User levels and security

Dev Articles Community Forums Sponsor:

December 23rd, 2003, 08:47 AM

q3utom

Registered User

Join Date: Nov 2003

Posts: 16

Time spent in forums: < 1 sec
Reputation Power: 0

User levels and security

I'm tyring to work out user authentication for php and having levels of access. Logging in I can easily do and I worked out how to do the access levels but the problem is when your logged in on any level you can still access the admin pages if your a guest say if your logged in and know the right url.

So what I would like to know how I can stop this.
This is the login script I use, it is probably faulty anyway as it uses the old session_register instead of the new $_SESSION. So any help there would be appreciated.

Thanks.

PHP Code:


		
			
<?php

/* Program: Login.php

   Desc:    Login program for the Members Only section. 

 */

session_start();

session_register('auth');

session_register('logname');

session_register('authlevel');

include("config.php");                                          

  switch (@$do)                                                 

  {

    case "login":                                               

      $connection = mysql_connect($host,$user,$password)      

               or die ("Couldn't connect to server.");

      $db = mysql_select_db($database,$connection)

               or die ("Couldn't select database.");



      $sql = "SELECT loginName FROM Member                     

              WHERE loginName='$fusername'";

      $result = mysql_query($sql)

                  or die("Couldn't execute query.");

      $num = mysql_num_rows($result);                           

      if ($num == 1)  // login name was found                     

      {

         $sql = "SELECT loginName FROM Member                   

                 WHERE loginName='$fusername'

                 AND password=password('$fpassword')";

         $result2 = mysql_query($sql)

                   or die("Couldn't execute query.");

         $num2 = mysql_num_rows($result2);

         if ($num2 > 0)  // password is correct                 

         {

         // generate and execute query

$sql = "SELECT auth_level 

FROM Member 

WHERE loginName='$fusername' 

AND password=password('$fpassword') 

"; 



    $result = mysql_query($sql); 

    while ($row = mysql_fetch_array($result)) { 

        $auth_level = $row["auth_level"]; 

    } 

           $auth="yes";                                         

           $logname=$fusername;

           $authlevel=auth_level;                                 

           $today = date("Y-m-d h:m:s");                        

           $sql = "INSERT INTO Login (loginName,auth_level,loginTime)

                   VALUES ('$logname','auth_level','$today')";

           mysql_query($sql) or die("Can't execute query.");

         

           if ($auth_level == "1") { 

         

        echo "You are logged in as a Guest.<br /> 

<a href='next1.php'>Click here for options</a> 

"; 

         

    

    } elseif ($auth_level == "2") { 

         

        echo "You have Editor level access.<br /> 

<a href='next2.php'>Click here for options</a> 

"; 

         

    } elseif ($auth_level == "3") { 

         

        echo "You have full Administrative access.<br /> 

<a href='next3.php'>Click here for options</a> 

"; 

    }                  

         }

         else    // password is not correct                     

         {

           unset($do);                                          

           $message="The Login Name, '$fusername' exists,       

                     but you have not entered the correct 

                     password! Please try again.br>";

           include("login_form.php");                           

         } 

      }                                                         

      elseif ($num == 0)  // login name not found               

      {   

         unset($do);                                            

         $message = "The Login Name you entered does not 

                     exist! Please try again.<br>";

         include("login_form.php");

      }

    

        

      }

      if (!ereg("^.+@.+\\..+$",$email))                       

      {

        unset($do);

        $message_new = "$email is not a valid email address. 

                         Please try again.";

        include("login_form.php");

        exit();

      }

      /* check to see if login name already exists */

      $connection = mysql_connect($host,$user,$password)      

                or die ("Couldn't connect to server.");

      $db = mysql_select_db($database,$connection)

                or die ("Couldn't select database.");

      $sql = "SELECT loginName FROM Member 

                WHERE loginName='$newname'";

      $result = mysql_query($sql)

                or die("Couldn't execute query.");

      $num = mysql_numrows($result);

      if ($num > 0)                                           

      {

        unset($do);

        $message_new = "$newname already used. Select another 

                         member ID.";

        include("login_form.php");

        exit();

      } ?>

the login form.php

<html>
<head><title>onfolkestone ::: Login</title>
<link href="../includes/layout.css" rel="stylesheet" type="text/css">
</head>

<body class="body" topmargin="0" leftmargin="0" marginheight="0" marginwidth="0">
<div style="position:absolute; left:90; top:50;" width="100%" ><table width="100%" >

<tr bgcolor="#000066">
<td width="100%" height="149" valign="top">
<p>

<form action="login.php?do=login" method="post">
<table border="0" class="forumline">
<?php
if (isset($message))
echo "<tr><td colspan='2'>$message </td></tr>";
?>
<tr>
<td align=right><b><font size="1" face="Verdana, Arial, Helvetica, sans-serif">Username</font></b></td>
<td><input type="text" name="fusername" size="20" maxsize="20"> </td>
</tr>
<tr>
<td width="120" align="right"><b><font size="1" face="Verdana, Arial, Helvetica, sans-serif">Password</font></b></td>
<td><input type="password" name="fpassword"
size="20" maxsize="20"></td>
</tr>
<tr>
<td align="center" colspan="2"> <br> <input type="submit" name="log" value="Enter" class="box"></td>
</tr>
</table>
</form></td>
</tr>
</table>
</div>
</body>

Thanks again.

q3

December 23rd, 2003, 09:20 AM

dhouston

Contributing User

Dev Articles Beginner (1000 - 1499 posts)

Join Date: May 2003

Location: Tennessee

Posts: 1,355

Time spent in forums: < 1 sec
Reputation Power: 7

This seems a pretty verbose way to handle it. Couldn't you consolidate several of your queries into one?

