0

I have a user login system for a website set up with PHP and MySQL. My question was whether or not I could modify what I have now, to create a "permissions" system. In other words, only display certain controls for users and different ones for administrators. In my mysql table I have columns 'id', 'username', 'password', and an ENUM 'permissions' with 'a','b'. 'a' is default (not admin). Below I will show you what I have tried.

This file is "checklogin.php" (for the sake of saving space I will not add all of the code)

//First I include variables to connect to the database & connect
//Then I define username and password as $_POST from a form on an earlier page
$user=a;
$admin=b;
$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword' and permissions='$user'";
$sqladmin="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword' and permissions='$admin'";
$result=mysql_query($sql);
$resultadmin=mysql_query($sqladmin);

$count=mysql_num_rows($result);
$countadmin=mysql_num_rows($resultadmin);

// If result matched $myusername and $mypassword, table row must be 1 row
if($count==1){
 // Register $myusername, $mypassword and redirect to file "login_success.php"
 session_register("myusername");
 session_register("mypassword"); 
 session_register("user"); 
 header("location:login_success.php");
}
else {
  if($countadmin==1){
   session_register("myusername");
   session_register("mypassword"); 
   session_register("admin"); 
   header("location:login_success.php");
  }
  else {
    if($count==0) {
      if($countadmin==0) {
       echo "Wrong Username or Password";
      }
    }
  }
}

So in this file I am checking how many rows of the table match the user input and whether or not it is admin, and if there is one, then I register a session with username, password, and permissions.

Next, I have the file "login_success.php"

<?php
session_start();
if(!session_is_registered(myusername)){
 header("location:main_login.php");
}
else {
}
?>
<html>
<body>
Login Successful

<?php
if(session_is_registered(admin)){
echo "Welcome Admin!";
}
else {
echo "Not admin...";
}
?>

The code above simply checks if the session is registered and if not, sends you back to the login form. Below that is a section of code that checks if the user is an admin. The login part of this works; I just can't work out the permissions.

So finally, I guess my question is why does this not work? It seems logically correct. Sorry for the lengthy post. Thanks for any help.

0

3 Answers

2

First of all, you are using the deprecated session_register and session_is_registered. The PHP manual recommends using $_SESSION. session_is_registered expects a string, but you don't pass a string - it should be something like session_is_registered("admin"), not session_is_registered(admin)

Also, I think you can improve the whole routine:

  1. Read from the database: SELECT * FROM $tbl_name WHERE username='$myusername' (assuming $myusername is properly escaped);
  2. If the record doesn't exist, then the username is invalid
  3. Check if the password (or hashsum, which is much better from a security point of view) matches the stored value. If not, you may want to increment the "failed_login_attempts" field
  4. Then check permissions. I guess a customer may have more than 1 role.

4 Comments

Right, quotes are missing in many places... it's very bad coding style, and shame on PHP for allowing it syntactically
Yeah this is kind of scratch code right now... When I do session_is_registered(admin) with no quotes isn't it checking against the previously declared $admin? I believe I am able to check permissions, but how can I store that permissions info across multiple pages? registering the session? Thanks!
@Denim Vallorosi: Usually you register a session, and store some information about the user there so you don't have to query the db every time. I prefer to define a class that has fields for basic user data which is needed on almost every page (like username, maybe email, avatar, roles, etc.) and store an instance of this class in the session. Many other people use an array instead of a class.
@a1ex07 Yes, I see about registering sessions. For some reason I am having trouble taking the information in another column and registering that. Is my logic incorrect? What I am trying to do is to read username and password, and if they match, to register the session. Then I am just having trouble checking another field in the table.
2

First, you are lazy with quotation marks, for example in the following lines:

$user=a;
$admin=b;
if(!session_is_registered(myusername)){

But I don't know if that's the issue.

Second, you need to call session_start() before using a session.

Why don't you just do the following query?

SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'

Then you could read the returned permission instead of having to fiddle with your complicated dual query setup. Of course, you would have to make sure there are no duplicate usernames, but that's always the case.

4 Comments

I suppose I could do it that way, but that would not be the issue either. I think my problem lies within registering the session. Is there a way to register the permission so that I could read it in another page? Thanks for the response
Yes, you forgot to use session_start(). I haven't noticed this earlier. Also, as a1ex07 said, you should use the $_SESSION array instead of session_register()
I used session_start(), I just did not show it in the code. Sorry. But I think I am missing this: how could the permission be read? Thanks again!
According to the code you posted, you are using session_start() in login_success.php before reading session variables, but you don't use it in checklogin.php before writing them.
1

I would suggest the logic as follows: if a user has "a" in one of his columns, then you treat him differently. That means that still only one row is coming up for every user. Only one session. Same data structure. Same session. But based on the value of, say, the column "permissions", you open more "doors" for him in your application. All you're gonna have to do is check if the "permission" of his session is set to "a" or whatever identifies him as admin.

Hope this helps. maxim

5 Comments

Thanks for the input. I'm a little confused as to what you mean by treat him differently. If I query SELECT * FROM $tbl WHERE username='$username' and password='$mypassword' and permissions='a' then if the permissions='b' then he will not show up
Every user has to have only one record (row) in your table. So you do SELECT * FROM $tbl WHERE username='$username' and password='$mypassword' and this record comes out. You authenticated him. Next you see what value is in the column permissions, and based on that you do your "if" statements to give him administrative privileges.
Thank you this helps a little. Could I use mysql_fetch_field to read the value in the column?
Not necessarily, you're anyway catching the whole row with the SELECT * FROM.. so you gonna get the permission's field and value in the array. From there you structure your page based on what permission is assigned to the logged user. It's really more about the site's architecture, not much of a technical problem..
I will accept this answer because it gives a better overview of the logic of this.
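
The routine the answers above describe (one lookup by username, password check against a stored hash, then the permissions value kept in $_SESSION and read on later pages), as an added example that is not code from any poster on this page. It uses PDO instead of the removed mysql_* functions; the table name members, the sample users and the in-memory SQLite database standing in for MySQL are assumptions made so the script runs on its own.

```php
<?php
// Added example: SQLite in memory stands in for the MySQL table so this runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE members (
    id INTEGER PRIMARY KEY,
    username TEXT UNIQUE NOT NULL,
    password TEXT NOT NULL,
    permissions TEXT NOT NULL DEFAULT 'a' CHECK (permissions IN ('a','b')))");

// Constructed sample rows; passwords are stored as hashes, never as plain text.
$ins = $db->prepare('INSERT INTO members (username, password, permissions) VALUES (?, ?, ?)');
$ins->execute(['alice', password_hash('alice-pass', PASSWORD_DEFAULT), 'a']);
$ins->execute(['root',  password_hash('root-pass',  PASSWORD_DEFAULT), 'b']);

/** Returns the user's row (without the hash) on success, or null on any failure. */
function authenticate(PDO $db, string $username, string $password): ?array
{
    // Steps 1-2: a single lookup by username with a bound parameter, no string interpolation.
    $stmt = $db->prepare('SELECT id, username, password, permissions FROM members WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Step 3: compare the submitted password against the stored hash.
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;   // same result for an unknown user and a wrong password
    }
    unset($row['password']);
    return $row;
}

/** The checklogin.php part: write the permission into the session. */
function login(PDO $db, string $username, string $password): bool
{
    $user = authenticate($db, $username, $password);
    if ($user === null) { return false; }
    session_regenerate_id(true);   // fresh session id once the user is authenticated
    $_SESSION['username'] = $user['username'];
    $_SESSION['permissions'] = $user['permissions'];
    return true;
}

/** Any later page: step 4, read the permission back from the session. */
function is_admin(): bool
{
    return ($_SESSION['permissions'] ?? '') === 'b';   // 'b' is the admin value in the question
}

session_start();   // required in every script that reads or writes $_SESSION
echo login($db, 'root', 'root-pass') && is_admin() ? "Welcome Admin!\n" : "Not admin...\n";
```

Hiding controls with is_admin() only changes what is displayed; every script that performs an admin action needs the same check on the server side.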
