[PHP] Restrictions

Well, here I am again with my noob questions =D
I kinda made a PHP study plan which consists of studying and coding for 1 hour each day.
Today's lesson was to make a restricted login system.
What is a restricted login system?
Well, when the user submits his login info, if correct, it will check on the database if his user rights are 2.
I thought, "well, that's easy...", but I seem to be getting some problems.
To do the check-if-user-rights-equal-2 function, I added it near the session_start().

So you can understand and help me out, I'll show you what I did.

Code:
<?php
session_start();
if (isset($_SESSION['user'])) {
    // A single '=' assigns rather than compares, so $userrrr becomes true and
    // this branch always runs; the userrrr() function is never called here.
    if ($userrrr = true) {
        header('Location: inside.php');
    } else {
        if ($userrrr = false) {
            echo "You don't have enough rights to login into the admin panel.";
            session_destroy();
        }
    }
} else {
    echo "You are not logged in.";
}
require("main.php");
?>

My userrrr() function:
Code:
function userrrr() {
    // Counts every account whose rights are 2, regardless of who is logged in.
    // The hyphenated column must be backtick-quoted, otherwise MySQL parses
    // user-rights as the subtraction `user` - `rights`.
    $userr = mysql_query("SELECT * FROM accounts WHERE `user-rights` = '2'");
    $userrr = mysql_num_rows($userr);
    return $userrr;
}

Yet I can't seem to do this right.
Any ideas on what's wrong, or if I'm not doing it the correct way? Any advice on other ways of doing this? :blush:
 
There are simpler ways of handling this. If you have the login, find the account's row and then check their rank.
So, for example:
PHP:
// Look up only the logged-in user's rights (column backtick-quoted because of the hyphen)
$result = mysql_query("SELECT `user-rights` FROM accounts WHERE username = '" . $_SESSION['username'] . "'");
if ($result && ($row = mysql_fetch_assoc($result)) && $row['user-rights'] == 2) { /* admin */ }
Something like that. Then all you would have to do is check if user rights == 2, then whatever. lol
 
Hmm, it seems your function is wrong; here is what I would do:
Code:
<?php
session_start();
if (isset($_SESSION['user'])) {
    // userCheck() returns the number of matching admin rows, so compare its result to 1
    if (userCheck($_SESSION['user']) == 1) {
        header('Location: inside.php');
    } else {
        // second call to userCheck() for the same user, i.e. a second query
        if (!userCheck($_SESSION['user'])) {
            echo "You don't have enough rights to login into the admin panel.";
            session_destroy();
        }
    }
} else {
    echo "You are not logged in.";
}
require("main.php");
?>

I also cut down the r's; I'm not sure why you need so many. That's just going to lead to mistakes.

Code:
function userCheck($userName) {
    // Rows where this username has rights = 2; hyphenated columns need backticks
    $queryUser = mysql_query("SELECT * FROM accounts WHERE `user-rights` = '2' AND `user-name` = '".$userName."'");
    $userExists = mysql_num_rows($queryUser);
    return $userExists;
}

Now I think that will work, but I'm not sure as I haven't tested it, and I also don't know what your username field is called. :wink:

What's happening? Well, what you are now doing is passing the username to the function; this is then checked in the database to see if there is a user with 'entered username' which has user-rights = 2. If so, then 1 should be returned (assuming your database is set up correctly and so there won't be 2 identical users) if the user has access, or false (due to mysql_num_rows returning false on no rows) if the user doesn't have access rights set to 2.

Edit: I would also assume you have sanitized that session variable 'user'; if not, then you will have to sanitize it before it gets queried or you will have problems with SQL injection.

Hopefully that sort of explains my thinking here; in case it doesn't work you can adapt it.
 
Yes, what fedexer said: you never call the function, and it has a very bad name.

However, now it will select from the database twice, and database searches are slow, so you should limit the code in a way that the database is only selected from once.

PHP:
<?php
function userCheck($userName)
{
    // One query: does this username exist with rights = 2? (columns backtick-quoted because of the hyphen)
    $queryUser = mysql_query('SELECT * FROM accounts WHERE `user-rights` = \'2\' AND `user-name` = \''.$userName.'\'');
    return mysql_num_rows($queryUser);
}

session_start();
if (isset($_SESSION['user']))
{
    $userCheck = userCheck($_SESSION['user']);
    if ($userCheck) 
    {
        header('Location: inside.php');
    }
    else
    {
        echo 'You don\'t have enough rights to login into the admin panel.';
        session_destroy();
    }
}
else
{
    echo 'You are not logged in.';
}

require_once('main.php');
?>

Also, you don't do any security checks on the value you put in the query; look here for security:
http://daniel0.net/phpfreaks_tutorials/php_security/php_security.pdf
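As an added example (not code from the thread or any of the posters), here is the single-query rights check with the username passed as a bound parameter, placed beside the string-concatenated form that every snippet above uses, so that fedexer's sanitization note and the "select only once" advice in the last reply can be seen together. It swaps the mysql_* functions for PDO and runs against an in-memory SQLite table built inside the script. The column names `user-name` and `user-rights` follow the thread; the table, the two accounts, ADMIN_RIGHTS, the isAdmin/isAdminUnsafe names and the payload string are all assumptions made for the example.

```php
<?php
// Added example, not from the thread. Column names follow the thread's schema;
// the table, the two accounts, ADMIN_RIGHTS and the payload are constructed here.

const ADMIN_RIGHTS = 2; // assumed meaning of "user rights are 2"

function buildDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Hyphenated identifiers must always be quoted; unquoted, user-rights is
    // parsed as the subtraction user - rights.
    $db->exec('CREATE TABLE accounts (`user-name` TEXT PRIMARY KEY, `user-rights` INTEGER NOT NULL)');
    $db->exec("INSERT INTO accounts VALUES ('alice', 2), ('bob', 1)"); // constructed sample accounts
    return $db;
}

// Vulnerable form: the session value is spliced into the SQL text, exactly as
// the mysql_query() calls in the thread do. Kept only to show what a crafted
// username does to the rights check.
function isAdminUnsafe(PDO $db, string $user): bool {
    $sql = "SELECT COUNT(*) FROM accounts WHERE `user-rights` = 2 AND `user-name` = '" . $user . "'";
    return (int) $db->query($sql)->fetchColumn() > 0;
}

// Hardened form: one round trip, the username travels as a bound parameter
// (never part of the SQL text), and the rights value is compared in PHP with a
// strict integer check. No sanitizing of the session value is needed for this.
function isAdmin(PDO $db, string $user): bool {
    $stmt = $db->prepare('SELECT `user-rights` FROM accounts WHERE `user-name` = :user');
    $stmt->execute([':user' => $user]);
    $rights = $stmt->fetchColumn();          // false when the user does not exist
    return $rights !== false && (int) $rights === ADMIN_RIGHTS;
}

$db = buildDb();
// Constructed injection string: the closing quote ends the literal, OR 1=1
// makes the WHERE clause match every row, and -- comments out the rest.
$payload = "x' OR 1=1 --";

$checks = [
    'alice is admin'                        => isAdmin($db, 'alice') === true,
    'bob is not admin'                      => isAdmin($db, 'bob') === false,
    'payload is just an unknown user (safe)' => isAdmin($db, $payload) === false,
    'payload passes the rights check (unsafe)' => isAdminUnsafe($db, $payload) === true,
];
foreach ($checks as $name => $ok) {
    echo ($ok ? 'ok   ' : 'FAIL ') . $name . PHP_EOL;
}
```

Run it with `php example.php` (needs the pdo_sqlite extension). The point of the last two checks is that the same payload is harmless to the prepared statement, which looks for a user literally named `x' OR 1=1 --`, but turns the concatenated query into `... AND \`user-name\` = 'x' OR 1=1 --'`, where the OR swallows the rights condition. Binding the parameter is what removes the injection; moving to one query, as the last reply suggests, only removes the second round trip.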
 
Hmm, I was thinking the two calls would be a bad idea, but I was in a rush to get it out before leaving for school, and it was still pretty early and the caveman was only waking up ^^
 