Hope you can help me with this, (again in some cases!)
I have a php login system which is using a mysql database connection, first the user fills in a login form:
Code: admin/index.php:
<link rel="stylesheet" href="/styles/style-new.css" type="text/css" />
<script type="text/javascript">
function formfocus() {
document.getElementById('myusername').focus();
}
window.onload = formfocus;
</script>
<table width="300" border="0" align="center" cellpadding="0" cellspacing="1" bgcolor="#CCCCCC">
<tr>
<form action="/?module=admin&n=checklogin" method="post" enctype="multipart/form-data" name="form1" id="form1">
<td>
<table width="100%" border="0" cellpadding="3" cellspacing="1" bgcolor="#FFFFFF">
<tr>
<td colspan="3"><strong>Administrator Login </strong></td>
</tr>
<tr>
<td width="78">Username</td>
<td width="6">:</td>
<td width="294"><input type="text" name="myusername" id="myusername" tabindex="1"></td>
</tr>
<tr>
<td>Password</td>
<td>:</td>
<td><input name="mypassword" type="password" id="mypassword" tabindex="2"></td>
</tr>
<tr>
<td> </td>
<td> </td>
<td> <button type="submit" name="Submit" tabindex="3">Login</button>
<img src="../images/ajax-loader.gif" width="16" height="16" style="display: none"/>
<script>
$("button").click(function () {
$("img").show("slow");
});
</script>
</td>
</tr>
</table>
</td>
</form>
</tr>
</table>
<p align="center">Clicked on the wrong link? <a href="javascript: history.go(-1)">Click Here</a></p>
</div>
This is then sent for verification by checklogin.php:
Code: checklogin.php:
<?php
sleep(3)
?>
<link rel="stylesheet" href="../styles/style-new.css" type="text/css" />
<?php
session_start();
$host="localhost"; // Host name
$username="david_bpd"; // Mysql username
$password="documents123456"; // Mysql password
$db_name="david_bpd"; // Database name
$tbl_name="members"; // Table name
// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die(mysql_error());
mysql_select_db("$db_name")or die("cannot select DB");
// username and password sent from form
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];
// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);
$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql) or die(mysql_error());
// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row
$cdata = mysql_query("SELECT * FROM cuser");
$cdata = mysql_num_rows($cdata);
echo $cdata;
if($count==1){
//If a user is not already logged on
if($cdata == 1){
echo "<meta http-equiv='refresh' content='0;url=/?module=admin&n=Login_unavailable'>";
}
else {
//Register username
echo $myusername;
$_SESSION['myusername'] = $myusername;
var_dump($_SESSION['myusername']);
$_SESSION['myusername'] == $myusername;
$sql2="INSERT INTO cuser(myusername)VALUES('$myusername')";
$result2 = mysql_query($sql2) or die(mysql_error());
echo '<meta http-equiv="refresh" content="0;url=/?module=admin&n=Login_success">';
}
}
elseif($count==0) {
echo '<meta http-equiv="refresh" content="0;url=/?module=admin&n=Login_Unsuccessful">';
}
?>
<?php
mysql_close();
?>
It is then re-registered using admin/Login_name.php: which checks the last access name in the mysql database and registers it again
<?php
/* Mysql connection */
$tbl_name="cuser"; // Table name
$query = "SELECT MAX(`id`) AS 'max' FROM $tbl_name";
$result = mysql_query($query) or die(mysql_error());
$row = mysql_fetch_assoc($result);
$max = $row['max'];
$query1 = "SELECT * FROM $tbl_name WHERE id= '$max'";
$result1 = mysql_query($query1) or die(mysql_error());
$row1 = mysql_fetch_row($result1);
//check username
$myusername=$row1[1];
//register username
$_SESSION['myusername'] = $myusername;
?>
The problem i have is I have to restrict access to the the admin area by using this:
Code:
<?php
session_start ();
if ($_REQUEST ['module'] == 'admin' && $_REQUEST ['n'] != 'index' && $_REQUEST ['n'] != 'Login_Unsuccessful' && $_REQUEST ['n'] != 'checklogin' && $_REQUEST ['n'] != 'Logout' && $_REQUEST ['n'] != 'Login_name') {
include ("admin/Login_name.php");
// var_dump ( $myusername );
//echo $myusername;
//echo "<br />";
//echo "<br />";
if (isset ( $_SESSION ['myusername'] )) {
//var_dump($myusername);
//echo "SESSION IS SET";
if ($_SESSION ['myusername'] == $myusername) {
//echo "User should be allowed to be on page";
} else {
//echo"User not allowed";
echo '<meta http-equiv="refresh" content="0;url=/?module=admin&n=index">';
}
} else {
//var_dump(($_SESSION['myusername']));
//echo "SESSION IS NOT SET(username not registered)";
echo '<meta http-equiv="refresh" content="0;url=/?module=admin&n=index">';
}
}
?>
The problem i have found is that if an administrator is already logged in a person that hasn’t logged in can still access the restricted areas but i dont want that to happen.
I think it may have something to do with the if statements in the last bit of source code however i do not know.
Any Ideas?
Thanks
P.S. Sorry for the long post the only way to describe fully!
I think it would be easier to check user login by doing something like this.
so in your when you are processing the form just set the
$_SESSION['user']and set$_SESSION['user']['admin']to true;Again this is a simple login method.