
Storing Session Variables retrieved from MySQL Database??

Status
Not open for further replies.

Tasuki (MIS), Jul 26, 2002
I've been searching through the threads to retrieve and store a session variable that is obtained from a MySQL database after authentication. So along with name and password as session variables, I also want to add another session variable, namely security... which gives the user's access level.

The site will check the name, pass, and then security to see if they have access to admin features or not, and dynamically change the menu according to that session variable.

Yes, I'm still new to this. Any help is appreciated.

Thanks,

-T
 
Oops, nevermind. I just figured it out. The safer way is to query again with the session variables passed from Authentication and retrieve their userSecurity level, and then play around with it from there....

Please disregard this message.

-T
 
Type this in your login page: (login.php)

<?php
// First we start the session and output buffering
session_start();
ob_start();

// Ask the browser for HTTP Basic credentials if none were sent
if (!isset($_SERVER['PHP_AUTH_USER'])) {
    header('WWW-Authenticate: Basic realm="Only authorized access"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Authorization Required.'; // If the user clicks cancel button
    exit;
}

// connection to the database
$link = mysql_connect("localhost", "root", "root") or die("cant connect");

mysql_select_db("db", $link) or die("cant find the database");

$result = mysql_query("SELECT * FROM users", $link);

// Walk the user table until the supplied name and the md5 of the password both match
$ok = false;
$user = '';
while (($row = mysql_fetch_array($result)) && !$ok) {
    if (($_SERVER['PHP_AUTH_USER'] == $row['user']) && (md5($_SERVER['PHP_AUTH_PW']) == $row['password'])) {
        $ok = true;
        $user = $_SERVER['PHP_AUTH_USER'];
    }
}

// Stop here if no row matched; otherwise an unknown user would still get a session
if (!$ok) {
    header('WWW-Authenticate: Basic realm="Only authorized access"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Authorization Required.';
    exit;
}

// Now we see if user has admin features (escape the name before putting it in SQL)
$safe_user = mysql_real_escape_string($user, $link);
$result = mysql_query("SELECT * FROM users WHERE user='$safe_user'", $link) or die("cant find the user");
$row = mysql_fetch_array($result);
$feature = $row['feature'];

// And we put these variables on the session
$_SESSION['user'] = $user;
$_SESSION['feature'] = $feature;

?>

/* Note this code uses a database called "db" which contains three tables: user, password and feature (password is encrypted using the md5 algorithm) */



Now all your pages (must be *.php) must begin with this:

<?php

session_start();

// Refuse the page when the login script did not put a user in the session
if (!isset($_SESSION['user'])) {
    header('WWW-Authenticate: Basic realm="Only authorized access"');
    header('HTTP/1.0 401 Unauthorized');
    echo 'Authorization Required.';
    exit;
}
$user = $_SESSION['user'];

$link = mysql_connect("localhost", "root", "root") or die("cant connect");
mysql_select_db("db", $link) or die("cant find database");
// Re-read the feature from the database on every page, escaping the name first
$safe_user = mysql_real_escape_string($user, $link);
$result = mysql_query("SELECT feature FROM users WHERE user='$safe_user'", $link);
$row = mysql_fetch_array($result);

if (!$row || $row[0] != "admin") { // this is not necessary if this page is for all users
    echo "This is only for admin features";
    exit;
}

?>


Hope this helps,
Daniel
 
dmengual:
I think it's easier to retrieve content that is allowed per user, rather than retrieve all content and then deny what is not allowed.

eg. Don't show pages the user can not access.

1: check if user is logged in, if not, assume he is userlevel 0. (public).
2: Run query and gather pages where userlevel >= required_userlevel
3: Show page(s) that are available to the user.

You might also consider simply not having the admin features in the same system at all. They might be in another db, in another folder, etc. So the public users will never know of the admin features.

Olav Alexander Mjelde
Admin & Webmaster
 
Sorry I missed this, but thanks for your replies! :)

This is how I did it...

User is authenticated to see if they have access. In the database they could be one of two types (Admin or User). If they are authenticated and they are an Admin, show them menu with Admin Features, else show them menu with no Admin Features. A menu contains links to different parts/features of the database website. So if they are not Admin, the menu will not display the links that were not made specifically for them.

So far it's working great... even if a normal user was to type in the URL PHP page that specifically belongs to an Admin user only (if they knew it), they would be redirected to an Error page and taken back to Main. This is done by adding a variable at the very top of the page like $userlevel = "Admin"; which gets checked with the database and the authenticated user before letting them see any of the content of the restricted page.

If anyone wants to debate or explain why this may be an insecure way to protect certain pages, please share. As I am still new to this and may be doing it very unprofessionally.

Thanks again for your comments & advice!

-T
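The login script and the per-page guard from Daniel's reply, together with the "check the level against the database at the top of every restricted page" approach described in the last post, rebuilt as an added example (not code from the thread or any poster) with PDO prepared statements, password_verify() and a fresh session id after login. The table and column names (users: user, password_hash, feature) and the connection details are assumptions.

```php
<?php
// Added example, not from the thread. Assumed table `users` with columns
// user, password_hash (password_hash() output) and feature ('admin' or 'user').

function deny(): void {
    header('WWW-Authenticate: Basic realm="Only authorized access"');
    http_response_code(401);
    exit('Authorization Required.');
}

// Returns the account row on success, null for an unknown user or a bad password
function authenticate(PDO $db, string $user, string $pass): ?array {
    $stmt = $db->prepare('SELECT user, password_hash, feature FROM users WHERE user = ?');
    $stmt->execute([$user]);                 // bound parameter: the name never becomes SQL
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($pass, $row['password_hash'])) {
        return null;                         // same answer for both failures
    }
    return ['user' => $row['user'], 'feature' => $row['feature']];
}

// login.php: establish the session from the HTTP Basic credentials
function login(PDO $db): void {
    if (!isset($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])) { deny(); }
    $account = authenticate($db, $_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']);
    if ($account === null) { deny(); }
    session_regenerate_id(true);             // new id after login, so a pre-login id is useless
    $_SESSION['user'] = $account['user'];
    $_SESSION['feature'] = $account['feature'];
}

// Top of every restricted page: re-read the role so a demoted user loses access at once
function require_feature(PDO $db, string $required): void {
    if (empty($_SESSION['user'])) { deny(); }
    $stmt = $db->prepare('SELECT feature FROM users WHERE user = ?');
    $stmt->execute([$_SESSION['user']]);
    $feature = $stmt->fetchColumn();         // false when the user row is gone
    if ($feature === false || $feature !== $required) {
        http_response_code(403);
        exit('This page is only for ' . htmlspecialchars($required) . ' users.');
    }
}

session_start();
$db = new PDO('mysql:host=localhost;dbname=db', 'app_user', 'app_password',
              [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
require_feature($db, 'admin');               // on login.php call login($db) instead
```

The guard reads the role from the database rather than trusting $_SESSION['feature'], so the session only identifies who the user is and the database stays the single place that says what they may do.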
 