Here I come with a new project; however, I am still using the old script.
My new project requirements are:
1) If an admin logs in, he should go to admin_main.php.
2) If a normal user logs in, he should go to main.php.
I know I should create a database field for usergroup and fill it with 1 or 0.
I need your help making the above conditions work in the code below.
Code:
<?php session_start(); ?>
<?php
$host="localhost"; // Host name
$username="test"; // Mysql username
$password="1234"; // Mysql password
$db_name="test"; // Database name
$tbl_name="members"; // Table name
// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");
// username and password sent from form
$myusername = isset($_POST['myusername']) ? $_POST['myusername'] : '';
$mypassword = isset($_POST['mypassword']) ? $_POST['mypassword'] : '';
// Undo magic_quotes escaping, then escape the username for the query.
// The password never reaches the query in clear text: it is hashed first.
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
// $salt is not defined anywhere in the posted script; it must be the same value
// that was used when the stored hashes were created (empty string assumed here).
$salt = "";
$mypassword = hash('sha256', $salt.$mypassword);
$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);
if (mysql_num_rows($result) === 1) {
// Register $myusername and redirect to the landing page
$_SESSION['myusername']=$myusername;
// $_SESSION['LoggedIn'] = 1;
header("location:main.php");
exit; // header() does not end the script; without exit the rest of the page still runs
}
else {
//echo "Wrong Username or Password";
header("location:wrong.php");
exit;
}
?>
I hope you understand that $row['usergroup'] holds the contents of the field that shows whether the user is an admin or not. If the content is 1, in the code above, it means the user is not an admin, i.e. a normal user, and is redirected to the relevant page.
To make it more specific to your case:
PHP Code:
$_SESSION['myusername']=$myusername;
$row=mysql_fetch_assoc($result);
if($row['usergroup']==1) { //normal user
header("location: main.php");
exit;
}
elseif($row['usergroup']==0) { //admin
header("location: admin_main.php");
exit;
}
else { //If the username/password combination has not been found in the database
header("location: wrong.php");
exit;
}
__________________
For professional Hosting and Web design.....
Thanks to the above and Redcoder,
As per your suggestion I will get this altered and post the update.
$sql="SELECT * FROM `".$tbl_name."` WHERE username='$myusername' and password='$mypassword'";
And another thing: escape input from the user to prevent SQL injection. Never trust input from the user.
Hi Redcoder,
As you suggested I have changed my login script as below:
Code:
<?php session_start(); ?>
<?php
$host="localhost"; // Host name
$username="testDBuser"; // Mysql username
$password="1234"; // Mysql password
$db_name="testdb"; // Database name
$tbl_name="members"; // Table name
// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");
// username and password sent from form
$myusername = isset($_POST['myusername']) ? $_POST['myusername'] : '';
$mypassword = isset($_POST['mypassword']) ? $_POST['mypassword'] : '';
// Undo magic_quotes escaping, then escape the username for the query
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
// $salt is not defined anywhere in the posted script; it must be the same value
// that was used when the stored hashes were created (empty string assumed here).
$salt = "";
$mypassword = hash('sha256', $salt.$mypassword);
// Only run the query when the username matches the allowed pattern (8-12 word characters)
if (preg_match("/^\w{8,12}$/", $myusername, $matches))
{
$sql="SELECT * FROM `".$tbl_name."` WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);
}
else
{
header("location: wrong.php");
exit; // without exit the script keeps running with $result undefined
}
if (mysql_num_rows($result) === 1) {
// Register $myusername and pick the landing page from the usergroup column
$_SESSION['myusername']=$myusername;
$row=mysql_fetch_assoc($result);
if($row['usergroup']==1) //normal user
{
header("location: /MYM/main.php");
exit;
}
elseif($row['usergroup']==0) //admin
{
header("location: /MYM/admin/admin_main.php");
exit;
}
}
// Username/password combination not found, or an unexpected usergroup value.
// The usergroup test must stay inside the row check above: on a failed lookup
// $row is false, and false['usergroup'] == 0 is true in PHP, so testing it out
// here would send every failed login to the admin page.
header("location: wrong.php");
exit;
?>
But now I see that when I try the admin login it redirects correctly. In the case of a normal user login I see it redirecting me to an unknown location, "admin/index.html".
Moreover, I see that preg_match("/^\w{8,12}$/", $myusername, $matches) doesn't work for me.
Any suggestions? Even I am thinking that SQL injection will get somewhat over leaded by implementing preg_match().
Regards,
nani
For the preg_match, the code below should do it. It will check that the username is between 2 and 20 characters long and contains only alphanumeric characters and underscores.
For SQL injection, mysql_real_escape_string should escape the quotes in the input.
Just some advice: change to the mysqli or PDO database driver. The mysql driver is deprecated and slow too. mysqli (MySQL improved) is an easy transition from the mysql extension. Check out this comparison of PDO and mysqli.
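The following is an added example, not code from the thread or from either poster: it shows the usergroup branching from Redcoder's first answer and the move to mysqli recommended just above, written the way a login handler should be structured. It assumes things the thread does not state: PHP 5.5 or later (for password_hash/password_verify), a `members` table with columns id, username, password_hash and usergroup (0 = admin, 1 = normal user, as in the thread), and the thread's test database credentials. The stored hashes are assumed to have been created with password_hash(); the sha256/nested-sha1 constructions from the thread are not used.

```php
<?php
// Added example, not code from the thread: the same login flow rewritten on mysqli with a
// prepared statement, password_verify(), and a strict usergroup -> landing page map.
// Assumed (not in the thread): PHP >= 5.5, a `members` table with columns id, username,
// password_hash (created with password_hash()) and usergroup, where 0 = admin and
// 1 = normal user as in the thread; the DB credentials are the thread's test values.
session_start();

// Map a usergroup value to its landing page; null for anything unexpected.
// Loose comparison is the trap here: null == 0 is true in PHP, and (int) "abc" is 0,
// so a missing row or a corrupted value must never be coerced into "admin".
function landing_page_for($usergroup) {
    $map = array(0 => '/MYM/admin/admin_main.php', 1 => '/MYM/main.php');
    if (!is_int($usergroup) && !(is_string($usergroup) && ctype_digit($usergroup))) {
        return null;
    }
    $key = (int) $usergroup;
    return isset($map[$key]) ? $map[$key] : null;
}

// Look the user up with a bound parameter and check the password hash in PHP.
// Returns an array with id/username/usergroup on success, null on any failure.
function authenticate(mysqli $db, $username, $password) {
    // Server-side username policy (2-20 word characters, as suggested in the thread).
    // This is input validation, not the injection defence; the bound parameter is.
    if (!preg_match('/^\w{2,20}$/', $username)) {
        return null;
    }
    $stmt = $db->prepare('SELECT id, password_hash, usergroup FROM members WHERE username = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($id, $hash, $usergroup);
    $found = $stmt->fetch();
    $stmt->close();
    if (!$found || !password_verify($password, $hash)) {
        return null;
    }
    return array('id' => $id, 'username' => $username, 'usergroup' => $usergroup);
}

function login_and_redirect(mysqli $db) {
    $username = isset($_POST['myusername']) ? $_POST['myusername'] : '';
    $password = isset($_POST['mypassword']) ? $_POST['mypassword'] : '';

    $user   = authenticate($db, $username, $password);
    $target = ($user !== null) ? landing_page_for($user['usergroup']) : null;
    if ($target === null) {
        header('Location: wrong.php');
        exit;
    }
    session_regenerate_id(true);   // fresh session id once the privilege level changes
    $_SESSION['user_id']    = $user['id'];
    $_SESSION['myusername'] = $user['username'];
    $_SESSION['user_type']  = ((int) $user['usergroup'] === 0) ? 'admin' : 'normal';
    header('Location: ' . $target);
    exit;                          // header() does not stop the script; exit does
}

$db = new mysqli('localhost', 'testDBuser', '1234', 'testdb');
if ($db->connect_error) {
    die('cannot connect');
}
$db->set_charset('utf8mb4');
login_and_redirect($db);
```

Two design points: the query is looked up by username only and the password is checked in PHP, so the hash never becomes part of the SQL text; and every redirect is followed by exit, because a Location header alone does not stop PHP from executing (and emitting) the rest of the script.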
Redcoder,
As per the above comment I still see this default redirection for a normal user. Any clue?
Also, if you can help me on the threads below it would be a great help for my learning.
Hmm... does the /MYM/main.php page exist? If it doesn't exist, .htaccess rules may be written to redirect to index.html in case of a 404 error.
Also it could just be a simple case of /MYM/main.php having code that redirects to admin/index.html every time. Try checking your main.php code and whether the file itself exists.
Redcoder,
With your support I have changed the code as below. But now the problem is that when a normal user logs in to his account he is successfully redirected to main.php; if the same user enters the admin folder path he is able to see all the admin features. So now I want to block him from getting admin privileges.
I know that my model is typically an old way of thinking, but as I am a learner I have just started with this, so help me with any framework for these issues if you think I am still thinking wrong.
Code:
<?php session_start(); ?>
<?php
$host="localhost"; // Host name
$username="naveen"; // Mysql username
$password="1234"; // Mysql password
$db_name="testdata"; // Database name
$tbl_name="test"; // Table name
// Connect to server and select databse.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");
// username and password sent from form
$myusername = isset($_POST['myusername']) ? $_POST['myusername'] : '';
$mypassword = isset($_POST['mypassword']) ? $_POST['mypassword'] : '';
// Undo magic_quotes escaping, then escape the username for the query
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
// Per-user salted hash. Nested SHA-1 is fast, so it gives no brute-force slowdown;
// password_hash()/password_verify() are the standard replacement on PHP 5.5+.
function DoubleSaltedHash($pass, $salt) {
return sha1($salt.sha1($salt.sha1($pass)));
}
$path = "wrong.php"; // default: reject unless every check below succeeds
preg_match("/^\w{2,10}$/", $myusername,$match);
$row = 0;
if (!empty($match[0]))
{
// Look the user up by name only, then compare the hash in PHP using the stored salt
$sql="SELECT * FROM `".$tbl_name."` WHERE username='$myusername'";
$result=mysql_query($sql);
$row=mysql_fetch_assoc($result);
$salt = $row ? $row['salt'] : ''; // no row: hash against an empty salt, comparison fails below
$mypassword = mysql_real_escape_string(DoubleSaltedHash($mypassword,$salt));
if(!$row || $mypassword != $row['password'])
$row = 0;
}
//echo "SDFSD". $row ;exit;
if (!empty($row))
{
$_SESSION['myusername']=$myusername; // Register $myusername; the redirect target is chosen below
if($row['usertype']==1) //normal user
{
$path = "main.php";
}
elseif($row['usertype']==0) //admin
{
$path ="/MYM/admin/admin_main.php";
}
}
header("Location: ".$path);
exit; // header() does not end the script
?>
Last edited by nani_nisha06; 10-17-2012 at 08:34 AM..
You should introduce session variables to hold info on whether the user is an admin or not.
Like this
PHP Code:
//If user is admin
$_SESSION['user_type'] = 'admin';
//For normal users
$_SESSION['user_type'] = 'normal';
So here's how you'd implement it:
PHP Code:
<?php session_start(); ?>
<?php
$host="localhost"; // Host name
$username="naveen"; // Mysql username
$password="1234"; // Mysql password
$db_name="testdata"; // Database name
$tbl_name="test"; // Table name
// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");
// username and password sent from form
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];
// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
function DoubleSaltedHash($pass, $salt) {
return sha1($salt.sha1($salt.sha1($pass)));
}
$path = "wrong.php";
$usercond = true;
preg_match("/^\w{2,10}$/", $myusername,$match);
$row = 0;
if (!empty($match[0]))
{
$sql="SELECT * FROM `".$tbl_name."` WHERE username='$myusername'";
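Setting $_SESSION['user_type'] at login only helps if every admin page checks it; the redirect in the login script decides where the browser goes next, not what it is allowed to open. The following is an added example, not code from the thread or from Redcoder: a small auth_check.php that each page under /MYM/admin/ includes as its first line. It assumes the login script stores $_SESSION['user_type'] as 'admin' or 'normal' (as suggested above) plus $_SESSION['myusername'], and that the login form is at /MYM/login.php, a name the thread does not give.

```php
<?php
// Added example, not code from the thread: auth_check.php, included as the first line of
// every page under /MYM/admin/. Assumes the login script stores $_SESSION['user_type']
// as 'admin' or 'normal' (Redcoder's suggestion) together with $_SESSION['myusername'],
// and that the login form lives at /MYM/login.php (an assumed name, not from the thread).
//
// Usage, at the very top of admin_main.php and every other admin page, before any output:
//     require_once __DIR__ . '/auth_check.php';

// Derive the caller's role from the session only; never from a cookie, hidden field or URL
// parameter, since those are under the client's control.
function current_role() {
    if (empty($_SESSION['myusername']) || empty($_SESSION['user_type'])) {
        return 'anonymous';
    }
    return ($_SESSION['user_type'] === 'admin') ? 'admin' : 'normal'; // strict compare
}

// Send the client elsewhere and stop. The Location header alone is not a control: a client
// that ignores it would still receive the rest of the page, so the exit is what protects it.
function deny($where) {
    header('Location: ' . $where, true, 302);
    exit;
}

// Enforce the required role. Returns only when the caller is allowed through.
function require_role($required) {
    $role = current_role();
    if ($role === 'anonymous') {
        deny('/MYM/login.php');          // not logged in at all
    }
    if ($required === 'admin' && $role !== 'admin') {
        deny('/MYM/main.php');           // a normal user typed the admin URL by hand
    }
}

if (session_status() === PHP_SESSION_NONE) {
    session_start();
}
require_role('admin');
```

Because the role is copied into the session at login, a user whose usertype is changed in the database keeps the old role until they log out; if that matters, have current_role() re-read usertype from the database by $_SESSION['myusername'] on each request instead of trusting the cached value.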
By the way, any comments on the way I am planning to learn?
Well, knowing is not enough, we must apply - Bruce Lee.
Applying your knowledge in a vast array of real-life projects is the best way to learn. It gives you skills like speed and also reinforces what you know making programming in the future for you.