The database has three types of users:
Admin type: 0
student type:1
teacher type: 2
I got the login to work perfectly, according to username and password I verify with another table to see the user type and redirect the person either to admin.php, teacher.php or student.php
The problem I'm having is that, when i login in as a student I can go to the url and access addstudent.php which adds a student (only admin should be able to use this form) How can i secure this page so that only an admin who logs in can view the file?, thanks
please explain as simple as possible, I'm a beginner
ok, I have login.php which shows a form that form then calls on the verify_login.php file, here i have something like this:
<?php
require("../includes/connect_variables.php");
require("../includes/connection.php");
require("../login/functions.php");
/* Username and password sent from form*/
$username = $_POST['username'];
$password = $_POST['password'];
/* To protect MySQL injection*/
$username = stripslashes($username);
$password = stripslashes($password);
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);
/*Query to check if user exits in database*/
$query = "select account_type from users where username = '$username' and password = '".md5($password)."'";
$result = mysql_query($query);
while($row = mysql_fetch_assoc($result))
{
$id= "{$row['account_type']}";
}
/*If user exits then there will be one row with the person's information*/
$count = mysql_num_rows($result);
/*If user exits*/
if($count == 1)
{
/*Register Session*/
/*Register Session*/
session_register("username");
session_register("password");
switch($id)
{
case 0:
header("location:../users/admin/admin.php");/*Redirect to admin page*/
break;
case 1:
header("location:../users/teacher/teacher.php");/*Redirect to teacher page*/
break;
case 2:
header("location:../users/student/student.php");/*Redirect to student page*/
break;
}
}
else /*Redirect to second login page where error message appears*/
{
fail_login();/*Display Information*/
}
?>
please explain the logged in flag thing
Admin type: 0
student type:1
teacher type: 2
I got the login to work perfectly, according to username and password I verify with another table to see the user type and redirect the person either to admin.php, teacher.php or student.php
The problem I'm having is that, when i login in as a student I can go to the url and access addstudent.php which adds a student (only admin should be able to use this form) How can i secure this page so that only an admin who logs in can view the file?, thanks
please explain as simple as possible, I'm a beginner
ok, I have login.php which shows a form that form then calls on the verify_login.php file, here i have something like this:
<?php
require("../includes/connect_variables.php");
require("../includes/connection.php");
require("../login/functions.php");
/* Username and password sent from form*/
$username = $_POST['username'];
$password = $_POST['password'];
/* To protect MySQL injection*/
$username = stripslashes($username);
$password = stripslashes($password);
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);
/*Query to check if user exits in database*/
$query = "select account_type from users where username = '$username' and password = '".md5($password)."'";
$result = mysql_query($query);
while($row = mysql_fetch_assoc($result))
{
$id= "{$row['account_type']}";
}
/*If user exits then there will be one row with the person's information*/
$count = mysql_num_rows($result);
/*If user exits*/
if($count == 1)
{
/*Register Session*/
/*Register Session*/
session_register("username");
session_register("password");
switch($id)
{
case 0:
header("location:../users/admin/admin.php");/*Redirect to admin page*/
break;
case 1:
header("location:../users/teacher/teacher.php");/*Redirect to teacher page*/
break;
case 2:
header("location:../users/student/student.php");/*Redirect to student page*/
break;
}
}
else /*Redirect to second login page where error message appears*/
{
fail_login();/*Display Information*/
}
?>
please explain the logged in flag thing