As for applying the auth levels to individual pages, you'll need to add code to restricted pages that checks the session variable authlevel and prints an error or redirects if the user doesn't have it.

December 23rd, 2003, 09:22 AM

dhouston

Contributing User

Join Date: May 2003

Location: Tennessee

Posts: 1,355

Time spent in forums: < 1 sec
Reputation Power: 7

I'd also be more cautious with my error messages. If somebody's trying to log in by guessing usernames and passwords and you confirm that they've guessed a valid username, then you've given them half of what they need to get in. I'd suggest more generic error messages.

December 23rd, 2003, 09:59 AM

q3utom

Registered User

Join Date: Nov 2003

Posts: 16

Time spent in forums: < 1 sec
Reputation Power: 0

I will sort out the error messages when I sort out this authentication. Thanks for the tip though.

ok ive put in the new sessions:

PHP Code:


		
			
<?php 

/* Program: Login.php 

   Desc:    Login program for the Members Only section. 

 */ 

session_start(); 



include("config.php");                                          

  switch (@$do)                                                  

  { 

    case "login":                                                

      $connection = mysql_connect($host,$user,$password)      

               or die ("Couldn't connect to server."); 

      $db = mysql_select_db($database,$connection) 

               or die ("Couldn't select database."); 



      $sql = "SELECT loginName FROM Member                      

              WHERE loginName='".$_POST['fusername']."'"; 

      $result = mysql_query($sql) 

                  or die("Couldn't execute query."); 

      $num = mysql_num_rows($result);                            

      if ($num == 1)  // login name was found                      

      { 

         $sql = "SELECT loginName FROM Member                    

                 WHERE loginName='".$_POST['fusername']."' 

                 AND password=password('".$_POST['fpassword']."')"; 

         $result2 = mysql_query($sql) 

                   or die("Couldn't execute query."); 

         $num2 = mysql_num_rows($result2); 

         if ($num2 > 0)  // password is correct                  

         { 

       // generate and execute query 

$sql = "SELECT auth_level 

FROM Member 

WHERE loginName='".$_POST['fusername']."' 

AND password=password('".$_POST['fpassword']."') 

"; 



    $result = mysql_query($sql); 

    while ($row = mysql_fetch_array($result)) { 

        $_SESSION['auth_level'] = $row["auth_level"]; 

    } 

           $_SESSION['auth'] = "yes";                                          

           $_SESSION['logname'] = $_POST['fusername']; 

                                       

           $today = date("Y-m-d h:m:s");                        

           $sql = "INSERT INTO Login (loginName,auth_level,loginTime) 

                   VALUES ('".$_SESSION['logname']."','".$_SESSION['auth_level']."','$today')"; 

           mysql_query($sql) or die("Can't execute query."); 

          

         if ($_SESSION['auth_level'] == "1") { 

          

        echo "You are logged in as a Guest.<br /> 

<a href='next1.php'>Click here for options</a> 

"; 

          

    

    } elseif ($_SESSION['auth_level'] == "2") { 

          

        echo "You have Editor level access.<br /> 

<a href='next2.php'>Click here for options</a> 

"; 

          

    } elseif ($_SESSION['auth_level'] == "3") { 

          

        echo "You have full Administrative access.<br /> 

<a href='next4.php'>Click here for options</a> 

"; 

    }                  

         } 

         else    // password is not correct                      

         { 

           unset($do);                                          

           $message="The Login Name, '$fusername' exists,        

                     but you have not entered the correct 

                     password! Please try again.br>"; 

           include("login_form.php");                            

         } 

      }                                                          

      elseif ($num == 0)  // login name not found                

      {    

         unset($do);                                            

         $message = "The Login Name you entered does not 

                     exist! Please try again.<br>"; 

         include("login_form.php"); 

      } 

    

        

      } 

      if (!ereg("^.+@.+\\..+$",$email))                        

      { 

        unset($do); 

        $message_new = "$email is not a valid email address. 

                         Please try again."; 

        include("login_form.php"); 

        exit(); 

      } 

      /* check to see if login name already exists */ 

      $connection = mysql_connect($host,$user,$password)      

                or die ("Couldn't connect to server."); 

      $db = mysql_select_db($database,$connection) 

                or die ("Couldn't select database."); 

      $sql = "SELECT loginName FROM Member 

                WHERE loginName='$newname'"; 

      $result = mysql_query($sql) 

                or die("Couldn't execute query."); 

      $num = mysql_numrows($result); 

      if ($num > 0)                                            

      { 

        unset($do); 

        $message_new = "$newname already used. Select another 

                         member ID."; 

        include("login_form.php"); 

        exit(); 

      } ?>

and the session tag i have 2 check pages that i want secure is:

PHP Code:


		
			
<?php 

session_start();

if (!isset($_SESSION['auth']) || !isset($_SESSION['auth_level']) || !isset($_SESSION['logname'])) 

{ 

    header("Location: ../members/login.php");

    exit;

}

if ($_SESSION['auth'] !== "yes")

{

header("Location: ../members/login.php");

exit();

}

if($_SESSION['auth_level'] !=="3");

{

die("your access level was ".$_SESSION['auth_level']);



exit();

}

echo("welcome");

?>

now what is very odd is that it doesnt work. So i echoed the lines and it is reading the right auth level password and user. So I have no idea what is going on.
Any ideas?

Thanks

December 23rd, 2003, 10:10 AM

q3utom

Registered User

Join Date: Nov 2003

Posts: 16

Time spent in forums: < 1 sec
Reputation Power: 0

dont worry its all sorted i had stuck a ; at the end of a statement that shouldnt of been there.

thanks for all your help

Thread Tools	Search this Thread
Email this Page	Search this Thread: Advanced Search
Display Modes	Rate This Thread
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode	Rate This Thread: