
I have been trying to make a page protection for the Administrator page, and I cannot get it to work. I am sure this would not have been a problem if I were not new to PHP coding, hehe.

So what I am trying to do is this: when a normal user with the type '0' tries to access the administrator page, index_admin.php, the user gets redirected to the normal user page, index.php. And if the user has the type '1', then the user/admin stays on the page.

So here is the code I have been trying to get working. (This file is required in index_admin.php and is called index_admin_check.php):

<?php
  session_start();
?>

<?php
    $vert = "localhost";
    $brukarnamn = "root";
    $passord = "";
    $db_namn = "nettsidebunad";
    $tbl_namn = "kunde_register";

    // Connecting to the MySQL database.
    mysql_connect("$vert", "$brukarnamn", "$passord") or die ("Kan dessverre ikkje koble til databasen.");
    mysql_select_db("$db_namn") or die ("Kan ikkje finna den ynkjande databasen.");
?>

<?php
    // *** Page protection *** \\

    // Admin check. If `type` = 1, let the user (admin) stay on the site. If `type` = 0 kick the user (normal) off the site.
    $sql = "SELECT `type` FROM $tbl_namn";
    $res = mysql_query($sql);
    $tell = mysql_num_rows($res);

    if ($tell == 0) {
        header ("location: index.php");
        exit();
    }
?>

Some of this text is in Norwegian.

$vert = $host (in english)

$brukarnamn = $username (in english)

$passord = $password (in english)

$db_namn = $db_name (in english)

$tbl_namn = $tbl_name (in english)

ravo10

3 Answers

$sql = "SELECT `type` FROM $tbl_namn";

This SQL query will return a row for every user in your database. With your method of simply checking whether the query returned a result or not, you need to select just the row for the current user, and then only if the user has type=1.

You need to make sure that:

  • The user has previously logged into the system using a username and password or some such
  • You have saved their details to the session.

If your user table has an ID column, and you saved the ID of the logged in user to the session as 'userid', you might use the query:

$sql = "SELECT `type` FROM $tbl_namn WHERE id = {$_SESSION['userid']} AND type = 1";

But of course that would be moot, because you would just have saved the user's type in the session when you first logged them in, wouldn't you?

Gareth Cornish
  • Hmm... Trying to get it to work. But the code that I am using (a new one from below that is changed a bit) does not seem to work. Thank you for your help :) – ravo10 Feb 01 '13 at 20:58

Well, from what I can see, you don't actually check for the user. I will make some remarks on your code to make the situation clear:

    $sql = "SELECT `type` FROM $tbl_namn";   // Returns all values of column "type" from the table - instead you should search for a specific user
    $res = mysql_query($sql);
    $tell = mysql_num_rows($res);   // Counts the returned rows

So instead of finding out the user type, you get the count of registered users. What you should do is search for the user name and get the user type for that name. So let's think of this table concept: ID | name | type |
Now we can start our user check. We will ask MySQL for the type of the user "admin".

    $name = $_POST["username"];   // username submitted in the POST HTML form
    $name = mysql_real_escape_string($name);  // Escape dangerous characters in the name. This is important to avoid your database being hacked
    $data = mysql_query("SELECT type FROM $tbl_namn WHERE name='$name'") or die(mysql_error());  // On failure, you will see if there is some error
    $data = mysql_fetch_assoc($data);  // Get the actual data as an associative array, so $data["type"] is available
    if ($data["type"] == 0) {
        header("HTTP/1.1 403 Forbidden");
        header("Location: forbidden.html");  // send the user to a page telling him he is not allowed to enter. You can also use include here.
        exit;
    }
  • Hmm... I have tried using this code in index_admin_check.php and replacing the code, with some changes of course, to use it to log into the user and admin page, but it does not seem to work for me :S Maybe I am doing something wrong? I am not sure.. Well, thank you for your help :) – ravo10 Feb 03 '13 at 17:59
  • You must keep in mind that this is just example code. Some parts must be replaced with working context. $_POST["username"] must really be sent by the user, meaning you must submit a form with this field. Also, the 'name' column must exist in your table, because this field is the criterion for the user search. Let me know if some edits of my post would make it clearer for you. – Tomáš Zato - Reinstate Monica Feb 03 '13 at 18:37
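Putting the first two answers together, as an added example that is not code from any of the posters: the role is read from the user's own database row once, at login, with a prepared statement, stored in the session, and index_admin_check.php then tests only the session. It assumes PHP 5.5 or later (password_verify) and that kunde_register has columns id, name and passord_hash (a password_hash() value) next to the `type` column the question shows; those three column names are assumptions.

```php
<?php
// auth.php (added example): include it from login.php and from index_admin.php.
// Assumes PHP >= 5.5 and a table kunde_register(id, name, passord_hash, type);
// id, name and passord_hash are assumed column names, only `type` is on the page.
session_start();

function db() {
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO('mysql:host=localhost;dbname=nettsidebunad;charset=utf8', 'root', '',
            array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION));
    }
    return $pdo;
}

// Look up exactly one user by name with a bound parameter; return the row or null.
function authenticate($name, $password) {
    $stmt = db()->prepare('SELECT id, type, passord_hash FROM kunde_register WHERE name = ? LIMIT 1');
    $stmt->execute(array($name));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['passord_hash'])) {
        return null;
    }
    return $row;
}

// Called from login.php after the form is posted. The role comes from the
// database row, never from a form field, and is written to the session once.
function login($name, $password) {
    $user = authenticate($name, $password);
    if ($user === null) {
        return false;
    }
    session_regenerate_id(true);                 // fresh session id after the privilege change
    $_SESSION['userid'] = (int) $user['id'];
    $_SESSION['type']   = (int) $user['type'];   // 1 = admin, 0 = normal user
    return true;
}

// Called at the top of index_admin.php: only a logged-in user with type 1 may stay.
function require_admin() {
    if (!isset($_SESSION['userid']) || (int) $_SESSION['type'] !== 1) {
        header('Location: index.php');
        exit;
    }
}
```

In login.php, call `login($_POST['username'], $_POST['password'])` and redirect on true; in index_admin.php, `require 'auth.php'; require_admin();` replaces the per-page query entirely.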

Put this in the login page:

<?php session_start();
if ($_POST['type'] == "1") {
    $_SESSION['admin'] = "yes";
    header('Location: http://example.com/admin.php/');
    exit;
} else {
    $_SESSION['admin'] = "no";
    header('Location: http://example.com/user.php/');
    exit;
}
//modify as needed
?>

and this one into admin.php (the filename can be anything, but the extension needs to be .php):

<?php session_start();
if (!isset($_SESSION['admin']) || $_SESSION['admin'] == "no") {
    header('Location: http://example.com/user.php/');
    exit;
}
//modify as needed
?>

and remember to put this at the very beginning of the file, otherwise sessions won't work.

Bowdzone
Deimantas