|
PHP - Page Based Access Control Code Restructuring
Below is the screenshots and script for user page level access i have used it for one of my old projects. Code is working as it was intended. But it needs to be improvised. Users table
pages table , which has all the pages and links
Access level table. which has user id from users table and page id from pages table (for which user has access)
Once the user is created, admin gives access to the user on page basis, the permissions.php page looks like this The modules
Menus inside the modules
Pages in each menu
Here is my code for permission.php
<div id="demo2-html">
<ul id="demo2" class="mnav">
<li><a href="#">Sales</a>
<ul>
<li><a href="#">Lead</a>
<ul>
<table class="table table-bordered table-striped table-hover">
<?php
$s1 = mysqli_query($con, "SELECT pages.page_id as pid, pages.code, pages.page,
pages.href, access_level.aid, access_level.page_id as pgid,
access_level.user_id
FROM pages
LEFT JOIN access_level ON (pages.page_id=access_level.page_id
AND access_level.user_id=".$user."
) WHERE pages.code='led'") or die(mysqli_error($con));
while($s2 = mysqli_fetch_array($s1)) { ?>
<tr><li><td><?php echo $s2['page']; ?> </td><td><input type="checkbox" name="sn[]" value="<?php echo $s2['pid']; ?>" <?php if($s2['pgid'] === $s2['pid']) echo 'checked="checked"';?> />
<input type="hidden" value="<?php echo $s2['pid']; ?>" name="page_id[<?php echo $s2['pgid']; ?>]">
</td></li></tr>
<?php } ?>
</table>
</ul>
</li>
<li><a href="#">Customer</a>
<ul>
<table class="table table-bordered table-striped table-hover">
<?php
$s1 = mysqli_query($con, "SELECT pages.page_id as pid, pages.code, pages.page,
pages.href, access_level.aid, access_level.page_id as pgid,
access_level.user_id
FROM pages
LEFT JOIN access_level ON (pages.page_id=access_level.page_id
AND access_level.user_id=".$user."
) WHERE pages.code='cst'") or die(mysqli_error($con));
while($s2 = mysqli_fetch_array($s1)) { ?>
<tr><li><td><?php echo $s2['page']; ?> </td><td><input type="checkbox" name="sn[]" value="<?php echo $s2['pid']; ?>" <?php if($s2['pgid'] === $s2['pid']) echo 'checked="checked"';?> />
<input type="hidden" value="<?php echo $s2['pid']; ?>" name="page_id[<?php echo $s2['pgid']; ?>]">
</td></li></tr>
<?php } ?>
</table>
</ul>
</li>
//code goes for all the other modules
</ul>
</li>
</ul>
</div>
<input type="hidden" name="user" value="<?php echo $user; ?>" />
<div class="row" align="center">
<input type="submit" name="submit" class="btn btn-success" value="Save" />
</form>
// form Submission
if(isset($_POST['submit']))
{
$user = $_POST['user'];
$sql = "DELETE FROM access_level WHERE user_id = ".$user."";
$query = mysqli_query($con, $sql) or die (mysqli_error($con));
foreach($_POST['sn'] as $sn)
{
$sql = "insert into access_level (page_id, user_id) values (".$sn.", ".$user.")";
$query = mysqli_query($con, $sql) or die (mysqli_error($con));
}
if($query)
{
header("location:users.php?access=1");
}
}
So against each user i am storing all the page ids here. When i edit any of the users, it deletes all the records and again insers new records. Which i feel is not a proper way to do. And in codewise also, i am redirecting the user to no_access.php (as below) page if the user do not have access.
