When a user hits log in button on a page in order to verify heres what i need to do:
1st check if they exist and their login info is valid in the members table.
2nd using the entered username now check if they have access to this speficif page by checking the access table with their username.
i have to tables members and access.
Members has the following: id, username, password
Access has the following: userid, companyid
So say my username= ASH and password= 14ash
I'm trying to login to view a specific restricted page for the company called TARGET.
I first login with my account info with username ASH & password 14ash
in php i check the database table called members with mysql to see if i exist
and at the sometime i check the ACCESS table using
access.userid = ASH & access.companyid= TARGET
once all is check if i exist in both tables then i let the user login.
I tried this but doesn't work.
$sql="SELECT * FROM access,members
WHERE members.username='$myusername'
AND members.password='".md5($mypassword)."')
OR (access.userid=members.username
AND access.companyid='$username')";
It should be
sql="SELECT * FROM access,members WHERE members.username='$myusername'AND members.password='".md5($mypassword)."' AND access.userid=members.id";
Related
I am trying to create a social media prototype where user can log in, add others, send small file to others, etc. at the add friends page I have printed all the users name. when printing my name is also getting printed. what I want is to hide my my name from that list so that I get a list of all the other person except mine.
Try This:
select * from table where user_name not in ($_SESSION["name"]);
select * from table where user_name != '$_SESSION["name"]';
from php session you will get loggin user id, use that userid in your mysql query like following
$query = "select * from users where user_id not in(".$loggedInUserId.")";
where $loggedInUserId is the php session user id.
I made a login function with bruteforce protection, different bot protection functions like honeypot.., input filtering, Argon2 encrypted password.
But in the end to identify the user i save the id inside a session after a successful login.
With this id until now i checked if the column "admin" has the value 1 or 0.
If this value is 1 the user can do everything.
How i could improve the security ?
How else i could check if a user is an admin ?
You should do as I will direct you
As long as you have user id in act so it's half of the way
I will assume that you have function.php which have all the functions you use in website
Also you have login function that check user account details and give access
You now need to improve that to restrict user access
First:
Create table in MySQL call it group this table will have two records or as you like so. Admin will have id 1 and members id 2 then you can make much modifications like make another column in that table called upload and set admin to yes while members to no
Second in your login function use the following
$res = mysql_query("SELECT * FROM users INNER JOIN group ON users.class=group.group_id WHERE users.enabled='yes' AND users.status = 'confirmed'") or die(mysql_error());
$row = mysql_fetch_array($res);
Users.class is the group id and users is the table users
Now you can check group credits as example if on upload page you do the following
if($row["can_upload"]=="no")
echo("admin only can upload ");
You can check credentials on group as you need also you can make much classes like admin , members, uploders, reviewers,authors and give every class special permissions as website content is viewed
On admin.php you can use
if($row["admin"]=="no")
ech("admin only can view this page ");
In both examples above Admin and can_upload is colum in group table and it's changed by user class .
I am using one separate table called members to to keep sign up information. I am storing password using wp_hash_password($password).
But when I want login by using wp_signon() then it send 0 as response. I checked wp-includes/user.php to find the details about the wp_signon() and found it is using user_login and user_password as table column name there.
In my members table I have member_username and member_password.
How can I make this workable using members table?
FYI, I am using wp_users table to login into dashboard but for user end I am using wp_members to store all members information.
Thanks
Login username or password.
I want customers to login via "email" on the frontend and the admins to login via "username" on the backend (/admin page)
I came up with this solution:
In the users table there will be two fields, username and email.
If the customer try to login on the frontend, it will check their email, password and group_id = 0
For admin, it will check their username on group_id = 2
Is this the correct way?
Good enough ... will an admin require all the fields that are available for a cusomter? If not you might considering creating a specific table for the admin users since the table would not be in 3NF.
Other than that I don't see any issues :)
I am looking for a simple but secure login script with mySQL PHP: sessions, MD5 that I can use with my exsisting database.
Cookies to store password + password recovery by email.
Change login/pass.
I do not need registering, I register the user myself with temp login/pass.
table agents
agent1
agent2
table albums
album1, owner: agent1
album2, owner: agent1
album3, owner: agent2
...
login.php
agent1 logs in and has access to his albums:
- album1
- album2
agent1 can edit his albums:
edit.php?ref=album1
but NOT edit.php?ref=album3 by changing the ?ref variable
What you'll need to do is setup a method that checks login credentials for a particular agent. "SELECT * FROM agents where username='$username' and password='$password', if a row is returned, you know they have successfully signed in.
From here, you must save some data to session variables like the username and id of the user. You'll use this ID to check for album ownership in the album table. When an agent tries to edit an album, it will check if the agent ID is consistent with the ID in the album table.
When an agent creates an album, you must save their id as maybe "agent_id" in the albums table to relate to in your code.