Restrict access to pages


trufla (Programmer) Aug 9, 2004
In a nutshell what I am trying to do is protect certain pages of a site. The way I attempted to do this was by way of this include file accesscontrol.php. Any page I wish to protect, I would simply add <?php include 'accesscontrol.php'; ?>

The problem is that a session is not being created because of an undefined index (error I keep getting).

I wanted the code to create session variables based on email_ID and pwd_ID and Usergroup. (Usergroup is a value predetermined in the database, set to either visitor or admin.)

How can I pull Usergroup up when the user logs in to add it to the session ID?

accesscontrol.php below.
Code:

<?php // accesscontrol.php
include_once 'common.php';
include_once 'db.php';

session_start();
// At this point, the user's login details should be available whether they were just submitted from a login form
// (in the $_POST array) or stored in the user's session (in the $_SESSION array).
// The script pulls the login credentials out of either the $_POST or the $_SESSION array:

$uid = isset($_POST['email_ID']) ? $_POST['email_ID'] : $_SESSION['email_ID'];
$pwd = isset($_POST['pwd_ID']) ? $_POST['pwd_ID'] : $_SESSION['pwd_ID'];
$ugroup = isset($_POST['Usergroup']) ? $_POST['Usergroup'] : $_SESSION['Usergroup'];

if(!isset($uid)) {
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Please Log In for Access </title>
<meta http-equiv="Content-Type"
content="text/html; charset=iso-8859-1" />
</head>
<body>
<h1> Login Required </h1>
<p>You must log in to access this area of the site. If you are
not a registered user, <a href="signup.php">click here</a>
to sign up for instant access!</p>
<!-- PHP_SELF is escaped so that a crafted URL cannot inject markup into the form action -->
<p><form action="<?php echo htmlspecialchars($_SERVER['PHP_SELF']); ?>" method="post" name="log_frm" id="log_frm">
User ID: <input name="email_ID" type="text" id="email_ID" size="8" />
Password: <input name="pwd_ID" type="password" id="pwd_ID" size="8" />
<input type="submit" value="Log in" />
</form></p>
</body>
</html>
<?php
exit;
}
$_SESSION['email_ID'] = $uid;
$_SESSION['pwd_ID'] = $pwd;
$_SESSION['Usergroup'] = $ugroup;

dbConnect("db");
// Escape the user-supplied values before placing them in the query (needs the connection opened above)
$uid_sql = mysql_real_escape_string($uid);
$pwd_sql = mysql_real_escape_string($pwd);
$sql = "SELECT * FROM users WHERE
Email = '$uid_sql' AND Password = PASSWORD('$pwd_sql')";
$result = mysql_query($sql);
if (!$result) {
error('A database error occurred while checking your '.
'login details.\\nIf this error persists, please '.
'contact blah@blah.com.');
}

if (mysql_num_rows($result) == 0) {
unset($_SESSION['email_ID']);
unset($_SESSION['pwd_ID']);

?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title> Access Denied </title>
<meta http-equiv="Content-Type"
content="text/html; charset=iso-8859-1" />
</head>
<body>
<h1> Access Denied </h1>
<p>You do not have permission to access these pages.<br />
Click <a href="self_service.php">here</a> to return to<br />
the self service point.</p>
</body>
</html>
<?php
exit;
}

$username = mysql_result($result,0,'Firstname');
?>
I keep getting these errors:

Notice: Undefined index: email_ID in c:\easyphp1-7\ on line 10

Notice: Undefined index: pwd_ID in c:\easyphp1-7\ on line 11

Notice: Undefined index: Usergroup in c:\easyphp1-7\ on line 12
 
Your script is assuming that the values it's looking for must be in either $_POST or $_SESSION. This is not a valid assumption -- suppose that your user is going to a protected page and must login for the first time -- the values will be in neither place.

It seems to me that your program logic should be:
Look in $_POST
If not in $_POST, look in $_SESSION
If not in $_SESSION, get values from the user.


Want the best answers? Ask the best questions!

TANSTAAFL!!
 
"It seems to me that your program logic should be:
Look in $_POST
If not in $_POST, look in $_SESSION
If not in $_SESSION, get values from the user."

are you referring to this:

"$uid = isset($_POST['email_ID']) ? $_POST['email_ID'] : $_SESSION['email_ID'];
$pwd = isset($_POST['pwd_ID']) ? $_POST['pwd_ID'] : $_SESSION['pwd_ID'];
$ugroup = isset($_POST['Usergroup']) ? $_POST['Usergroup'] : $_SESSION['Usergroup']; "

I thought that was what I had done. Obviously not... How would I do this?

 
I am referring to this.

Your logic is:
Code:
if (isset ($_POST['email_ID']))
{
   $uid = $_POST['email_ID'];
else
{
   $uid = $_SESSION['email_ID'];
}

What you need is:
Code:
if (isset ($_POST['email_ID']))
{
   $uid = $_POST['email_ID'];
else
{
   if (isset ($_SESSION['email_ID']))
   {
      $uid = $_SESSION['email_ID'];
   }
   else
   {
      $uid = <some default value>;
   }
}

A PHP script runs from beginning to end, producing output. By the time the browser renders the HTML output to something a user can manipulate, the script has already stopped running.

So on your first run with a user logging in, neither $_POST nor $_SESSION will have the value your code is looking for. That's what that error is telling you -- the information cannot be found in the array.


Want the best answers? Ask the best questions!

TANSTAAFL!!
 
sleipnir214 I am a noob!

I am using the ternary operator? Have you just coded

"$uid = isset($_POST['email_ID']) ? $_POST['email_ID'] : $_SESSION['email_ID'];

by doing this:

if (isset ($_POST['email_ID']))
{
$uid = $_POST['email_ID'];
else
{
$uid = $_SESSION['email_ID'];
}


sorry, at this point I don't know what you are referring to.

if (isset ($_POST['email_ID']))
{
$uid = $_POST['email_ID'];
else
{
if (isset ($_SESSION['email_ID']))
{
$uid = $_SESSION['email_ID'];
}
else
{
$uid = <some default value>;
}
}

What is some default value?

Help the noob!
 
The ternary operator:

$uid = isset($_POST['email_ID']) ? $_POST['email_ID'] : $_SESSION['email_ID'];

Is functionally equivalent to and less readable than:

if (isset ($_POST['email_ID']))
{
$uid = $_POST['email_ID'];
}
else
{
$uid = $_SESSION['email_ID'];
}

I am pointing out the logical error of your code -- that it assumes a value will be somewhere, namely in $_SESSION, without checking first. The first time the script is run, there will be no values in $_SESSION.

And some default value is just that -- a default value the variable will take on when the element 'email_ID' can be found in neither $_POST nor $_SESSION.

The code I posted was to illustrate a point, not to be run. It has syntax errors, the most noticeable of which is a missing close brace in one place.


Want the best answers? Ask the best questions!

TANSTAAFL!!
 
So the code is saying

//if a value is entered into textfield 'email_ID', then $uid will hold that value, else get the value from $_SESSION['email_ID'] that was specified earlier in the session ID or use a default value already accounted for ?

if (isset ($_POST['email_ID']))
{
$uid = $_POST['email_ID'];
else
{
if (isset ($_SESSION['email_ID']))
{
$uid = $_SESSION['email_ID'];
}
else
{
$uid = <some default value>;
}
}
 
Maybe.

More specifically:

1. If $_POST['email_ID'] exists, then set $uid to that value and go to END. Otherwise go to step 2.

2. If $_SESSION['email_ID'] exists, set $uid to that value and go to END. Otherwise go to step 3.

3. Set $uid to some default value.

END


The default value which you place in $uid can be anything. It could be nothing. You may not elect to set $uid to any value at all if both $_POST['email_ID'] or $_SESSION['email_ID'] exist.

But, if you want to make the errors you originally reported go away, your code must check that $_SESSION['email_ID'] exists before it attempts to use it. This is for two reasons:
- it's good general programming practice, and
- the first time your script is run, $_SESSION['email_ID'] will not exist


Also, the structure of your code is not the best for a web application. I see the code to set values in $_SESSION appearing after your script outputs the form. The problem is that a web application does not, as a desktop application does, wait for the user to fill out the form then continue running. A web application runs, producing output. By the time the browser has rendered the output and the user has manipulated that output, the script which produced the page has already stopped running. When the form is submitted, a script must then process the data from the form. This will be in another script or in another run of the same script.

Typically, the structure of such a script will be (in PHP-looking pseudocode):

Code:
if (!isset ($_SESSION['expected_element']))
{
//session login value not found
display_login_page();
}
else
{
if ($_SESSION['expected_element'] != 'expected_value')
{
//session login value found, but the user is apparently not already logged in
if (isset ($_POST['expected_field']))
{
//the script is being run after the user has filled in a form
$good_login = check_login_credentials();
if ($good_login)
{
//the user's login credentials checked out
$_SESSION['expected_element'] = 'expected_value';
}
else
{
//the user's login credentials did not check out
display_login_page_with_errors();
}
}
else
{
//the script is not being run after the user has filled in a form
display_login_page();
}
}
else
{
//everything checks out
perform_script_main_functionality();
}
}



Want the best answers? Ask the best questions!

TANSTAAFL!!
 
Now I AM confused.

Are you saying that I need another function of some sort in the same script?

What is to stop that from knackering up? I mean if the script is run before the user inputs their details, How can I specify a default value?

I do not think I want it to be a default value, it needs to come from the user surely.
 
sleipnir214 (Programmer) Aug 18, 2004
"Your script is assuming that the values its looking for must be in either $_POST or $_SESSION. This is not a valid assumption -- suppose that your user is going to a protected page and must login for the first time -- the values will be in neither place.

It seems to me that your program logic should be:
Look in $_POST
If not in $_POST, look in $_SESSION
If not in $_SESSION, get values from the user."

I thought the first '$_POST' variable was getting the values from the user and the $_SESSION from the session variables.

$uid = isset($_POST['uid']) ? $_POST['uid'] : $_SESSION['uid'];
$pwd = isset($_POST['pwd']) ? $_POST['pwd'] : $_SESSION['pwd'];

So that is why the sessions are not being created?
The values have not been pulled from the user?
 
Please don't bump your threads.


Think about what is going on the first time your security code runs during a browser session.

None of $_POST['email_ID'], $_POST['pwd_ID'], and $_POST['Usergroup'] will exist because no form with those fields has been submitted to the script.

But also none of $_SESSION['email_ID'], $_SESSION['pwd_ID'], and $_SESSION['Usergroup'] will exist because no code to set those elements will have yet been run. They don't get set until later in your code.

Your code checks using isset() for the presence of values in $_POST before using them. It assumes that $_SESSION['email_ID'], $_SESSION['pwd_ID'], and $_SESSION['Usergroup'] must exist if $_POST['email_ID'], $_POST['pwd_ID'], and $_POST['Usergroup'], respectively, don't exist. It just uses them.

And this is a false assumption. The first time within a browser session that this code is run, neither $_POST nor $_SESSION will have the values you're looking for. Your code then references an array element that does not exist, and generates the notices you've seen.



Want the best answers? Ask the best questions!

TANSTAAFL!!
 
So I guess what I am asking is, how would you code:

"Look in $_POST
If not in $_POST, look in $_SESSION
If not in $_SESSION, get values from the user."

I understand what you are saying now, but I do not know how to approach coding it.
 
look in the manual under array_key_exists. Your logic would be something like
Code:
if (array_key_exists("pwd_ID",$_POST))
 echo "got it";
else
 echo "not there yet !";
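As an added example (not trufla's script or sleipnir214's pseudocode, and not code from the thread), here is an accesscontrol.php laid out the way sleipnir214's outline describes: the session is checked first, a submitted form is processed only when the session does not yet hold a login, and the protected page continues only after both checks pass. It tests for each array key before reading it (isset here, in the spirit of the array_key_exists suggestion above), pulls Usergroup from the database row at login as trufla asked, and swaps the thread's mysql_* query and PASSWORD() for PDO prepared statements and password_verify(). The users table columns (Email, PasswordHash, Usergroup, Firstname), the DSN and credentials, and the $REQUIRED_GROUP convention are assumptions.

```php
<?php // accesscontrol.php, added example: include it at the top of any page to protect
session_start();
// A page that is admin-only sets $REQUIRED_GROUP = 'admin' before the include (assumed convention);
// otherwise any logged-in user (Usergroup 'visitor' or 'admin') may view it.
if (!isset($REQUIRED_GROUP)) { $REQUIRED_GROUP = 'visitor'; }

function display_login_page($error = '') {
    // PHP_SELF and the error text are escaped so nothing from the request is echoed as raw markup
    $self = htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8');
    echo '<h1>Login Required</h1>';
    if ($error !== '') { echo '<p>' . htmlspecialchars($error, ENT_QUOTES, 'UTF-8') . '</p>'; }
    echo '<form action="' . $self . '" method="post">'
       . 'User ID: <input name="email_ID" type="text" /> '
       . 'Password: <input name="pwd_ID" type="password" /> '
       . '<input type="submit" value="Log in" /></form>';
    exit;   // the script stops here; the browser submits the form in a separate request
}

// Step 1: does this browser session already carry a successful login?
if (!isset($_SESSION['logged_in']) || $_SESSION['logged_in'] !== true) {
    // Step 2: not yet. Was the login form submitted in this request?
    if (!isset($_POST['email_ID'], $_POST['pwd_ID'])) {
        display_login_page();   // Step 3: nothing to check, ask the user (first visit)
    }
    // Look the user up by email only; the password is checked against the stored hash in PHP.
    // Assumed schema: users(Email, PasswordHash, Usergroup, Firstname); DSN and credentials are placeholders.
    $db = new PDO('mysql:host=localhost;dbname=db;charset=utf8mb4', 'dbuser', 'dbpass');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $stmt = $db->prepare('SELECT PasswordHash, Usergroup, Firstname FROM users WHERE Email = ?');
    $stmt->execute(array($_POST['email_ID']));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($_POST['pwd_ID'], $row['PasswordHash'])) {
        display_login_page('Login failed.');   // one message for both cases: do not reveal which part was wrong
    }
    // Credentials checked out. Keep only what later pages need; the password itself is never stored.
    session_regenerate_id(true);                 // fresh session id after login
    $_SESSION['logged_in'] = true;
    $_SESSION['email_ID']  = $_POST['email_ID'];
    $_SESSION['Usergroup'] = $row['Usergroup'];  // Usergroup comes from the database row, not from the form
    $_SESSION['Firstname'] = $row['Firstname'];
}

// Everything checks out for a logged-in user; now enforce the group the including page asked for.
if ($REQUIRED_GROUP === 'admin' && $_SESSION['Usergroup'] !== 'admin') {
    header('HTTP/1.1 403 Forbidden');
    echo '<h1>Access Denied</h1><p>You do not have permission to access these pages.</p>';
    exit;
}
$username = $_SESSION['Firstname'];   // left for the including page, as the original script did
```

A protected admin page would start with `<?php $REQUIRED_GROUP = 'admin'; include 'accesscontrol.php'; ?>`; a visitor page just includes the file.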
 