|
|
Posted by Nosferatum on 03/28/07 15:40
This script is meant to limit access by sessions, using username and
password from mysql db and redirect users after login according to a
given value belonging to each user in the db (10,20,30,40).
(the included config is just server settings, the login is just a
login form).
The script appear to connect but will not redirect users, it seems
that even with correct login details, it won't validate.
this code is in top of each protected page granting access to users
with user level 10:
<?php $allow = array (10);include ("../protect/protect.php"); ?>
THE SCRIPT (protect.php):
<?php
session_start ();
// --------------------------------THE
VARIABLES---------------------------------- //
@include ("config.php");
// ----------------------------------THE CODE
------------------------------------ //
function clearance ($user_value, $pass_value, $level_value,
$userlevel_value, $table_value, $column1, $column2, $path) { //
Function to see if user can login
$check = mysql_query ("SELECT $userlevel_value FROM $table_value
WHERE username='$user_value' AND password='$pass_value'"); // Query to
see if user exists
$verify = mysql_num_rows ($check);
$get = mysql_fetch_array ($check);
if (count ($level_value) != 0) { // If the allow array contains
userlevels
if (in_array ($get[$userlevel_value], $level_value) && $verify > 0)
{ // Search allow to see if userlevels match
$_SESSION['username'] = $user_value; // Register sessions
$_SESSION['password'] = $pass_value; // password
$_SESSION['userlevel'] = $get[$userlevel_value];
}
//redirect users according to user level
if ($verify > 0); {
$row = mysql_fetch_array($check);
}
switch($row['userlevel_value']) {
case '10':
header("location:/hidden/folder1/index.php");
break;
case '20':
header("location:/hidden/folder2/index.php");
break;
case '30':
header("location:/hidden/folder3/index.php");
break;
case '40':
header("location:/hidden/folder4/index.php");
break;
default:
printf("Invalid username and password<br>\n");
}
//end redirect
} else {
if ($verify == 0) { // If attempt fails then redirect to login page
$_SESSION = array();
$error = "Sorry, invalig login";
@include ("login.php");
exit;
}
if ($verify > 0) { // If attempt is good then register the user
$_SESSION['username'] = $user_value;
$_SESSION['password'] = $pass_value;
}
}
}
function protect ($level_value, $password_value, $userlevel_value,
$table_value, $column1, $path) { // Function to keep pages secure
if (!isset ($_SESSION['username'])) { // If session doesn't exist
then get user to login
if (isset ($_POST['username']) && isset ($_POST['password'])) {
$error = "Sorry, username or password doesnt fit";
}
$_SESSION = array();
@include ("login.php");
exit;
} else { // If user is logged in check to see if session is valid and
that they have the required userlevel
$check = mysql_query ("SELECT $password_value, $userlevel_value FROM
$table_value WHERE $column1='$_SESSION[username]'"); // Query to see
if user exists
$verify = mysql_num_rows ($check);
$get = mysql_fetch_array ($check);
if ($verify == 0) {
$_SESSION = array();
$error = "Something wrong with your login";
@include ("login.php");
exit;
}
if ($verify > 0 && count ($level_value) != 0) {
if (!in_array ($get[$userlevel_value], $level_value)) { // Check to
see if the users userlevel allows them to view the page
$error = "Sorry, no access";
@include ("login.php");
exit; // Ensure no other data is sent
}
}
}
}
if (isset ($_POST['username']) && isset ($_POST['password'])) { // If
user submits login information then validate it
clearance ($_POST['username'], $_POST['password'], $allow,
$userlevel, $table, $username, $password, $path);
}
protect ($allow, $password, $userlevel, $table, $username, $path);
mysql_close ($link); // Close the database connection for security
reasons
// -----------------------------------THE END
------------------------------------ //
?>
Navigation:
[Reply to this message]
|