  1. #1
    Regular Coder
    Join Date
    Oct 2012
    Location
    mother land --india
    Posts
    161
    Thanks
    37
    Thanked 2 Times in 2 Posts

    Admin page redirect

    Hi all,

    Here I come with a new project; however, I am using an old script.

    My new project requirement is:

    1) If an admin logs in, he should go to admin_main.php.

    2) If a normal user logs in, he should go to main.php.

    I know I should create a database field for usergroup and fill it with 1 or 0.

    I need your help making the above conditions work in the code below.


    Code:
    <?php session_start(); ?>
    <?php
    $host="localhost"; // Host name 
    $username="test"; // Mysql username 
    $password="1234"; // Mysql password 
    $db_name="test"; // Database name 
    $tbl_name="members"; // Table name 
    
    // Connect to server and select database.
    mysql_connect("$host", "$username", "$password")or die("cannot connect"); 
    mysql_select_db("$db_name")or die("cannot select DB");
    
    // username and password sent from form 
    $myusername=$_POST['myusername']; 
    $mypassword=$_POST['mypassword']; 
    
    // To protect MySQL injection (more detail about MySQL injection)
    $myusername = stripslashes($myusername);
    $mypassword = stripslashes($mypassword);
    $myusername = mysql_real_escape_string($myusername);
    $mypassword = hash('sha256', $salt.$mypassword);
    $sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
    $result=mysql_query($sql);
    
    if (mysql_num_rows($result) === 1) {
    
    // Register $myusername, $mypassword and redirect to file "login_success.php"
    $_SESSION['myusername']=$myusername;
    
    // $_SESSION['LoggedIn'] = 1;
    header("location:main.php");
    }
    else {
    //echo "Wrong Username or Password";
    header("location:wrong.php");
    }
    ?>

  • #2
    Supreme Master coder! abduraooft's Avatar
    Join Date
    Mar 2007
    Location
    N/A
    Posts
    14,801
    Thanks
    160
    Thanked 2,216 Times in 2,203 Posts
    Blog Entries
    1
    PHP Code:
    // Register $myusername, $mypassword and redirect to file "login_success.php"
    $_SESSION['myusername']=$myusername;

    // $_SESSION['LoggedIn'] = 1;
    header("location:main.php"); 
    That should be something like


    PHP Code:
    $_SESSION['myusername']=$myusername;
    $row=mysql_fetch_assoc($result);
    if($row['usergroup']==1)
        header("location:main.php");
    else
        header("location:admin_main.php");
    PS: You'd need to add proper checks on top of all protected pages to ensure the usergroup status of the user when accessing them.
    The Dream is not what you see in sleep; Dream is the thing which doesn't let you sleep. --(Dr. APJ. Abdul Kalam)

  • #3
    Regular Coder Redcoder's Avatar
    Join Date
    May 2012
    Location
    /dev/null
    Posts
    332
    Thanks
    2
    Thanked 47 Times in 46 Posts
    Quote Originally Posted by abduraooft View Post


    PHP Code:
    $_SESSION['myusername']=$myusername;
    $row=mysql_fetch_assoc($result);
    if($row['usergroup']==1)
        header("location:main.php");
    else
        header("location:admin_main.php");
    I hope that you understand that $row['usergroup'] has the contents of the field that shows whether the user is an admin or not. If the content is 1, in the above code, it means that the user is not an admin i.e a normal user so is redirected to the relevant page.

    To make it more specific to your case:

    PHP Code:
    $_SESSION['myusername']=$myusername;
    $row=mysql_fetch_assoc($result);
    if($row['usergroup']==1) //normal user
        header("location: main.php");
    elseif($row['usergroup']==0) //admin
        header("location: admin_main.php");
    else
        //If the username/password combination has not been found in the dbase
        header("location: wrong.php");

  • #4
    Regular Coder
    Join Date
    Oct 2012
    Location
    mother land --india
    Posts
    161
    Thanks
    37
    Thanked 2 Times in 2 Posts
    Quote Originally Posted by Redcoder View Post
    I hope that you understand that $row['usergroup'] has the contents of the field that shows whether the user is an admin or not. If the content is 1, in the above code, it means that the user is not an admin i.e a normal user so is redirected to the relevant page.

    To make it more specific to your case:

    PHP Code:
    $_SESSION['myusername']=$myusername;
    $row=mysql_fetch_assoc($result);
    if($row['usergroup']==1) //normal user
        header("location: main.php");
    elseif($row['usergroup']==0) //admin
        header("location: admin_main.php");
    else
        //If the username/password combination has not been found in the dbase
        header("location: wrong.php");
    Thanks above and Redcoder,

    As per your suggestion I will get this altered and post the update.....

  • #5
    Regular Coder
    Join Date
    Oct 2012
    Location
    mother land --india
    Posts
    161
    Thanks
    37
    Thanked 2 Times in 2 Posts
    Redcoder,

    What about the SQL command? Is there anything I need to change?


    Regards,
    nani

  • #6
    Regular Coder Redcoder's Avatar
    Join Date
    May 2012
    Location
    /dev/null
    Posts
    332
    Thanks
    2
    Thanked 47 Times in 46 Posts
    You should change this:
    Quote Originally Posted by nani_nisha06 View Post
    PHP Code:
    $sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
    To:
    PHP Code:
    $sql="SELECT * FROM `".$tbl_name."` WHERE username='$myusername' and password='$mypassword'";
    And another thing: escape input from the user to prevent SQL injection. Never trust input from the user.

  • Users who have thanked Redcoder for this post:

    nani_nisha06 (10-14-2012)

  • #7
    Regular Coder
    Join Date
    Oct 2012
    Location
    mother land --india
    Posts
    161
    Thanks
    37
    Thanked 2 Times in 2 Posts
    Quote Originally Posted by Redcoder View Post
    You should change this:


    To:
    PHP Code:
    $sql="SELECT * FROM `".$tbl_name."` WHERE username='$myusername' and password='$mypassword'";
    And another thing: escape input from the user to prevent SQL injection. Never trust input from the user.
    Hi Redcoder,

    As you suggested, I have changed my login script as below,


    Code:
    <?php session_start(); ?>
    <?php
    $host="localhost"; // Host name 
    $username="testDBuser"; // Mysql username 
    $password="1234"; // Mysql password 
    $db_name="testdb"; // Database name 
    $tbl_name="members"; // Table name 
    
    // Connect to server and select database.
    mysql_connect("$host", "$username", "$password")or die("cannot connect"); 
    mysql_select_db("$db_name")or die("cannot select DB");
    
    // username and password sent from form 
    $myusername=$_POST['myusername']; 
    $mypassword=$_POST['mypassword']; 
    
    // To protect MySQL injection (more detail about MySQL injection)
    $myusername = stripslashes($myusername);
    $mypassword = stripslashes($mypassword);
    $myusername = mysql_real_escape_string($myusername);
    $mypassword = hash('sha256', $salt.$mypassword);
    if (preg_match("/^\w{8,12}$/", $myusername, $matches))
    {
    $sql="SELECT * FROM `".$tbl_name."` WHERE username='$myusername' and password='$mypassword'";
    $result=mysql_query($sql);
    }
    else 
    {
       header("location: wrong.php");
    }
    
    if (mysql_num_rows($result) === 1) {
    
    // Register $myusername, $mypassword and redirect to file "login_success.php"
    $_SESSION['myusername']=$myusername;
    }
    $row=mysql_fetch_assoc($result);
    if($row['usergroup']==1)  //normal user
    { 
    header("location: /MYM/main.php"); 
    }
    elseif($row['usergroup']==0) //admin
    { 
    header("location: /MYM/admin/admin_main.php"); 
    }
    else //If the username/password combination has not been found in the dbase
    { 
    header("location: wrong.php");  
    }
    ?>
    But now I see that when I try the admin login, it redirects correctly. In the case of a normal user login, I see it redirecting me to an unknown extension, "admin/index.html".

    Moreover, I see preg_match("/^\w{8,12}$/", $myusername, $matches) doesn't work for me??

    Any suggestions? I am even thinking SQL injection will get somewhat over leaded by implementing preg_match().

    Regards,
    nani

  • #8
    Regular Coder Redcoder's Avatar
    Join Date
    May 2012
    Location
    /dev/null
    Posts
    332
    Thanks
    2
    Thanked 47 Times in 46 Posts
    Quote Originally Posted by nani_nisha06 View Post
    But now I see that when I try the admin login, it redirects correctly. In the case of a normal user login, I see it redirecting me to an unknown extension, "admin/index.html".

    Moreover, I see preg_match("/^\w{8,12}$/", $myusername, $matches) doesn't work for me??

    Any suggestions? I am even thinking SQL injection will get somewhat over leaded by implementing preg_match().

    Regards,
    nani
    For the Preg_match, the code below should do it. It will check the username for characters between 2 and 20 characters and containing alphanumeric characters and underscores.
    PHP Code:
    if(preg_match('/^[a-z\d_]{2,20}$/i', $myusername))
    For SQL injection, mysql_real_escape_string should escape the input off quotes.

    Just some advice: change to the mysqli or PDO database driver. The mysql driver is deprecated and slow too. Mysqli(mysql improved) is an easy transition from the mysql extension. Check out this comparison of PDO and mysqli.

    To really check the SQL injection stuff, look into Prepared Statements.

    Also check out : http://25yearsofprogramming.com/blog/2011/20110205.htm , it's relevant to your code. It just reiterates what i've told ya.

    69 post haha.
    Last edited by Redcoder; 10-14-2012 at 09:24 PM.

  • Users who have thanked Redcoder for this post:

    nani_nisha06 (10-15-2012)
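
Added example (not part of any post in this thread, and not the posters' code): the thread's login check written with a PDO prepared statement, the approach Redcoder's advice on prepared statements points to. It assumes an in-memory SQLite table standing in for MySQL, constructed accounts, a hypothetical `pass_hash` column, and PHP's `password_hash()`/`password_verify()` swapped in for the thread's salted SHA hashes. It also maps `usergroup` strictly, because with `==` a NULL or missing value compares equal to 0, the admin value.

```php
<?php
// Added example, not from the thread. Table layout, accounts and passwords
// are constructed; in-memory SQLite stands in for the MySQL database.

function demo_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE members (
        username TEXT PRIMARY KEY, pass_hash TEXT NOT NULL, usergroup INTEGER)');
    // usergroup follows the thread: 0 = admin, 1 = normal user.
    $rows = [
        ['site_admin', 'constructed-admin-pw', 0],
        ['nani_user',  'constructed-user-pw',  1],
        ['no_group',   'constructed-pw-3',     null],
    ];
    $ins = $pdo->prepare('INSERT INTO members VALUES (?, ?, ?)');
    foreach ($rows as [$name, $pw, $group]) {
        $ins->execute([$name, password_hash($pw, PASSWORD_DEFAULT), $group]);
    }
    return $pdo;
}

// Returns 'admin', 'normal', or null when the login must be refused.
function authenticate(PDO $pdo, string $username, string $password): ?string
{
    // Allow-list from the thread, applied before the database is touched.
    if (!preg_match('/^[a-z\d_]{2,20}$/i', $username)) {
        return null;
    }
    // The username is bound as a parameter, so it is never parsed as SQL.
    $stmt = $pdo->prepare(
        'SELECT pass_hash, usergroup FROM members WHERE username = ?'
    );
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['pass_hash'])) {
        return null;
    }
    // Strict comparison on purpose: null == 0 is true in PHP, so a loose
    // check would treat a missing usergroup as admin.
    if ($row['usergroup'] === null) {
        return null;
    }
    $group = (string) $row['usergroup'];
    if ($group === '0') {
        return 'admin';
    }
    return $group === '1' ? 'normal' : null;
}

// Maps the role to the redirect targets used in the thread.
function redirect_for(?string $role): string
{
    $paths = ['admin' => '/MYM/admin/admin_main.php', 'normal' => '/MYM/main.php'];
    return $role === null ? 'wrong.php' : ($paths[$role] ?? 'wrong.php');
}

if (PHP_SAPI === 'cli') {
    $pdo = demo_db();
    $attempts = [
        ['site_admin', 'constructed-admin-pw'],  // valid admin credentials
        ['nani_user',  'constructed-user-pw'],   // valid normal-user credentials
        ['nani_user',  'not-the-password'],      // wrong password
        ['no_group',   'constructed-pw-3'],      // valid password, NULL usergroup
        ["o'brien",    'anything'],              // fails the allow-list
    ];
    foreach ($attempts as [$user, $pass]) {
        printf("%-11s -> %s\n", $user, redirect_for(authenticate($pdo, $user, $pass)));
    }
}
```

In a real login script the returned role would be stored in `$_SESSION['user_type']` after `session_regenerate_id(true)`, followed by `header()` and `exit`.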

  • #9
    Regular Coder
    Join Date
    Oct 2012
    Location
    mother land --india
    Posts
    161
    Thanks
    37
    Thanked 2 Times in 2 Posts
    Quote Originally Posted by nani_nisha06 View Post
    HI redcoder,

    But now I see that when I try the admin login, it redirects correctly. In the case of a normal user login, I see it redirecting me to an unknown extension, "admin/index.html".
    Regards,
    nani
    Redcoder,

    As per the above comment, I still see this default redirection for the normal user. Any clue?

    Also, if you can help me on the threads below, it would be a great phase & help for my learning.


    Code:
    http://www.codingforums.com/showthread.php?t=275718
    
    http://www.codingforums.com/showthread.php?t=275610
    
    http://www.codingforums.com/showthread.php?t=275611
    Please note: I have done more research, but as I am a self-learner these things still bother me, so I wanted to check if you can help me here as well.

    Regards,
    Nani

  • #10
    Regular Coder Redcoder's Avatar
    Join Date
    May 2012
    Location
    /dev/null
    Posts
    332
    Thanks
    2
    Thanked 47 Times in 46 Posts
    Quote Originally Posted by nani_nisha06 View Post
    Redcoder,

    As per the above comment, I still see this default redirection for the normal user. Any clue?

    Also, if you can help me on the threads below, it would be a great phase & help for my learning.


    Code:
    http://www.codingforums.com/showthread.php?t=275718
    
    http://www.codingforums.com/showthread.php?t=275610
    
    http://www.codingforums.com/showthread.php?t=275611
    Regards,
    Nani
    Hmm...does the /MYM/main.php page exist? If it doesn't exist, .htaccess rules may be written to redirect to index.html in case of a 404 error.

    Also it could be just a simple case of /MYM/main.php has code that redirects to admin/index.html every time. Try checking your main.php code and whether the file itself exists.

  • #11
    Regular Coder
    Join Date
    Oct 2012
    Location
    mother land --india
    Posts
    161
    Thanks
    37
    Thanked 2 Times in 2 Posts
    Quote Originally Posted by Redcoder View Post
    Hmm...does the /MYM/main.php page exist? If it doesn't exist, .htaccess rules may be written to redirect to index.html in case of a 404 error.

    Also it could be just a simple case of /MYM/main.php has code that redirects to admin/index.html every time. Try checking your main.php code and whether the file itself exists.
    Redcoder,

    With your support I have changed the above code as below. But now the problem is that when a normal user logs in to his account he is successfully redirected to main.php; if the same user enters the admin folder path, he is able to see all the admin features. So now I want to block him from going into admin privileges.

    I know that my model is typically an old model of thinking, but as I am a learner I have just started with this, so help me with any framework for this issue if you think I am still thinking wrong.

    Code:
    <?php session_start(); ?>
    <?php
    $host="localhost"; // Host name 
    $username="naveen"; // Mysql username 
    $password="1234"; // Mysql password 
    $db_name="testdata"; // Database name 
    $tbl_name="test"; // Table name 
    
    // Connect to server and select database.
    mysql_connect("$host", "$username", "$password")or die("cannot connect"); 
    mysql_select_db("$db_name")or die("cannot select DB");
    
    // username and password sent from form 
    $myusername=$_POST['myusername']; 
    $mypassword=$_POST['mypassword']; 
    
    // To protect MySQL injection (more detail about MySQL injection)
    $myusername = stripslashes($myusername);
    $mypassword = stripslashes($mypassword);
    $myusername = mysql_real_escape_string($myusername);
    function DoubleSaltedHash($pass, $salt) {
        return sha1($salt.sha1($salt.sha1($pass)));
    }
    $path = "wrong.php";
    $usercond = true;
    preg_match("/^\w{2,10}$/", $myusername,$match);
    $row = 0;
    if (!empty($match[0]))
    {
     	$sql="SELECT * FROM `".$tbl_name."` WHERE username='$myusername'";
    	
    	$result=mysql_query($sql);
    	$row=mysql_fetch_assoc($result);
    	$mypassword = mysql_real_escape_string(DoubleSaltedHash($mypassword,$row['salt']));
    	if($mypassword != $row['password'])
    		$row = 0;
    }
    
    //echo "SDFSD". $row ;exit;
    if (  !empty($row) > 0) 
    {
    	$_SESSION['myusername']=$myusername;// Register $myusername, $mypassword and redirect to file "login_success.php"
    	
    
    	if($row['usertype']==1)  //normal user
    	{
    		$path = "main.php";
    	}
    	elseif($row['usertype']==0) //admin
    	{ 
    		$path ="/MYM/admin/admin_main.php";
    	}
    }
    header("Location: ".$path);
    
    
    ?>
    Last edited by nani_nisha06; 10-17-2012 at 08:34 AM.

  • #12
    Regular Coder
    Join Date
    Oct 2012
    Location
    mother land --india
    Posts
    161
    Thanks
    37
    Thanked 2 Times in 2 Posts
    Redcoder,

    it would be great if you can suggest me on the below post.

    Need help to get the Alert message after redirect

    Regards,
    Nani

  • #13
    Regular Coder Redcoder's Avatar
    Join Date
    May 2012
    Location
    /dev/null
    Posts
    332
    Thanks
    2
    Thanked 47 Times in 46 Posts
    Quote Originally Posted by nani_nisha06 View Post
    Redcoder,

    With your support I have changed the above code as below. But now the problem is that when a normal user logs in to his account he is successfully redirected to main.php; if the same user enters the admin folder path, he is able to see all the admin features. So now I want to block him from going into admin privileges.

    You should introduce session variables to hold info on whether the user is an admin or not.

    Like this
    PHP Code:

    //If user is admin
    $_SESSION['user_type'] = 'admin';

    //For normal users
    $_SESSION['user_type'] = 'normal';
    So here's how you'd implement it:

    PHP Code:

    <?php session_start(); ?>
    <?php
    $host="localhost"; // Host name
    $username="naveen"; // Mysql username
    $password="1234"; // Mysql password
    $db_name="testdata"; // Database name
    $tbl_name="test"; // Table name

    // Connect to server and select database.
    mysql_connect("$host", "$username", "$password")or die("cannot connect");
    mysql_select_db("$db_name")or die("cannot select DB");

    // username and password sent from form
    $myusername=$_POST['myusername'];
    $mypassword=$_POST['mypassword'];

    // To protect MySQL injection (more detail about MySQL injection)
    $myusername = stripslashes($myusername);
    $mypassword = stripslashes($mypassword);
    $myusername = mysql_real_escape_string($myusername);
    function DoubleSaltedHash($pass, $salt) {
        return sha1($salt.sha1($salt.sha1($pass)));
    }
    $path = "wrong.php";
    $usercond = true;
    preg_match("/^\w{2,10}$/", $myusername,$match);
    $row = 0;
    if (!empty($match[0]))
    {
        $sql="SELECT * FROM `".$tbl_name."` WHERE username='$myusername'";

        $result=mysql_query($sql);
        $row=mysql_fetch_assoc($result);
        $mypassword = mysql_real_escape_string(DoubleSaltedHash($mypassword,$row['salt']));
        if($mypassword != $row['password'])
            $row = 0;
    }

    //echo "SDFSD". $row ;exit;
    if (  !empty($row) > 0)
    {
        $_SESSION['myusername']=$myusername;// Register $myusername, $mypassword and redirect to file "login_success.php"

        if($row['usertype']==1)  //normal user
        {
            $path = "main.php";
            $_SESSION['user_type'] = 'normal';
        }
        elseif($row['usertype']==0) //admin
        {
            $path ="/MYM/admin/admin_main.php";
            $_SESSION['user_type'] = 'admin';
        }
    }
    header("Location: ".$path);

    ?>
    And then on top of admin PHP script write this:

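    PHP Code:
    <?php

    session_start();

    if(!isset($_SESSION['user_type']) || $_SESSION['user_type'] != 'admin') //If not admin
    {
        header("Location: main.php"); //Redirect to main.php
        exit; //Stop here, otherwise the rest of the admin page still runs and is sent
    }

    //The rest of the admin.php code here

    ?>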
    Last edited by Redcoder; 10-17-2012 at 06:37 PM.

  • The Following 2 Users Say Thank You to Redcoder For This Useful Post:

    hujan (10-29-2012), nani_nisha06 (10-17-2012)

  • #14
    Regular Coder
    Join Date
    Oct 2012
    Location
    mother land --india
    Posts
    161
    Thanks
    37
    Thanked 2 Times in 2 Posts
    Quote Originally Posted by Redcoder View Post
    You should introduce session variables to hold info on whether the user is an admin or not.

    Thanks Redcoder.....This worked like a charm...

    by the way any comments on the way I am planning to learn?

  • Users who have thanked nani_nisha06 for this post:

    hujan (10-29-2012)

  • #15
    Regular Coder Redcoder's Avatar
    Join Date
    May 2012
    Location
    /dev/null
    Posts
    332
    Thanks
    2
    Thanked 47 Times in 46 Posts
    Quote Originally Posted by nani_nisha06 View Post
    By the way any comments on the way I am planning to learn?
    Well, knowing is not enough, we must apply - Bruce Lee.

    Applying your knowledge in a vast array of real-life projects is the best way to learn. It gives you skills like speed and also reinforces what you know making programming in the future for you.

  • Users who have thanked Redcoder for this post:

    nani_nisha06 (10-18-2012)

