PHP - How To Restrict Files Only For Login Users.

I am trying to make a login and direct for my clients. I have all the login stuff working but can't figure out how to redirect specific clients to their pages only. Any help anyone can offer would be great.

Code: [Select]
<?php
//Start session
session_start();

//Include database connection details
require_once('config.php');

//Array to store validation errors
$errmsg_arr = array();

//Validation error flag
$errflag = false;

//Connect to mysql server
$link = mysql_connect(DB_HOST, DB_USER, DB_PASSWORD);
if(!$link) {
die('Failed to connect to server: ' . mysql_error());
}

//Select database
$db = mysql_select_db(DB_DATABASE);
if(!$db) {
die("Unable to select database");
}

//Function to sanitize values received from the form. Prevents SQL injection
function clean($str) {
$str = @trim($str);
if(get_magic_quotes_gpc()) {
$str = stripslashes($str);
}
return mysql_real_escape_string($str);
}

//Sanitize the POST values
$login = clean($_POST['login']);
$password = clean($_POST['password']);

//Input Validations
if($login == '') {
$errmsg_arr[] = 'Login ID missing';
$errflag = true;
}
if($password == '') {
$errmsg_arr[] = 'Password missing';
$errflag = true;
}

//If there are input validations, redirect back to the login form
if($errflag) {
$_SESSION['ERRMSG_ARR'] = $errmsg_arr;
session_write_close();
header("location: login-form.php");
exit();
}

//Create query
$qry="SELECT * FROM members WHERE login='$login' AND passwd='".md5($_POST['password'])."'";
$result=mysql_query($qry);

//Check whether the query was successful or not
if($result) {
if(mysql_num_rows($result) == 1) {
//Login Successful
session_regenerate_id();
$member = mysql_fetch_assoc($result);
$_SESSION['SESS_MEMBER_ID'] = $member['member_id'];
$_SESSION['SESS_FIRST_NAME'] = $member['firstname'];
$_SESSION['SESS_LAST_NAME'] = $member['lastname'];
session_write_close();
header("location: member-index.php");
exit();
}else {
//Login failed
header("location: login-failed.php");
exit();
}
}else {
die("Query failed");
}
?>

Hi,

I have a restricted area for my work's company. This is an area where registered users with their own user name and password can access to download technical documents etc.

I am hearing some reports that users will have to login twice to get to the area - This happens in Chrome, IE 7/8 and some Firefox's.

It has only happened to me once or twice. Does anyone know why this may be?

Here is the HTML code from the login form on the index page:

Code: [Select]
      <form name="login_form" method="post" action="log.php?action=login">
        <p>Login:<br /> <input type="text" name="user" />
        </p>
     
       <p>Password: <br /><input type="password" name="pwd" />  </p>
       
        <p class="submit">
          <input type="submit" value="Submit" name="submit" class="submit" />
          </p>
        </form>


Here is the log.php File:

(personal connection details edited)

Code: [Select]
<?php

    $hostname = "IP:3306";
    $username = "user";
    $password = "password";
    $database = "db_name";

    $link = MYSQL_CONNECT($hostname,$username,$password);
    
    mysql_select_db($database);    
?>

<?php
session_name("MyWebsiteLogin");
session_start();

if($_GET['action'] == "login") {
$conn = mysql_connect("IP:3306","user","password");
$db = mysql_select_db("db_name"); //Your database name goes in this field. 
$name = $_POST['user'];
$ip=$_SERVER['REMOTE_ADDR'];
$country = file_get_contents('http://api.hostip.info/country.php?ip='.$ip);
$q_user = mysql_query("SELECT * FROM customer WHERE username='$name'");

?>

<?php
               $insert_query = ("INSERT INTO login(username, ip, country) VALUES ('$name','$ip','$country');");
               mysql_query($insert_query) or die('Error, insert query failed');

?>

<?php
if(mysql_num_rows($q_user) == 1) {

$query = mysql_query("SELECT * FROM customer WHERE username='$name'");
$data = mysql_fetch_array($query);
if($_POST['pwd'] == $data['password'])
{
session_register("name");
header("Location: http://#/download/index.php?un=$name"); // This is the page that you want to open if the user successfully logs in to your website.
exit;
} else {
header("Location: login.php?login=failed&cause=".urlencode('Wrong Password'));
exit;
}
} else {
header("Location: login.php?login=failed&cause=".urlencode('Invalid User'));
exit;
}
}


?>

Any help or ideas would be greatly appreciated.

