1

i have here the code for login and it works fine i also use session here but my problem now is that how can i suppose to make a user access level?.in my login database i have username, password and level, now admin=1 and guest=0. what i want to happen is that when i login as admin it will redirect me to signup.php and if i login as guest it will redirect me to index.php, please help me i'm working this for almost two weeks.. here is my code..

db.php

<?php

session_start();

$DB_host = "localhost";
$DB_user = "root";
$DB_pass = "";
$DB_name = "survey";
$charset = "utf8";


try
{
  $DB_con = new PDO("mysql:host={$DB_host};dbname={$DB_name};charset={$charset}",$DB_user,$DB_pass);
  $DB_con->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
  $DB_con->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
}
  catch(PDOException $e)
{
  echo $e->getMessage();
}

?>

class.user.login.php

<?php

class crud
{
private $db;

function __construct($DB_con)
{
  $this->db = $DB_con;
}

public function login($uname,$upass)
{
try
{
  $stmt = $this->db->prepare("SELECT * FROM users WHERE user_name=:uname AND level=:level LIMIT 1");
  $stmt->execute(array(':uname'=>$uname));
  $userRow=$stmt->fetch(PDO::FETCH_ASSOC);

    if($stmt->rowCount() > 0)
    {
    if(password_verify($upass, $userRow['user_pass']))
    {
      $_SESSION['user_session'] = $userRow['user_id'];
      return true;
    }
    else
    {
      return false;
    }
  }
}
    catch(PDOException $e)
  {
    echo $e->getMessage();
  }
}

public function is_loggedin()
{
if(isset($_SESSION['user_session']))
{
    return true;
  }
}

public function redirect($url)
{
header("Location: $url");
}
?>

****login.php****

<?php
include_once 'dbconfig.php';

    if($crud->is_loggedin()!="")
    {
    $crud->redirect('insert.php');
    }

    if ($_SERVER["REQUEST_METHOD"] == "POST")
    {
    $uname = $_POST['user'];
    $upass = $_POST['pass'];

    if($crud->login($uname,$upass))
    {
    $crud->redirect('index.php');
    }
    else
    {
    echo "<script type='text/javascript'>alert('Invalid Username or Password');</script>";
    }   
}
?>

home.php

<?php
include_once 'dbconfig.php';

    if(!$crud->is_loggedin())
    {
    $crud->redirect('home.php');
    }
    $ID = $_SESSION['user_session'];
    $stmt = $DB_con->prepare("SELECT * FROM survey_section WHERE ID=:ID");
    $stmt->execute(array(":ID"=>$ID));
    $userRow=$stmt->fetch(PDO::FETCH_ASSOC);
?>
Trojan
  • 91
  • 2
  • 12

1 Answers1

0

The term you're looking for is ACL (Access Control List)

This should help you gain an understanding :-)

For your current implementation, there is no checking what level the logged in user is, you only seem to $crud->redirect('index.php'); if the login is successful.

But before we get to that section; you're trying to bind :level yet not specifying it or implementing it anywhere...

In your login() method you have:

$stmt = $this->db->prepare("SELECT * FROM users WHERE user_name=:uname AND level=:level LIMIT 1");
$stmt->execute(array(':uname'=>$uname));

That is going to fail as you haven't specified what :level is, hence you'll be thrown an invalid parameter count error -> meaning this function will always return false.

You need to modify that query (either removing AND level = :level or specifying what :level is in your execute().)

From there, you'll need to modify your functions appropriately - in this case, setting level into a session variable would be more fitting:

//.....code above...
if(password_verify($upass, $userRow['user_pass']))
{
  $_SESSION['user_session'] = $userRow['user_id'];
  $_SESSION['user_level'] = $userRow['level'];
  return true;
}
//.....cove below...

Now; from within your login.php, you can redirect accordingly:

if($crud->login($uname,$upass))
{
    switch($_SESSION['user_level']) {
        case "0": // regular user
        $crud->redirect('index.php');
        break;
        case "1": // admin
        $crud->redirect('signup.php');
        break;
    }
}
Community
  • 1
  • 1
Darren
  • 13,050
  • 4
  • 41
  • 79