Hi everyone,

I would like to ask you one question regarding a menu which appears to all the pages.I have developed a website in which a user log in and access the website.When the user log in a nanigation menu appears to all the pages. What i want to do is whether the administrator log in the website to have access to another menu called "logoffheaderAdmin" which includes one extra option .

Could please anyone suggest something?

Here i am including the code that i have written when the user logins.
The logoffheader.php i want everyone to have access.However the logoffheaderAdmin.php to appears when the administrator logins.

PHP Code:

<?
    session_start();
        if(session_is_registered('username')){
             echo "Welcome ".$username."!". "Logon time is: ".Date("m/d/Y");


                $queryAdmin="select admin from Webusers where username='$username'";
                $rsAdmin=mysql_query($queryAdmin);
                $rowAdmin=mysql_result($rsAdmin,'admin');
                        if($rowAdmin=='yes'){
                                require("logoffheaderAdmin.php");
                        }
                        else
                {
                require("logoffheader.php");
           
        }else{
             header("Location:http://www.domain.com/Staff/loginform.php");
        }
?>

Thank you in advance,
Xenia

Just store in the session the admin status as well. Then the following should work

PHP Code:

session_start();
 
if (isset($_SESSION['username'])==FALSE)
{
    header("Location:http://www.domain.com/Staff/loginform.php");
    exit;
}
 
echo "Welcome ".$_SESSION['username']."!". "Logon time is: ".Date("m/d/Y");
require($_SESSION['isAdmin']?'logoffheaderAdmin.php':'logoffheader.php'); 


Now you only need to store in the admin status in the place where you log in the user

PHP Code:

$_SESSION['isAdmin']=$row['admin']=='yes'; 


Hi neroux,

Thank you for the fast answer. I would like to ask you regarding the code you wrote.Do i have to include also mine coding or just what you wrote me? As I tryied to do what you told me but again it does not display the admin menu. This is what i have written

PHP Code:


<?$_SESSION['isAdmin']=$row['admin']=='yes';?>



<?
    session_start();
        if (isset($_SESSION['username'])==FALSE)
        {
                 header("Location:http://www.domain.com/Staff/loginform.php");
                 exit;


                  echo "Welcome ".$_SESSION['username']."!". "Logon time is: ".Date("m/d/Y");
                         require($_SESSION['isAdmin']?'logoffheaderAdmin.php':'logoffheader.php');



                         }
                                                                                                ?>

Do you think i miss something?Moreover, don't i need to include the select statement?



Thank you again,
Xenia

Hi neroux,

Thank you for the fast answer. I would like to ask you regarding the code you wrote.Do i have to include also mine coding or just what you wrote me? As I tryied to do what you told me but again it does not display the admin menu. This is what i have written

PHP Code:


<?$_SESSION['isAdmin']=$row['admin']=='yes';?>



<?
    session_start();
        if (isset($_SESSION['username'])==FALSE)
        {
                 header("Location:http://www.domain.com/Staff/loginform.php");
                 exit;


                  echo "Welcome ".$_SESSION['username']."!". "Logon time is: ".Date("m/d/Y");
                         require($_SESSION['isAdmin']?'logoffheaderAdmin.php':'logoffheader.php');



                         }
                                                                                                ?>

Do you think i miss something?Moreover, don't i need to include the select statement?



Thank you again,
Xenia

The

PHP Code:

$_SESSION['isAdmin']=$row['admin']=='yes'; 


part needs to be set where you also set the username session variable (maybe you also need to include the "admin" column in your query).

The other part is the actual code you will need to use.

Thank you very much neroux. I will try it and if i have any problem i will post it here.Again thank you.

Xenia

Hello neroux,

I would like to ask you about this part of code

PHP Code:

$_SESSION['isAdmin']=$row['admin']=='yes'; 


Do I have to put this part of code in the page where
the user is validated called "check_password" only or in every page?Also do i have to include the following code when assiging the variable "isAdmin"?

PHP Code:

                $queryAdmin="select admin from Webusers where username='$username'";
                $rsAdmin=mysql_query($queryAdmin);
                $rowAdmin=mysql_result($rsAdmin,'admin'); 


Because how the system will understand how to see is if the user is administrator?

The rest part i have put it in the page where the system check if
the user has been login and where to be redirected called "check_login".

Sorry if i am asking so many questions but i am new in php.
Thank you again for your valuable help.

Xenia

Quote:

Originally Posted by xenia

I would like to ask you about this part of code

PHP Code:

$_SESSION['isAdmin']=$row['admin']=='yes'; 


Do I have to put this part of code in the page where
the user is validated called "check_password" only or in every page?