My server is Linux/Apache/PHP.   When a file is uploaded, I use PHP's finfo_open to confirm that the file have the correct file extension matches and delete them if it doesn't match.  I also which file mimi types and size could be uploaded.   Things I do with the files include: Upload user's files and store them in some public directory (/var/www/html/users_public_directory/), and allow other users to directly download them. Upload user's files and store them in some private directory (/var/www/users_private_directory/), and allow other users to download them using X-Sendfile. Upload user's ZIP files and convert them to PDF files (unzip the ZIP file, and uses Libreoffice and Imagemagick's convert to convert them to PDFs). From the server's prospective, what are the risks of allowing users to upload files?  Are there some file types which are more dangerous to the server?  Could they be executed on the server, and if so, how could this be prevented?

Hi! I have read like crazy to find a tutorial on a login page without My_SQL. Anyway I am working on a easy login/logged out page with sessions. Here is the login page with tree users in an array. The things that I need some hints to solve is, when clicking on login the error message don't show. Instead the script goes to the logged in page right away. And when you write the wrong password you get loged in anyway.   I am not sure how or if it's possible to write a varible to a file this way. But I tried and recived a parse error with the txt varible.   When searching for topics I get more confused with the My_SQL varibles. I am near a breaking point at cracking the first step on PHP, but need some advice.

<?php 
$page_title = 'Logged in'; //Dynamic title 
include('C:/wamp/www/PHP/includes/header.html');
?> 
<?php
session_start();
//A array for the sites users with passwords
$users = array(
                'Dexter'=>'meow1',
                'Garfield'=>'meow2',
		'Miro'=>'meow3'
                );

//A handle to save the varible users to file on a new line from the last entry				
$handle = fopen("newusers.txt, \n\r")
$txt = $users;
fclose($handle);


if(isset($_GET['logout'])) {
    $_SESSION['username'] = '';
    header('Location:  ' . $_SERVER['PHP_SELF']);
}

if(isset($_POST['username'])) {
    if($users[$_POST['username']] == $_POST['password']) { 
        $_SESSION['username'] = $_POST['username'];
    }else {
        echo "Something went wrong, Please try again";
    }
}
?>

<?php 
echo "<h3>Login</h3>";
echo "<br />";
?>
<!--A legend form to login-->
		<fieldset><legend>Fill in your username and password</legend>
        <form name="login" action="777log.php" method="post">
            Username: <br /> 
			<input type="text" name="username" value="" /><br />
            Password: <br /> 
			<input type="password" name="password" value="" /><br />
			<br />
            <input type="submit" name="submit" value="Login" />
	</fieldset>
	</form> 

<?php //Footer include file 
include('C:/wamp/www/PHP/includes/footer.html');
?>

The logged in page

<?php //Header
$page_title = 'Reading a file'; 
include('C:/wamp/www/PHP/includes/header.html');
?> 

<?php 
	session_start();
	//Use an array forthe sites users  
$users = array(
                'Dexter'=>'meow1',
                'Garfield'=>'meow2',
		'Miro'=>'meow3'
                );
//
if(isset($_GET['logout'])) {
    $_SESSION['username'] = '';
	echo "You are now loged out";
	//The user is loged out and returned to the login page
    header('Location:  ' . $_SERVER['PHP_SELF']); 
}

if(isset($_POST['username'])) {
	//Something goes wrong here when login without any boxes filled
    if($users[$_POST['username']] == $_POST['password']) { 
        $_SESSION['username'] = $_POST['username'];
    }else {
        echo "Something went wrong, Please try again";
		$redirect = "Location: 777.php";
    }
}
?>
        <?php if($_SESSION['username']): ?>
            <p><h2>Welcome <?=$_SESSION['username']?></h2></p> 
			<p align="right"><a href="777.php">Logga ut</a></p><?php endif; ?>
			<p>Today Ben&Jerrys Chunky Monkey is my favorite!</p>	

<?php //Footer
include('C:/wamp/www/PHP/includes/footer.html');
?>

I have dynamic images that have the "Like" button, it's basically like a wishlist. The way I want it to work is that when a user is not logged in, the 'Like' button will navigate them to a login popup (which I already made). 

I have a login script that pulls from a DB and in that i have a column called "Allowed" that either has a 0 for not allowed or a 1 for allowed.
How would I implement that into a login script to either allow the login or die?

Hello   I am trying to work out how many regular users I have to my site and how long those users tend to be users..   So, I have a table that logs every time a user visits my site and logs in, it stores the date / time as a unix timestamp and it logs their user id.   I started by getting the id's of any user who logs in more than 5 times in a specified period, but now I want to extend that...  

 
SELECT userID as user, count(userID) as logins FROM login_history where timestamp > UNIX_TIMESTAMP('2014-06-01 00:00:00') and timestamp < UNIX_TIMESTAMP('2014-07-01 00:00:00') group by user having logins > 5;
 

I just discovered that I have a major security flaw with my website.
Anyone who logs in to the website can easily access other users information as well as delete and edit other users information just by changing the ID variable in the address bar.
I have user ID Session started on these pages but still people can do anything they like with other users information just by editing the address bar.
For example if your logged in in the address bar of www.mywebsite.com/delete_mystuff.php?id=5 and change the "5" say to a "9" then you will have access to user#9 information.

