CodingForums.com

CodingForums.com (http://www.codingforums.com/index.php)
-   PHP (http://www.codingforums.com/forumdisplay.php?f=6)
-   -   Admin page redirect (http://www.codingforums.com/showthread.php?t=276170)

nani_nisha06 10-11-2012 05:27 PM

Admin page redirect
 
Hi all,

here I come with a new project, however I am using an old script ;).

My new project requirement is:

1) If an admin logs in he should go to admin_main.php.

2) If a normal user logs in he should go to main.php.

I know I should create a database field for usergroup and fill it with 1 or 0.

I need your help making the above conditions work on the code below.


Code:

<?php session_start(); ?>
<?php
$host="localhost"; // Host name
$username="test"; // Mysql username
$password="1234"; // Mysql password
$db_name="test"; // Database name
$tbl_name="members"; // Table name

// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

// username and password sent from form
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];

// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
// $salt must be defined before this line (it is not set anywhere in this script)
$mypassword = hash('sha256', $salt.$mypassword);
$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);

if (mysql_num_rows($result) === 1) {

// Register $myusername, $mypassword and redirect to file "login_success.php"
$_SESSION['myusername']=$myusername;

// $_SESSION['LoggedIn'] = 1;
header("location:main.php");
}
else {
//echo "Wrong Username or Password";
header("location:wrong.php");
}
?>


abduraooft 10-12-2012 11:13 AM

Quote:

PHP Code:

// Register $myusername, $mypassword and redirect to file "login_success.php"
$_SESSION['myusername']=$myusername;

// $_SESSION['LoggedIn'] = 1;
header("location:main.php"); 


That should be something like


PHP Code:

$_SESSION['myusername']=$myusername;
$row=mysql_fetch_assoc($result);
if($row['usergroup']==1)
    header("location:main.php");
else
    header("location:admin_main.php");

PS: You'd need to add proper checks on top of all protected pages to ensure the usergroup status of the user when accessing them.

Redcoder 10-12-2012 07:26 PM

Quote:

Originally Posted by abduraooft (Post 1279058)


PHP Code:

$_SESSION['myusername']=$myusername;
$row=mysql_fetch_assoc($result);
if($row['usergroup']==1)
    header("location:main.php");
else
    header("location:admin_main.php");


I hope that you understand that $row['usergroup'] has the contents of the field that shows whether the user is an admin or not. If the content is 1, in the above code, it means that the user is not an admin, i.e. a normal user, so is redirected to the relevant page.

To make it more specific to your case:

PHP Code:

$_SESSION['myusername']=$myusername;
$row=mysql_fetch_assoc($result);
if($row['usergroup']==1) //normal user
    header("location: main.php");
elseif($row['usergroup']==0) //admin
    header("location: admin_main.php");
else
    //If the username/password combination has not been found in the dbase
    header("location: wrong.php");


nani_nisha06 10-12-2012 07:58 PM

Quote:

Originally Posted by Redcoder (Post 1279191)
I hope that you understand that $row['usergroup'] has the contents of the field that shows whether the user is an admin or not. If the content is 1, in the above code, it means that the user is not an admin, i.e. a normal user, so is redirected to the relevant page.

To make it more specific to your case:

PHP Code:

$_SESSION['myusername']=$myusername;
$row=mysql_fetch_assoc($result);
if($row['usergroup']==1) //normal user
    header("location: main.php");
elseif($row['usergroup']==0) //admin
    header("location: admin_main.php");
else
    //If the username/password combination has not been found in the dbase
    header("location: wrong.php");


Thanks above and Redcoder,

As per your suggestion I will get this altered and post the update.....

nani_nisha06 10-13-2012 07:08 PM

Redcoder,

what about the SQL command, is there anything I need to change???


Regards,
nani

Redcoder 10-13-2012 08:12 PM

You should change this:
Quote:

Originally Posted by nani_nisha06 (Post 1278823)
PHP Code:

$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";


To:
PHP Code:

$sql="SELECT * FROM `".$tbl_name."` WHERE username='$myusername' and password='$mypassword'";

And another thing: escape input from the user to prevent SQL injection. Never trust input from the user.

nani_nisha06 10-14-2012 08:29 PM

Quote:

Originally Posted by Redcoder (Post 1279912)
You should change this:


To:
PHP Code:

$sql="SELECT * FROM `".$tbl_name."` WHERE username='$myusername' and password='$mypassword'";

And another thing: escape input from the user to prevent SQL injection. Never trust input from the user.

Hi Redcoder,

As you suggested I have changed my login script as below,


Code:

<?php session_start(); ?>
<?php
$host="localhost"; // Host name
$username="testDBuser"; // Mysql username
$password="1234"; // Mysql password
$db_name="testdb"; // Database name
$tbl_name="members"; // Table name

// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

// username and password sent from form
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];

// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
// $salt must be defined before this line (it is not set anywhere in this script)
$mypassword = hash('sha256', $salt.$mypassword);
if (preg_match("/^\w{8,12}$/", $myusername, $matches))
{
$sql="SELECT * FROM `".$tbl_name."` WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);
}
else
{
  header("location: wrong.php");
  exit; // stop here: without exit the script continues and $result is undefined below
}

if (mysql_num_rows($result) === 1) {

// Register $myusername, $mypassword and redirect to file "login_success.php"
$_SESSION['myusername']=$myusername;
}
$row=mysql_fetch_assoc($result);
if($row['usergroup']==1)  //normal user
{
header("location: /MYM/main.php");
}
elseif($row['usergroup']==0) //admin
{
header("location: /MYM/admin/admin_main.php");
}
else //If the username/password combination has not been found in the dbase
{
header("location: wrong.php"); 
}
?>

But now I see when I am trying to use the admin login it is redirecting correctly. In case of a normal user login I see it is redirecting me to an unknown extension, "admin/index.html".

Moreover, I see preg_match("/^\w{8,12}$/", $myusername, $matches) doesn't work for me??

Any suggestion.... Even I am thinking SQL injection will get somewhat over leaded by implementing preg_match().

Regards,
nani

Redcoder 10-14-2012 09:00 PM

Quote:

Originally Posted by nani_nisha06 (Post 1280117)
But now I see when I am trying to use the admin login it is redirecting correctly. In case of a normal user login I see it is redirecting me to an unknown extension, "admin/index.html".

Moreover, I see preg_match("/^\w{8,12}$/", $myusername, $matches) doesn't work for me??

Any suggestion.... Even I am thinking SQL injection will get somewhat over leaded by implementing preg_match().

Regards,
nani

For the preg_match, the code below should do it. It will check that the username is between 2 and 20 characters long and contains only alphanumeric characters and underscores.
PHP Code:

if (preg_match('/^[a-z\d_]{2,20}$/i', $myusername)) {
    // username is valid: run the query here
}

For SQL injection, mysql_real_escape_string should escape the input off quotes.

Just some advice: change to the mysqli or PDO database driver. The mysql driver is deprecated and slow too. Mysqli (MySQL improved) is an easy transition from the mysql extension. Check out this comparison of PDO and mysqli.

To really check the SQL injection stuff, look into Prepared Statements.

Also check out: http://25yearsofprogramming.com/blog/2011/20110205.htm , it's relevant to your code. It just reiterates what I've told ya.

69 post haha.
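Redcoder's advice above (a newer driver than the mysql extension, prepared statements, and validating rather than trusting the username) carried through as an added example; this is not code from the thread or from any of its posters. It assumes a PDO connection to a MySQL table named test with columns username, password_hash and usertype (0 = admin, 1 = normal user, the mapping the thread's later scripts use), the page names main.php, admin/admin_main.php and wrong.php from the thread, and placeholder connection credentials. It also swaps the thread's salted SHA hashing for PHP's password_hash()/password_verify(), which manages the per-user salt itself.

```php
<?php
// Added example, not code from the thread. Table/column names, paths and
// credentials below are assumptions taken from the discussion.
declare(strict_types=1);
session_start();

// ERRMODE_EXCEPTION so a failed query cannot be silently ignored;
// EMULATE_PREPARES off so the MySQL server itself binds the parameters.
$pdo = new PDO(
    'mysql:host=localhost;dbname=testdata;charset=utf8mb4',
    'naveen',   // placeholder DB user from the thread
    '1234',     // placeholder DB password from the thread
    [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]
);

$myusername = $_POST['myusername'] ?? '';
$mypassword = $_POST['mypassword'] ?? '';

// Whitelist validation, same rule Redcoder proposes: 2 to 20 letters, digits
// or underscores. Anything else is rejected before it goes near the database.
if (!preg_match('/^[a-z\d_]{2,20}$/i', $myusername)) {
    header('Location: wrong.php');
    exit; // always stop after a redirect, or the rest of the script still runs
}

// The user-supplied value never becomes part of the SQL text: it is sent as a
// bound parameter, so a value such as  x' OR '1'='1  cannot change the query.
// The password is deliberately NOT in the WHERE clause; it is checked in PHP.
$stmt = $pdo->prepare(
    'SELECT username, password_hash, usertype FROM test WHERE username = :u LIMIT 1'
);
$stmt->execute([':u' => $myusername]);
$row = $stmt->fetch(); // false when no such user

// password_verify() reads the salt and cost from the stored hash and compares
// in constant time. For an unknown user we still verify against a throwaway
// hash so that a missing account takes as long as a wrong password.
$hashToCheck = $row !== false
    ? $row['password_hash']
    : password_hash('throwaway-password', PASSWORD_DEFAULT);
$ok = password_verify($mypassword, $hashToCheck) && $row !== false;

if (!$ok) {
    header('Location: wrong.php');
    exit;
}

// Successful login: issue a fresh session id so an id handed out before login
// cannot be reused, then record identity and role server-side. The role is
// derived from the database row, never from anything the client sent.
session_regenerate_id(true);
$_SESSION['myusername'] = $row['username'];
$_SESSION['user_type']  = ((int) $row['usertype'] === 0) ? 'admin' : 'normal';

$path = ($_SESSION['user_type'] === 'admin') ? '/MYM/admin/admin_main.php' : '/MYM/main.php';
header('Location: ' . $path);
exit;
```

Two points worth noticing against the thread's scripts: the `exit` after every `header('Location: ...')` is what prevents the rest of the page from executing and being sent to a client that ignores the redirect, and keeping the password out of the SQL means the query shape is identical for every login attempt, which makes the query easy to log and audit.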

nani_nisha06 10-15-2012 08:44 AM

Quote:

Originally Posted by nani_nisha06 (Post 1280117)
Hi Redcoder,

As you suggested I have changed my login script as below,


Code:

<?php session_start(); ?>
<?php
$host="localhost"; // Host name
$username="testDBuser"; // Mysql username
$password="1234"; // Mysql password
$db_name="testdb"; // Database name
$tbl_name="members"; // Table name

// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

// username and password sent from form
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];

// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
// $salt must be defined before this line (it is not set anywhere in this script)
$mypassword = hash('sha256', $salt.$mypassword);
if (preg_match("/^\w{8,12}$/", $myusername, $matches))
{
$sql="SELECT * FROM `".$tbl_name."` WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);
}
else
{
  header("location: wrong.php");
  exit; // stop here: without exit the script continues and $result is undefined below
}

if (mysql_num_rows($result) === 1) {

// Register $myusername, $mypassword and redirect to file "login_success.php"
$_SESSION['myusername']=$myusername;
}
$row=mysql_fetch_assoc($result);
if($row['usergroup']==1)  //normal user
{
header("location: /MYM/main.php");
}
elseif($row['usergroup']==0) //admin
{
header("location: /MYM/admin/admin_main.php");
}
else //If the username/password combination has not been found in the dbase
{
header("location: wrong.php"); 
}
?>

But now I see when I am trying to use the admin login it is redirecting correctly. In case of a normal user login I see it is redirecting me to an unknown extension, "admin/index.html".
Regards,
nani

Redcoder,

As per the above comment I still see this default redirection for a normal user, any clue???

Also, if you can help me on the below threads it would be a great phase & help for my learning.


Code:

http://www.codingforums.com/showthread.php?t=275718

http://www.codingforums.com/showthread.php?t=275610

http://www.codingforums.com/showthread.php?t=275611

Please note: I have done more research, but as I am a self learner these things still bother me, so I wanted to check if you can help me here as well.

Regards,
Nani

Redcoder 10-15-2012 10:33 AM

Quote:

Originally Posted by nani_nisha06 (Post 1280250)
Redcoder,

As per the above comment I still see this default redirection for a normal user, any clue???

Also, if you can help me on the below threads it would be a great phase & help for my learning.


Code:

http://www.codingforums.com/showthread.php?t=275718

http://www.codingforums.com/showthread.php?t=275610

http://www.codingforums.com/showthread.php?t=275611

Regards,
Nani

Hmm...does the /MYM/main.php page exist? If it doesn't exist, .htaccess rules may be written to redirect to index.html in case of a 404 error.

Also it could be just a simple case of /MYM/main.php having code that redirects to admin/index.html every time. Try checking your main.php code and whether the file itself exists.

nani_nisha06 10-17-2012 08:27 AM

Quote:

Originally Posted by Redcoder (Post 1280276)
Hmm...does the /MYM/main.php page exist? If it doesn't exist, .htaccess rules may be written to redirect to index.html in case of a 404 error.

Also it could be just a simple case of /MYM/main.php having code that redirects to admin/index.html every time. Try checking your main.php code and whether the file itself exists.

Redcoder,

With your support I have changed the above code as below. But now the problem is: when a normal user logs in to his account he is successfully redirected to main.php now, but if the same user enters the admin folder path he is able to see all the admin features, so now I want to block him from getting admin privileges.

I know that my model is a typically old model of thinking, but as I am a learner I have just started with this....so help me with any framework for these issues if you think I am still thinking wrong.

Code:

<?php session_start(); ?>
<?php
$host="localhost"; // Host name
$username="naveen"; // Mysql username
$password="1234"; // Mysql password
$db_name="testdata"; // Database name
$tbl_name="test"; // Table name

// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

// username and password sent from form
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];

// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
function DoubleSaltedHash($pass, $salt) {
    return sha1($salt.sha1($salt.sha1($pass)));
}
$path = "wrong.php";
$usercond = true;
preg_match("/^\w{2,10}$/", $myusername,$match);
$row = 0;
if (!empty($match[0]))
{
        $sql="SELECT * FROM `".$tbl_name."` WHERE username='$myusername'";
       
        $result=mysql_query($sql);
        $row=mysql_fetch_assoc($result);
        // mysql_fetch_assoc() returns false when no row matched; treat that as a failed login
        if ($row === false) {
                $row = 0;
        } else {
                $mypassword = mysql_real_escape_string(DoubleSaltedHash($mypassword,$row['salt']));
                if($mypassword != $row['password'])
                        $row = 0;
        }
}

//echo "SDFSD". $row ;exit;
if (!empty($row))
{
        $_SESSION['myusername']=$myusername;// Register $myusername, $mypassword and redirect to file "login_success.php"
       

        if($row['usertype']==1)  //normal user
        {
                $path = "main.php";
        }
        elseif($row['usertype']==0) //admin
        {
                $path ="/MYM/admin/admin_main.php";
        }
}
header("Location: ".$path);


?>


nani_nisha06 10-17-2012 09:37 AM

Redcoder,

it would be great if you could advise me on the post below.

http://www.codingforums.com/showthread.php?t=276288

Regards,
Nani

Redcoder 10-17-2012 03:49 PM

Quote:

Originally Posted by nani_nisha06 (Post 1281074)
Redcoder,

With your support I have changed the above code as below. But now the problem is: when a normal user logs in to his account he is successfully redirected to main.php now, but if the same user enters the admin folder path he is able to see all the admin features, so now I want to block him from getting admin privileges.


You should introduce session variables to hold info on whether the user is an admin or not.

Like this
PHP Code:

//If user is admin
$_SESSION['user_type'] = 'admin';

//For normal users
$_SESSION['user_type'] = 'normal';

So here's how you'd implement it:

PHP Code:

<?php session_start(); ?>
<?php
$host="localhost"; // Host name
$username="naveen"; // Mysql username
$password="1234"; // Mysql password
$db_name="testdata"; // Database name
$tbl_name="test"; // Table name

// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

// username and password sent from form
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];

// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
function DoubleSaltedHash($pass, $salt) {
    return sha1($salt.sha1($salt.sha1($pass)));
}
$path = "wrong.php";
$usercond = true;
preg_match("/^\w{2,10}$/", $myusername, $match);
$row = 0;
if (!empty($match[0]))
{
    $sql="SELECT * FROM `".$tbl_name."` WHERE username='$myusername'";
    $result=mysql_query($sql);
    $row=mysql_fetch_assoc($result);
    // mysql_fetch_assoc() returns false when no row matched; treat that as a failed login
    if ($row === false) {
        $row = 0;
    } else {
        $mypassword = mysql_real_escape_string(DoubleSaltedHash($mypassword, $row['salt']));
        if ($mypassword != $row['password'])
            $row = 0;
    }
}

//echo "SDFSD". $row ;exit;
if (!empty($row))
{
    $_SESSION['myusername']=$myusername; // Register $myusername, $mypassword and redirect to file "login_success.php"

    if($row['usertype']==1)  //normal user
    {
        $path = "main.php";
        $_SESSION['user_type'] = 'normal';
    }
    elseif($row['usertype']==0) //admin
    {
        $path = "/MYM/admin/admin_main.php";
        $_SESSION['user_type'] = 'admin';
    }
}
header("Location: ".$path);
exit;
?>

And then at the top of the admin PHP script write this:

PHP Code:

<?php
session_start();

if (!isset($_SESSION['user_type']) || $_SESSION['user_type'] != 'admin') // If not logged in as admin
{
    header("Location: main.php"); // Redirect to main.php
    exit; // stop here, otherwise the admin page below is still executed and sent
}

// The rest of the admin.php code here
?>
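The check Redcoder puts at the top of the admin script, together with abduraooft's earlier point that every protected page needs such a check, generalised into one small include file as an added example (this is not code from the thread or its posters). The file name auth_guard.php, the login page path /MYM/login.php and answering with a 403 instead of redirecting are my assumptions; the session keys myusername and user_type are the ones the thread's own code sets at login.

```php
<?php
// Added example, not code from the thread: auth_guard.php (assumed file name).
// Include it before any output on every page that must not be reachable by
// just typing its URL, then call require_login() or require_role('admin').
declare(strict_types=1);

function require_login(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['myusername'])) {
        // Not logged in at all: back to the login form (assumed path) and stop.
        header('Location: /MYM/login.php');
        exit;
    }
}

function require_role(string $role): void
{
    require_login();

    // The role is read from the server-side session written at login time,
    // never from a cookie, hidden field or query parameter the user controls.
    if (($_SESSION['user_type'] ?? '') !== $role) {
        // A 403 rather than a silent redirect leaves a clear trace in the web
        // server's access log and in error_log, which is what you monitor for.
        http_response_code(403);
        error_log(sprintf(
            'authz denied: user=%s role=%s wanted=%s uri=%s ip=%s',
            $_SESSION['myusername'],
            $_SESSION['user_type'] ?? '(none)',
            $role,
            $_SERVER['REQUEST_URI'] ?? '',
            $_SERVER['REMOTE_ADDR'] ?? ''
        ));
        echo 'Forbidden';
        exit;
    }
}

// Usage, as the first lines of admin/admin_main.php (and of every other file
// in the admin folder, since each can be requested directly):
//   require __DIR__ . '/../auth_guard.php';
//   require_role('admin');
//
// and as the first lines of main.php:
//   require __DIR__ . '/auth_guard.php';
//   require_login();
```

The reason the guard must sit in every file under the admin folder, and not only in admin_main.php, is exactly the symptom reported earlier in the thread: a logged-in normal user who types the path of any admin script gets that script executed unless that script itself checks the session. The `exit` after the response is what actually stops execution; a `header()` call on its own only adds a response header and the rest of the page would still run.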


nani_nisha06 10-17-2012 06:29 PM

Quote:

Originally Posted by Redcoder (Post 1281216)
You should introduce session variables to hold info on whether the user is an admin or not.

Like this
PHP Code:

//If user is admin
$_SESSION['user_type'] = 'admin';

//For normal users
$_SESSION['user_type'] = 'normal';

So here's how you'd implement it:

PHP Code:

<?php session_start(); ?>
<?php
$host="localhost"; // Host name
$username="naveen"; // Mysql username
$password="1234"; // Mysql password
$db_name="testdata"; // Database name
$tbl_name="test"; // Table name

// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

// username and password sent from form
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];

// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
function DoubleSaltedHash($pass, $salt) {
    return sha1($salt.sha1($salt.sha1($pass)));
}
$path = "wrong.php";
$usercond = true;
preg_match("/^\w{2,10}$/", $myusername, $match);
$row = 0;
if (!empty($match[0]))
{
    $sql="SELECT * FROM `".$tbl_name."` WHERE username='$myusername'";
    $result=mysql_query($sql);
    $row=mysql_fetch_assoc($result);
    // mysql_fetch_assoc() returns false when no row matched; treat that as a failed login
    if ($row === false) {
        $row = 0;
    } else {
        $mypassword = mysql_real_escape_string(DoubleSaltedHash($mypassword, $row['salt']));
        if ($mypassword != $row['password'])
            $row = 0;
    }
}

//echo "SDFSD". $row ;exit;
if (!empty($row))
{
    $_SESSION['myusername']=$myusername; // Register $myusername, $mypassword and redirect to file "login_success.php"

    if($row['usertype']==1)  //normal user
    {
        $path = "main.php";
        $_SESSION['user_type'] = 'normal';
    }
    elseif($row['usertype']==0) //admin
    {
        $path = "/MYM/admin/admin_main.php";
        $_SESSION['user_type'] = 'admin';
    }
}
header("Location: ".$path);
exit;
?>

And then at the top of the admin PHP script write this:

PHP Code:

<?php
session_start();

if (!isset($_SESSION['user_type']) || $_SESSION['user_type'] != 'admin') // If not logged in as admin
{
    header("Location: main.php"); // Redirect to main.php
    exit; // stop here, otherwise the admin page below is still executed and sent
}

// The rest of the admin.php code here
?>


Thanks Redcoder.....This worked like a charm...:)

by the way any comments on the way I am planning to learn?

Redcoder 10-17-2012 06:34 PM

Quote:

Originally Posted by nani_nisha06 (Post 1281275)
By the way any comments on the way I am planning to learn?

Well, knowing is not enough, we must apply - Bruce Lee.

Applying your knowledge in a vast array of real-life projects is the best way to learn. It gives you skills like speed and also reinforces what you know making programming in the future :thumbsup: for you.