Yes, it needs to be put where you validate the user and set the username session variable. If you post your code, I can do the modifications.

Quote:

Originally Posted by xenia

Also do i have to include the following code when assiging the variable "isAdmin"?

PHP Code:

$queryAdmin="select admin from Webusers where username='$username'";
$rsAdmin=mysql_query($queryAdmin);
$rowAdmin=mysql_result($rsAdmin,'admin'); 


Because how the system will understand how to see is if the user is administrator?

No, because the admin status information should be already retrieved with the user validation query and then its assigned to the session variable (see previous part).

Quote:

Originally Posted by xenia

Sorry if i am asking so many questions but i am new in php.
Thank you again for your valuable help.

No problem

I feel that i have the solution in front of me and I can't find what i am doing wrong. I will write the code that i have developed untill now and i would be very gretfull if somebody could help me.

loginform.php. In this page the user is prompt to write the username and password in order to login.

PHP Code:

<? 
    session_start();
   if(session_is_registered('username')){
       echo $username.". You have logged on!";
       require("logoffheader.php");
   }else{
?>
<form action="password_input.php" method="POST" name = "login">
<table align="center" bgcolor="#FFCC66">
    <tr>
       <td align="center" colspan="2">Log On</td>
    </tr>
    <tr>
       <td>Username:</td>
       <td><input type="text" name="uname"></td>
    </tr>
    <tr>
       <td>Password:</td>
       <td><input type="password" name="passwd"></td>
    </tr>
    <tr>
       <td></td>
<td><input type="submit" value="Log in" name="submit"><input type="reset" value="Reset" name="reset"></td>
    </tr>
</table>
</form>
<? }?>

When the user click the submit button is redirected to the page
"password_input" which is performing the validation of the user:

PHP Code:

<?
   include "dbconnect.php";
   if(empty($_POST['uname'])||empty($_POST['passwd'])){
        header("Location: http://www.domain.com/Staff/loginform.php");
   }else{
        $uname= $_POST['uname'];
                $query = "SELECT * FROM Webusers WHERE username='$uname'";
        $result = mysql_query($query);
        $row = mysql_fetch_array($result);
        $encrypted_password = md5($_POST['passwd']);
            if($encrypted_password!=$row[password]){
                    echo "<h3>Your password is not correct. Please log on again!</h3>";
                    require("loginform.php");
                }else{
                            session_start();
                            session_register('username');
                                $username= $uname;
//this part has been added as neroux suggested

                              $SESSION['isAdmin']=$row[admin]=='yes';
                              header("Location:http://www.domain.com/Staff/check_login.php");
        }
   }
?>

When the user has been verified and enter the website will display a navigation menu called "logoffheader.php". I want when the user is admin to display the menu called "logoffheaderAdmin.php" otherwise to display the "logoffheader.php". The following code i have written in order to display the menu "check_login".

PHP Code:

  session_start();
       if(session_is_registered('username')){
                                    echo "Welcome ".$username."!". "Logon time is: ".Date("m/d/Y");
                                    require($_SESSION['isAdmin']?'logoffheaderAdmin.php':'logoffheader.php');

                                    }else{
                                           header("Location:http://www.domain.com/Staff/loginform.php");

                                   } 


Using all the above code it doesn't work .I tryied to write the following code and is working but only for the first page:

PHP Code:

<?
    session_start();
            if(session_is_registered('username')){
                 echo "Welcome ".$username."!". "Logon time is: ".Date("m/d/Y");

                                $queryAdmin="select admin from Webusers where username='$username'";
                                $rsAdmin=mysql_query($queryAdmin);
                                $rowAdmin=mysql_result($rsAdmin,'admin');
                        

 if ($rowAdmin=='yes'){ require("logoffheaderAdmin.php");
                                        }
else{ require("logoffheader.php");}

 } else{ header("Location:http://www.domain.com/Staff/loginform.php"); } 

 ?>

I am really sorry about this big coding but i don't know where i am doing wrong.So i will appreciate any help.

Thank you in advance,
Xenia

First of all, it would be better to use the super global array $_SESSION (unless you are using a PHP version less than 4.1), as session_register() is deprecated.

Below is a version of password_input.php with the modifications.

