View Full Version : permission to access certain links

02-01-2010, 09:20 AM
in my website i have done a log in page (PHP & SQL) . all users can log in using there email and password
after logging in ,
code is below


$message = "Invalid Email or Password";

$result=mysql_query("SELECT * FROM ".TABLE_USERS." where email='".mysql_real_escape_string

($_POST['email'])."' AND password = '".mysql_real_escape_string($_POST['password'])."' LIMIT 1 ");

$rowsReturnedByMatch = mysql_num_rows($result);
if ($rowsReturnedByMatch != 1)
echo $message;
header('location: after_login.php');

above code is working fine.
in the after_login.php page
there are 3 links to 3 other php pages ...
like this

<a href ="link1.php">link1</a>
<a href ="link2.php">link2</a>
<a href ="link3.php">link3</a>

all users should not have permission to follow all link , suppose user1 can only access link1 , if he clicks link 2 / link 3 ...it will show an alert message "no permission" .
user2 has permission to acces link 2 and link 3 , not link 1 ...if he clicks link 1 , it will show alert message

in database there is a USERS table with fields email , password , link1 , link2 , link3






what i was planning to do is. when user1 clicks the link1 , it should check whether the corresponding value for link1 / link2 / link3 for tat email is set to 1 or not and act accordingly..

hope you understood the fact ??

can anyone suggest a way to implement this... any help will be appreciated ... it will be very helpful to me..
thank you..

02-01-2010, 02:34 PM
You need role-based authorization. I would set permissions for each user and save them in the DB. Most probably in the same table TABLE_USERS.

In the query where you select "*", I would list explicitly the fields I would like to select. Among these fields I would select permissions (depending on the system they could be defined as a bit flag or as separate fields for different roles).

If authentication was successful, I would store an array "user" with all user-relevant data to a session variable. Never store the user password there - once the user is authenticated, the password is not required any more. Still user permissions could be stored here. Also use could store in this array user name, e-mail and some other data you could need at other page and for which you would not like to query the DB each time.

At the next pages I would check if the session variable "user" is set. If it is not, user has not authenticated and can not view this page. If the session variable "user" is set and it is an array, I would check the user permissions (stored in this user array along with some other user-related data). If the user does not have permissions to view this page he is not authorized to view the page. Then I would redirect to the login page and show some error message.

02-02-2010, 07:17 AM
Thanks a lot for your suggestion ... :thumbsup: