php login script using $_SESSION please help

Associate
Joined
4 Mar 2007
Posts
315
Location
United Kingdom
Ok i have db which has
Users and their admin status.
for instance table:
USER ID USERNAME PASSWORD userStatusID userActive
0 lol lol 1 1

basically 1 = admin for userStatusID userActive = 1 (self explanatory)

anyway im trying to make a page only visible for the user who has a statusID of 1 and other to display an error msg or redirect them to another page for their statusID.

Heres my login code.


Code:
<?php
session_start();

mysql_connect("somethinggoeshere", "somethinggoeshere", "somethinggoeshere") or die(mysql_error());
mysql_select_db("vle") or die(mysql_error());

$userName = $_POST["username"];
$password = $_POST["password"];

if($userName != "" && $password != "")
{
$encryptPassword = md5($password);
$authSql = "SELECT userID,userStatusID FROM users
WHERE userName = '".$userName."'
AND password = '".$encryptPassword."'
AND userActive = 1";

$authResult = mysql_query($authSql)OR die('Couldn\'t Authenticate Visitor:'.mysql_error());
$authRow = mysql_fetch_array($authResult);
$userID= $authRow['userID'];
$userStatus= $authRow['userStatusID'];

if ($userID > 0)//If user with this username and password actually fetched from db
{
$_SESSION['USER_ID'] = $userID;
$_SESSION['USR_LOGIN'] = $userName;
$_SESSION['USR_STATUS'] = $userStatus;
//Redirect user after being login to a page where you want.
header("Location: members.php");
}
else //User have entered either password or username wrong or he is disabled or does not exist.
{
header("Location: login.php?msg=invalid");
}
}
else
{
// The value of user name or password not entered
header ("Location: login.php?msg=missing");
}
?>

Now within the page i wish to restrict anyone under the StatusID of 1 i have put.

Code:
<?php session_start();

if (isset($_SESSION['USR_LOGIN'])== 1)
header('Location:admin.php');

?>

but if i log in as someone with a flag of 2 or 3 it will still locate me to admin.php ive tried else and get php errors stating that there was an unknown else or elseif command.
Im out of ideas, anyone?
 
As far as I'm aware isset() returns 1 if the variable is assigned to regardless of its value.

How about something like:

if (isset($_SESSION['USR_STATUS']) && $_SESSION['USR_STATUS'] == 1)
{
// good
header('Location:admin.php');

}
else
{
// bad
header('Location:user.php');
}
 
Last edited:
isset checks if its set and returns true or false if its set or not.
You want to check that it isset and then check the value of it and redirect accordingly :)

edited :)
 
Last edited:
also you appear to be using register_globals and not escaping any of them going into the SQL statements, please do yourself a favour and read up on basic web app security at the very least.
 
also you appear to be using register_globals and not escaping any of them going into the SQL statements, please do yourself a favour and read up on basic web app security at the very least.

I gathered the security in this was quite low prone to sql injection such im learning sql and php in college and this is 2 days of learning php and sql with little to no knowledge of how some elements work, :P i thought i did well for 2 days in :P
 
Back
Top Bottom