PHP Code:

<?
    session_start();
 
    include "dbconnect.php";
 
    if (empty($_POST['uname'])||empty($_POST['passwd'])){
        header("Location: http://www.domain.com/Staff/loginform.php");
        exit;
    }
 
    $uname= $_POST['uname'];
    $query = "SELECT * FROM Webusers WHERE username='$uname'";
    $result = mysql_query($query);
    $row = mysql_fetch_array($result);
    $encrypted_password = md5($_POST['passwd']);
 
    if($encrypted_password!=$row['password']){
        echo "<h3>Your password is not correct. Please log on again!</h3>";
        require("loginform.php");
    }else{
        $_SESSION['username']=$uname;
        $_SESSION['isAdmin']=$row['admin']=='yes';
        header("Location:http://www.domain.com/Staff/check_login.php");
    }
?>

Now you can refer on each page to

PHP Code:

$_SESSION['isAdmin'] 


to see whether the user has an admin status.

Also your code requires magic_quotes_gpc to be always enabled, otherwise it is vulnerable to SQL injections.

For example imagine $_POST['uname'] contains

Code:

someone';DELETE FROM Webusers --

This

PHP Code:

$uname= $_POST['uname'];
$query = "SELECT * FROM Webusers WHERE username='$uname'"; 


would become this

Code:

SELECT * FROM Webusers WHERE username='someone';DELETE FROM Webusers --'

Basically your table would be emptied (admittedly, someone would need to know your database structure).

Thank you very much for one more time neroux.I did whatever you told me but when i tryied it didn't let me login.When i clicked the submit button it displayed this symbol " } ". When i tryied to print the variable "$_SESSION['isAdmin'];" it displayed the number "1" instead of "yes".

What do you think?What you have to suggest?

Xenia

When you clicked where? Can you post the code you used?

I add the following code to the page "password_input":

PHP Code:


<?
   session_start();

   include "dbconnect.php";

   if(empty($_POST['uname'])||empty($_POST['passwd'])){
                   header("Location: http://www.domain.com/Staff/loginform.php");
                   exit;
   }

    $uname= $_POST['uname'];
    $query = "SELECT * FROM Webusers WHERE username='$uname'";
    $result = mysql_query($query);
    $row = mysql_fetch_array($result);
    $encrypted_password = md5($_POST['passwd']);

    if($encrypted_password!=$row['password']){
         echo "<h3>Your password is not correct. Please log on again!</h3>";
         require("loginform.php");
    }else{

         $_SESSION['username']=$uname;
         $_SESSION['isAdmin']=$row['admin']=='yes';
         header("Location:http://www.domain.com/Staff/check_login.php");
    }

//echo $_SESSION['isAdmin'];


?>

So when i clicked the submit button from the page "loginform" using the following code:

PHP Code:

<?
   
   session_start();
   if($_SESSION['username']){
          echo $username.". You have logged on!";
      require($_SESSION['isAdmin']?'logoffheaderAdmin.php':'logoffheader.php');
       
   }else{
   ?>
<form action="password_input.php" method="POST" name = "login">
<table align="center" bgcolor="#FFCC66">
    <tr>
           <td align="center" colspan="2">Log On</td>
        </tr>
        <tr>
           <td>Username:</td>
       <td><input type="text" name="uname"></td>
        </tr>
        <tr>
           <td>Password:</td>
       <td><input type="password" name="passwd"></td>
    </tr>
        <tr>
           <td></td>
<td><input type="submit" value="Log in" name="submit"><input type="reset" value="Reset" name="reset"></td>
        </tr>
</table>
</form>
<? }?>

Finnally,the code from the page check_login is the following:

PHP Code:

 <? session_start();
                          if (isset($_SESSION['username'])==FALSE)
                          {
header("Location:http://www.domain.com/Staff/loginform.php"); exit;
                          }

                         echo "Welcome ".$_SESSION['username']."!". "Logon time is: ".Date("m/d/Y");
                         require($_SESSION['isAdmin']?'logoffheaderAdmin.php':'logoffheader.php');

 ?>

What do you think?

Xenia

This looks more or less fine. Do you get any error?

No i don't get any error.
The strange thing is that when i am trying to access another page when i use the command

PHP Code:

require($_SESSION['isAdmin']?'logoffheaderAdmin.php':'logoffheader.php'); 


It is working.But when i am trying to login the first time it just display a blank page.
Which command do i have to write in order to display any possible error?

PHP Code:

var_dump($_SESSION); 


will output the content of $_SESSION

I run the command you told me var_dump($_SESSION);
and the output that it gave me was the following:

PHP Code:

array(2) {   ["username"]=>   &string(4) "test"   ["isAdmin"]=>   &bool(true) } 


Do you think there is any problem there?
Any other suggestion?

No, if "test" is an administrator .

But there are the correct values, so I doubt its an error of the session values. You would need to debug the page which comes out as blank to see on which values you are working.

OK neroux i will try to figure out what's wrong. In the meantime if you thing anything else please post it here.
Thank you very much for your time and your advice you helped me very much.