I have a login script which checks if the authority id is 5 = admin, 6 = employee, or 7 = student.
Please check below:
// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);
$sql = "SELECT * FROM users WHERE username='$myusername' and password='$mypassword'";
$result = mysql_query($sql);
// Mysql_num_row is counting table row
$count = mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row
if($count==1){
// Register $myusername, $mypassword and redirect to file "main.php"
$_SESSION["myusername"] = $myusername;
$_SESSION["mypassword"] = $mypassword;
while($count = mysql_fetch_assoc($result)) {
//echo $row['Username'];
//echo $row['access_level'];
if ($count['AuthorityId']== 5) {
//add custom content here for this user access level
header("location: adminpage.php");
exit();
} // end of if
else if ($count['AuthorityId']== 6 ){
//add custom content here for this user access level
header("location: employeepage.php");
exit();
} // end of else if
else{
header("location: studentpage.php");
exit();
}
} // end of while
}
else if( $myusername == '' || $mypassword == '' ){
echo '<script type="text/javascript">
alert("There are empty fields!");
</script>';
}
else {
echo '<script type="text/javascript">
alert("Wrong Username or Password")
</script>';
}
?>
When the user is an admin, he then goes to adminpage.php, but when I would directly put the url for employeepage.php, the user can access it. How can I restrict users from accessing other pages? thanks.
Store the authority in another session variable like so:
And then use:
On restricted pages.