php login script using $_SESSION please help

black-ops · 20 Oct 2008 at 14:23

Ok i have db which has
Users and their admin status.
for instance table:
USER ID USERNAME PASSWORD userStatusID userActive
0 lol lol 1 1

basically 1 = admin for userStatusID userActive = 1 (self explanatory)

anyway im trying to make a page only visible for the user who has a statusID of 1 and other to display an error msg or redirect them to another page for their statusID.

Heres my login code.

Code:

<?php
session_start();

mysql_connect("somethinggoeshere", "somethinggoeshere", "somethinggoeshere") or die(mysql_error());
mysql_select_db("vle") or die(mysql_error());

$userName = $_POST["username"];
$password = $_POST["password"];

if($userName != "" && $password != "")
{
$encryptPassword = md5($password);
$authSql = "SELECT userID,userStatusID FROM users
WHERE userName = '".$userName."'
AND password = '".$encryptPassword."'
AND userActive = 1";

$authResult = mysql_query($authSql)OR die('Couldn\'t Authenticate Visitor:'.mysql_error());
$authRow = mysql_fetch_array($authResult);
$userID= $authRow['userID'];
$userStatus= $authRow['userStatusID'];

if ($userID > 0)//If user with this username and password actually fetched from db
{
$_SESSION['USER_ID'] = $userID;
$_SESSION['USR_LOGIN'] = $userName;
$_SESSION['USR_STATUS'] = $userStatus;
//Redirect user after being login to a page where you want.
header("Location: members.php");
}
else //User have entered either password or username wrong or he is disabled or does not exist.
{
header("Location: login.php?msg=invalid");
}
}
else
{
// The value of user name or password not entered
header ("Location: login.php?msg=missing");
}
?>

Now within the page i wish to restrict anyone under the StatusID of 1 i have put.

Code:

<?php session_start();

if (isset($_SESSION['USR_LOGIN'])== 1)
header('Location:admin.php');

?>

but if i log in as someone with a flag of 2 or 3 it will still locate me to admin.php ive tried else and get php errors stating that there was an unknown else or elseif command.
Im out of ideas, anyone?

Pho · 20 Oct 2008 at 14:51

As far as I'm aware isset() returns 1 if the variable is assigned to regardless of its value.

How about something like:

if (isset($_SESSION['USR_STATUS']) && $_SESSION['USR_STATUS'] == 1)
{
// good
header('Location:admin.php');

}
else
{
// bad
header('Location:user.php');
}

unwashed potato! · 20 Oct 2008 at 14:52

ignore

Dj_Jestar · 20 Oct 2008 at 15:04

isset() returns boolean, not numeric.

tsinc80697 · 20 Oct 2008 at 15:39

isset checks if its set and returns true or false if its set or not.
You want to check that it isset and then check the value of it and redirect accordingly

edited

philjohn · 20 Oct 2008 at 15:45

also you appear to be using register_globals and not escaping any of them going into the SQL statements, please do yourself a favour and read up on basic web app security at the very least.

Dj_Jestar · 20 Oct 2008 at 16:33

tsinc80697 said:
isset checks if its set and returns 0 or 1 if its set or not.
You want to check that it isset and then check the value of it and redirect accordingly

http://uk.php.net/isset

isset() returns a boolean.

black-ops · 20 Oct 2008 at 17:57

philjohn said:
also you appear to be using register_globals and not escaping any of them going into the SQL statements, please do yourself a favour and read up on basic web app security at the very least.

I gathered the security in this was quite low prone to sql injection such im learning sql and php in college and this is 2 days of learning php and sql with little to no knowledge of how some elements work,

i thought i did well for 2 days in