Every important page that I have has this code:
Code: [Select]
 session_start();

if (!isset($_SESSION['user_id'])) {
// Start defining the URL.
         $url = 'http://' . $_SERVER['HTTP_HOST'] . dirname($_SERVER['PHP_SELF']);
// Check for a trailing slash.
         if ((substr($url, -1) == '/') OR (substr($url, -1) == '\\') ) {
         $url = substr ($url, 0, -1); // Chop off the slash.
}
// Add the page.
$url .= '/index.php';
ob_end_clean(); // Delete the buffer.
header("Location: $url");
exit(); // Quit the script.
} else {
                //Else If Logged In Run The Script

if((isset($_GET['id'])) && (is_numeric($_GET['id']))) {
         $id = (int) $_GET['id'];
} elseif ((isset($_POST['id'])) && (is_numeric($_POST['id']))) {
         $id = (int) $_POST['id'];
} else {
         echo ' No valid ID found, passed in url or form element';
        
         exit();
}



What am I doing wrong?
Please help if you know how to correct this.

Many thanks in advance.

Hey guys i have a script that i made with multiple permissions..

i need to add in the pages restitutions for diffrent levels..


so i got the level


$query = "SELECT * FROM users WHERE `username`='$username_from_cookie'"; 

$numresults=mysql_query($query);
$numrows=mysql_num_rows($numresults); 

// get results
$result = mysql_query($query) or die("Couldn't execute query");

// now you can display the results returned
while ($row10= mysql_fetch_array($result)) {

$permissions= $row10["permissions"];

echo '$permissions';

}


Now to restick im ok with like to but more then that i get confused..

this shows navigation on levels of permissions..


if ($row10['permissions'] == 2) {
print "<a href=\"U.php\"><img src=\"./Icons/Users.png\" title=\"Prof\" /></a>";
}
else {
print "<img src=\"./Icons/Users_o.png\"/>";
}


2 levels


 if ($row10['permissions'] == 5) {
print "<a href=\"Prof_1.php\"><img src=\"./Icons/sec.png\" title=\"Enseignant(e)\"/></a>";
} elseif ($row10['permissions'] == 2) {
print "<a href=\"Prof_1.php\"><img src=\"./Icons/sec.png\" title=\"Enseignant(e)\"/></a>";
} else {
print "<img src=\"./Icons/sec_o.png\" title=\"Enseignant(e)\"/>";
}


ok so instead of have 10 lines of codes can i

$row10['permissions'] == 5&2&3   ???

and can i do if not permissions ==5 redirect to loggin..
thanks

What is the best way to force a user to input numeric value into a form, with the following condition:
Either the number is an integer (positive or negative or zero), or non integer but limited to the one digit behind the dot (e.g. 1.2 is valid, but 1.21 is not)?
I know I can test it in the server side, but I prefer it to be on the form side.

Can it be in the HTML level?

Hi. I'm making a file-sharing website but how do I stop users from uploading certain extensions?
Here is my script so far:

<?php session_start(); $file_name = $HTTP_POST_FILES['ufile']['name'];$random_digit=rand(0000,9999);$new_file_name=$random_digit.$file_name;$path= "upload/".$new_file_name;if($ufile !=none){if(copy($HTTP_POST_FILES['ufile']['tmp_name'], $path)){echo "Successful<BR/>";}else{echo "Error";}}?>()

Hi All,

Im new to this forum but think its going to be a regular location for me for quite a while.

Im very very new to php and the guy that was doing code for me is not responding to emails, so i thought id have a go myself...lol
at the moment im going through the trial and error phase while learning.

I have edited some of the code he has put on the site to create a new look.
the original page: http://www.ridersguide.co.uk/county_accommodation.php?county=4;
the one im trying:http://www.ridersguide.co.uk/county_accommodation2.php?county=4;

The new bit is to add a preview of the text for the page.

echo $row[ad_text];
the code above brings up all the text but i only want to show the first 4 or 5 lines. Is this possible in php?

Any help appreciated

Neil

Hi, I have been searching everywhere to try to figure out how to restrict the number of chararacters shown when I do a while loop of data. The one I want to restrict is Property_Short_Description here -

<?php
echo "2.gif vspace=5 border=0><br />";
echo $row['Property_Short_Description'];}
?>

Thanks so much

I am trying to find a workaround for people using bookmarks and executing them simultaneously forcing a script to run thousands of times in just a second. Is there a way I can implement a token or a short bit of javascript that would force the user to use the link vs bookmarked URL pages?

Sorry if I am being vague here but its really causing me issues having people doing this on my site.