
View Full Version : Admin page redirect



nani_nisha06
10-11-2012, 06:27 PM
Hi all,

Here I come with a new project; however, I am using an old script ;).

My new project requirement is:

1) If an admin logs in, he should go to admin_main.php.

2) If a normal user logs in, he should go to main.php.

I know I should create a database field for usergroup and fill it with 1 or 0.

I need your help making the above conditions work with the code below.




<?php session_start(); ?>
<?php
$host="localhost"; // Host name
$username="test"; // Mysql username
$password="1234"; // Mysql password
$db_name="test"; // Database name
$tbl_name="members"; // Table name

// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

// username and password sent from form
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];

// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = hash('sha256', $salt.$mypassword);
$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);

if (mysql_num_rows($result) === 1) {

// Register $myusername, $mypassword and redirect to file "login_success.php"
$_SESSION['myusername']=$myusername;

// $_SESSION['LoggedIn'] = 1;
header("location:main.php");
}
else {
//echo "Wrong Username or Password";
header("location:wrong.php");
}
?>

abduraooft
10-12-2012, 12:13 PM
// Register $myusername, $mypassword and redirect to file "login_success.php"
$_SESSION['myusername']=$myusername;

// $_SESSION['LoggedIn'] = 1;
header("location:main.php");
That should be something like



$_SESSION['myusername']=$myusername;
$row=mysql_fetch_assoc($result);
if($row['usergroup']==1)
header("location:main.php");
else
header("location:admin_main.php");

PS: You'd need to add proper checks on top of all protected pages to ensure the usergroup status of the user when accessing them.

Redcoder
10-12-2012, 08:26 PM
$_SESSION['myusername']=$myusername;
$row=mysql_fetch_assoc($result);
if($row['usergroup']==1)
header("location:main.php");
else
header("location:admin_main.php");


I hope that you understand that $row['usergroup'] has the contents of the field that shows whether the user is an admin or not. If the content is 1, in the above code, it means that the user is not an admin, i.e. a normal user, so is redirected to the relevant page.

To make it more specific to your case:


$_SESSION['myusername']=$myusername;
$row=mysql_fetch_assoc($result);
if($row['usergroup']==1) //normal user
header("location: main.php");
elseif($row['usergroup']==0) //admin
header("location: admin_main.php");
else //If the username/password combination has not been found in the dbase
header("location: wrong.php");

nani_nisha06
10-12-2012, 08:58 PM
I hope that you understand that $row['usergroup'] has the contents of the field that shows whether the user is an admin or not. If the content is 1, in the above code, it means that the user is not an admin, i.e. a normal user, so is redirected to the relevant page.

To make it more specific to your case:


$_SESSION['myusername']=$myusername;
$row=mysql_fetch_assoc($result);
if($row['usergroup']==1) //normal user
header("location: main.php");
elseif($row['usergroup']==0) //admin
header("location: admin_main.php");
else //If the username/password combination has not been found in the dbase
header("location: wrong.php");


Thanks above and Redcoder,

As per your suggestion I will get this altered and post the update.....

nani_nisha06
10-13-2012, 08:08 PM
Redcoder,

What about the SQL command? Is there anything I need to change?


Regards,
nani

Redcoder
10-13-2012, 09:12 PM
You should change this:




$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";


To:


$sql="SELECT * FROM `".$tbl_name."` WHERE username='$myusername' and password='$mypassword'";


And another thing: escape input from the user to prevent SQL injection. Never trust input from the user.

nani_nisha06
10-14-2012, 09:29 PM
You should change this:


To:


$sql="SELECT * FROM `".$tbl_name."` WHERE username='$myusername' and password='$mypassword'";


And another thing: escape input from the user to prevent SQL injection. Never trust input from the user.

Hi Redcoder,

As you suggested, I have changed my login script as below:




<?php session_start(); ?>
<?php
$host="localhost"; // Host name
$username="testDBuser"; // Mysql username
$password="1234"; // Mysql password
$db_name="testdb"; // Database name
$tbl_name="members"; // Table name

// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

// username and password sent from form
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];

// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = hash('sha256', $salt.$mypassword);
if (preg_match("/^\w{8,12}$/", $myusername, $matches))
{
$sql="SELECT * FROM `".$tbl_name."` WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);
}
else
{
header("location: wrong.php");
}

if (mysql_num_rows($result) === 1) {

// Register $myusername, $mypassword and redirect to file "login_success.php"
$_SESSION['myusername']=$myusername;
}
$row=mysql_fetch_assoc($result);
if($row['usergroup']==1) //normal user
{
header("location: /MYM/main.php");
}
elseif($row['usergroup']==0) //admin
{
header("location: /MYM/admin/admin_main.php");
}
else //If the username/password combination has not been found in the dbase
{
header("location: wrong.php");
}
?>


But now I see that when I try the admin login, it redirects correctly. In the case of a normal user login, I see it is redirecting me to an unknown extension, "admin/index.html".

Moreover, I see preg_match("/^\w{8,12}$/", $myusername, $matches) doesn't work for me??

Any suggestions? I am even thinking that SQL injection will get somewhat over leaded by implementing preg_match().

Regards,
nani

Redcoder
10-14-2012, 10:00 PM
But now I see that when I try the admin login, it redirects correctly. In the case of a normal user login, I see it is redirecting me to an unknown extension, "admin/index.html".

Moreover, I see preg_match("/^\w{8,12}$/", $myusername, $matches) doesn't work for me??

Any suggestions? I am even thinking that SQL injection will get somewhat over leaded by implementing preg_match().

Regards,
nani

For the preg_match, the code below should do it. It will check that the username is between 2 and 20 characters long and contains only alphanumeric characters and underscores.

if (preg_match('/^[a-z\d_]{2,20}$/i', $myusername))

For SQL injection, mysql_real_escape_string should escape the quotes in the input.

Just some advice: change to the mysqli (http://php.net/manual/en/book.mysqli.php) or PDO (http://www.phpeveryday.com/articles/PHP-Data-Object/PDO-Tutorial-P842.html) database driver. The mysql driver is deprecated and slow too. Mysqli (mysql improved) is an easy transition from the mysql extension. Check out this comparison of PDO and mysqli (http://net.tutsplus.com/tutorials/php/pdo-vs-mysqli-which-should-you-use/).

To really check the SQL injection stuff, look into Prepared Statements (http://php.net/manual/en/mysqli.prepare.php).

Also check out: http://25yearsofprogramming.com/blog/2011/20110205.htm , it's relevant to your code. It just reiterates what I've told ya.

69 post haha.

nani_nisha06
10-15-2012, 09:44 AM
Redcoder,

As per the above comment, I still see this default redirection for a normal user. Any clue?

Also, if you can help me on the threads below, it would be a great phase & help for my learning.



http://www.codingforums.com/showthread.php?t=275718

http://www.codingforums.com/showthread.php?t=275610

http://www.codingforums.com/showthread.php?t=275611

Please note: I have done more research, but as I am a self-learner these things still bother me, so I wanted to check if you can help me here as well.

Regards,
Nani

Redcoder
10-15-2012, 11:33 AM
Redcoder,

As per the above comment, I still see this default redirection for a normal user. Any clue?

Also, if you can help me on the threads below, it would be a great phase & help for my learning.



http://www.codingforums.com/showthread.php?t=275718

http://www.codingforums.com/showthread.php?t=275610

http://www.codingforums.com/showthread.php?t=275611

Regards,
Nani

Hmm... does the /MYM/main.php page exist? If it doesn't exist, .htaccess rules may be written to redirect to index.html in case of a 404 error.

Also, it could be just a simple case of /MYM/main.php having code that redirects to admin/index.html every time. Try checking your main.php code and whether the file itself exists.

nani_nisha06
10-17-2012, 09:27 AM
Hmm... does the /MYM/main.php page exist? If it doesn't exist, .htaccess rules may be written to redirect to index.html in case of a 404 error.

Also, it could be just a simple case of /MYM/main.php having code that redirects to admin/index.html every time. Try checking your main.php code and whether the file itself exists.

Redcoder,

With your support I have changed the above code as below. But now the problem is that when a normal user logs in to his account he is successfully redirected to main.php, yet if the same user enters the admin folder path he is successfully able to see all the admin features. So now I want to block him from going into admin privilege.

I know that my model is a typically old model of thinking, but as I am a learner I have just started with this, so help me with any framework for this issue if you think I am still thinking wrong.


<?php session_start(); ?>
<?php
$host="localhost"; // Host name
$username="naveen"; // Mysql username
$password="1234"; // Mysql password
$db_name="testdata"; // Database name
$tbl_name="test"; // Table name

// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

// username and password sent from form
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];

// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
function DoubleSaltedHash($pass, $salt) {
return sha1($salt.sha1($salt.sha1($pass)));
}
$path = "wrong.php";
$usercond = true;
preg_match("/^\w{2,10}$/", $myusername,$match);
$row = 0;
if (!empty($match[0]))
{
$sql="SELECT * FROM `".$tbl_name."` WHERE username='$myusername'";

$result=mysql_query($sql);
$row=mysql_fetch_assoc($result);
$mypassword = mysql_real_escape_string(DoubleSaltedHash($mypassword,$row['salt']));
if($mypassword != $row['password'])
$row = 0;
}

//echo "SDFSD". $row ;exit;
if ( !empty($row) > 0)
{
$_SESSION['myusername']=$myusername;// Register $myusername, $mypassword and redirect to file "login_success.php"


if($row['usertype']==1) //normal user
{
$path = "main.php";
}
elseif($row['usertype']==0) //admin
{
$path ="/MYM/admin/admin_main.php";
}
}
header("Location: ".$path);


?>

nani_nisha06
10-17-2012, 10:37 AM
Redcoder,

it would be great if you can suggest me on the below post.

http://www.codingforums.com/showthread.php?t=276288

Regards,
Nani

Redcoder
10-17-2012, 04:49 PM
Redcoder,

With your support I have changed the above code as below. But now the problem is that when a normal user logs in to his account he is successfully redirected to main.php, yet if the same user enters the admin folder path he is successfully able to see all the admin features. So now I want to block him from going into admin privilege.




You should introduce session variables (http://www.php.net/manual/en/book.session.php) to hold info on whether the user is an admin or not.

Like this



//If user is admin
$_SESSION['user_type'] = 'admin';

//For normal users
$_SESSION['user_type'] = 'normal';


So here's how you'd implement it:




<?php session_start(); ?>
<?php
$host="localhost"; // Host name
$username="naveen"; // Mysql username
$password="1234"; // Mysql password
$db_name="testdata"; // Database name
$tbl_name="test"; // Table name

// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

// username and password sent from form
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];

// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
function DoubleSaltedHash($pass, $salt) {
return sha1($salt.sha1($salt.sha1($pass)));
}
$path = "wrong.php";
$usercond = true;
preg_match("/^\w{2,10}$/", $myusername,$match);
$row = 0;
if (!empty($match[0]))
{
$sql="SELECT * FROM `".$tbl_name."` WHERE username='$myusername'";

$result=mysql_query($sql);
$row=mysql_fetch_assoc($result);
$mypassword = mysql_real_escape_string(DoubleSaltedHash($mypassword,$row['salt']));
if($mypassword != $row['password'])
$row = 0;
}

//echo "SDFSD". $row ;exit;
if ( !empty($row) > 0)
{
$_SESSION['myusername']=$myusername;// Register $myusername, $mypassword and redirect to file "login_success.php"


if($row['usertype']==1) //normal user
{
$path = "main.php";

$_SESSION['user_type'] = 'normal';

}
elseif($row['usertype']==0) //admin
{
$path ="/MYM/admin/admin_main.php";

$_SESSION['user_type'] = 'admin';
}
}
header("Location: ".$path);


?>



And then on top of admin PHP script write this:



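<?php

session_start();

if(!isset($_SESSION['user_type']) || $_SESSION['user_type'] != 'admin') //If not admin
{

header("Location: main.php"); //Redirect to main.php
exit; //Stop here so the rest of the admin page is not executed or sent

}

//The rest of the admin.php code here

?>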
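
An added example, not code from any poster in this thread: the login and the admin-page check discussed above, written with PDO prepared statements and a guard that stops the script after redirecting. It swaps the thread's salted SHA-1 for password_hash()/password_verify(); the function names, the in-memory SQLite table and the two sample accounts are constructed, while usertype (0 = admin, 1 = normal user) and the redirect paths follow the thread.

```php
<?php
// Added example. Assumes PDO with the SQLite driver (in-memory, runs offline);
// function names and the two sample accounts are constructed for illustration.
declare(strict_types=1);
function make_demo_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE members (username TEXT PRIMARY KEY,
               password TEXT NOT NULL, usertype INTEGER NOT NULL)');
    $ins = $db->prepare('INSERT INTO members VALUES (?, ?, ?)');
    $ins->execute(['site_admin', password_hash('admin-pass-123', PASSWORD_DEFAULT), 0]);
    $ins->execute(['nani_user', password_hash('user-pass-456', PASSWORD_DEFAULT), 1]);
    return $db;
}

// Returns 'admin', 'normal', or null when the login fails.
function authenticate(PDO $db, string $user, string $pass): ?string {
    // The ? placeholder keeps user input out of the SQL text entirely.
    $st = $db->prepare('SELECT password, usertype FROM members WHERE username = ?');
    $st->execute([$user]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($pass, $row['password'])) {
        return null;
    }
    // Exact match on known values: with ==, a NULL usertype would equal 0 (admin).
    $roles = ['0' => 'admin', '1' => 'normal'];
    return $roles[(string)$row['usertype']] ?? null;
}

// Login handler: pass $_SESSION on the web; returns the redirect target.
function login(PDO $db, array &$session, string $user, string $pass): string {
    $role = authenticate($db, $user, $pass);
    if ($role === null) {
        return 'wrong.php';
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true); // issue a new session id after login
    }
    $session['myusername'] = $user;
    $session['user_type'] = $role;
    return $role === 'admin' ? '/MYM/admin/admin_main.php' : '/MYM/main.php';
}

// First lines of every admin page: session_start(); require_admin($_SESSION);
function require_admin(array $session): void {
    if (($session['user_type'] ?? null) !== 'admin') {
        header('Location: /MYM/main.php');
        exit; // without exit the rest of the admin page still runs and is sent
    }
}

if (PHP_SAPI === 'cli') { // offline demonstration with the constructed accounts
    $db = make_demo_db();
    $session = [];
    foreach ([['nani_user', 'user-pass-456'], ['site_admin', 'admin-pass-123'],
              ["o'neil", 'user-pass-456'], ['nani_user', 'wrong']] as [$u, $p]) {
        printf("%-12s -> %s\n", $u, login($db, $session, $u, $p));
    }
}
```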

nani_nisha06
10-17-2012, 07:29 PM
Thanks Redcoder.....This worked like a charm...:)

by the way any comments on the way I am planning to learn?

Redcoder
10-17-2012, 07:34 PM
By the way any comments on the way I am planning to learn?


Well, knowing is not enough, we must apply - Bruce Lee.

Applying your knowledge in a vast array of real-life projects is the best way to learn. It gives you skills like speed and also reinforces what you know making programming in the future :thumbsup: for you.

nani_nisha06
10-20-2012, 02:36 PM
Well, knowing is not enough, we must apply - Bruce Lee.

Applying your knowledge in a vast array of real-life projects is the best way to learn. It gives you skills like speed and also reinforces what you know making programming in the future :thumbsup: for you.

Hi Red,

I am sorry for still bugging you with the problems I am getting, but before asking you I have tried to check more search results & parameters and I don't see any correct answer. Of course, it is the same with the post linked below:

http://www.codingforums.com/showthread.php?t=275552


Can I ask you to help me, if you are okay with CSS?

To just summarize the above issue:

1) I have a table with tons of data shown in the user window, where my CSS header & footer are not stretching with the data.

2) The second problem is that I want to wrap text in some of the table fields; I tried many ways but didn't succeed.

Any help or suggestion would be appreciated.

Regards,
nani