<?php
ob_start();
include("connect.php");
include("admin_auth.php");
$q1 = basename($_SERVER['REQUEST_URI'], '?' . $_SERVER['QUERY_STRING']);
$q2 = $_SERVER['REQUEST_URI'];
$var1 = "/".$q1;
$qa_path=explode('/', $q2);
$right_path = $qa_path[2].$var1;
$parsedUrl = parse_url($q2);
$curdir = dirname($_SERVER['REQUEST_URI'])."/";
$m4 = "select p.page_id, p.code, p.page, p.href, al.aid, al.page_id, al.user_id FROM pages p INNER JOIN access_level al ON p.page_id=al.page_id WHERE al.user_id=".$_SESSION['user_id']."";
$m5 = mysqli_query($con, $m4) or die (mysqli_error($con));
while($nk1 = mysqli_fetch_array($m5)) {
$href1[] = ($nk1['href']); }
if(in_array($right_path, $href1)) {
echo "<script type='text/javascript'> document.location = ".BASE_URL."/".$right_path."</script>";
}
else
{
echo "<script type='text/javascript'> document.location = '../no_access.php' </script>";
exit();
}
?>
I need help in improve and better/effective (structural) way to do this both in database and php script. Similar TutorialsIn my project. I wanted an option that was going to give me more control over what my users can and could not do. I fount a ACL Sample and well the guy that made this must have been drunk. Any way I been working with it and putting it together so that it will work. The problem is that when I view the users current permissions it doesn't seem to display then right. Blow is the code i have in a switch that I use to manage each users permissions. The $_GET['uid'] gets the users id from the URL in the admin section. Code: (php) [Select] case "manage": //$userACL = new ACL($_GET['uid']); $userACL = new ACL($_GET['uid']); echo '<h2>Managing '.$userACL->getUsername($_GET['uid']).'</h2>'; echo '... Some form to edit user info ...'; echo '<h5>Roles for user: (<a href="users.php?action=roles&uid='.$_GET['uid'].'">Manage Roles</a>)</h5>'; echo '<ul>'; $roles = $userACL->getUserRoles($_GET['uid']); foreach ($roles as $k => $v) { echo "<li>" . $userACL->getRoleNameFromID($v) . "</li>"; } echo '</ul>'; echo '<h6>Permissions for user: (<a href="users.php?action=perms&uid='.$_GET['uid'].'">Manage Permissions</a>)</h6>'; echo '<ul>'; //$uparms = $userACL->getAllPerms($_GET['uid']); //$uPerms = $userACL->getUserPerms($_GET['uid']); //$aPerms = $userACL->getAllPerms('full'); $aPerms = $userACL->perms; //foreach ($perms as $k => $v) foreach($aPerms as $k => $v) { //echo 'fdfdsfsd :'. $v['value']; //if ($v['value'] == false) { continue; } if($v['value']) { // if (!$v['value']) { continue; } echo "<li>" . $v['Name'] . ' : Allowed </li>'; //if ($v['inheritted']) { echo " (inheritted)"; } } else { echo "<li>" . $v['Name'] . ' : Deny </li>'; } echo "</li>"; } echo '</ul>'; break; If any one needs any extra info. Please let me know. Hi everyone, am developing an application that has two views 1 for administrator and 1 for staff. Administrator can perform all application tasks and Staff can ONLY perform certain task. I have implemented sessions quite alright and are working. Now the problem is that when I login as Staff and then I change the URL to point to an administrator's page the application is allowing that, How can I prevent that from happening. Staff MUST NOT see administrators pages. Here is my login code, logout code and code am using to protect webpages below. Here is my login code <?php //start the session session_start(); $username=$_POST['username']; $password=$_POST['password']; $encrypted=md5($password); // set connection to database $hostname="localhost"; // Host name $mysql_server_username="root"; // Mysql username $server_password=""; // Mysql password $db_name="db_inventory"; // Database name $table = "tbl_users"; // Table name // Connect to server and select database. mysql_connect("$hostname", "$mysql_server_username", "$server_password")or die("cannot connect to database server"); mysql_select_db("$db_name") or die ("Couldn't select the database."); $admin=("select * from $table where username='$username' AND password='$encrypted' AND type = 'admin'"); $staff=("select * from $table where username='$username' AND password='$encrypted' AND type = 'staff'"); //check that at least one row was returned $adminresult=mysql_query($admin); $admincount = mysql_num_rows($adminresult); $staffresult=mysql_query($staff); $staffcount = mysql_num_rows($staffresult); if($admincount> 0){ $_SESSION['valid_user'] = $username ; header( "Location: main_menu.php" ); } else if($staffcount> 0){ $_SESSION['valid_user'] = $username ; header( "Location: staff/main_menu.php" ); } else { ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>title> | Login</title> </head> <body bgcolor="#FFFFFF" background-repeat:no-repeat; background="images/images1.jpg"> <div align="center"> <table width="800" height="501" border="0" cellpadding="1" cellspacing="1"> <tr> <td height="100"> </td> </tr> <tr> <td height="350"> <div align="center"> <form method="post" action="login_process.php"> <h4 align="center"><font color="red">Incorrect Username / Password ! Please Try Again</font></h4> <img name="" src=images/padlock_closed.gif width="34" height="32" alt="" /><br /><br /> <table width="314" border="0" cellspacing="1" cellpadding="1"> <tr> <td>Username:</td> <td><label> <input type="text" name="username" /> </label></td> </tr> <tr> <td>Password:</td> <td><label> <input type="password" name="password" /> </label></td> </tr> <tr> <td colspan="2"> <p> <input type="submit" name ="submit" value="Login" /> <input type="reset" value="Reset" /> </p> </td> </tr> </table> </form> </div> </td> </tr> <tr> <td height="100"> </td> </tr> </table> </div> </body> </html> <?php } ?> Here is my logout code <?php //start the session session_start(); //check to make sure the session variable is registered if(isset($_SESSION['valid_user'])){ //session variable is registered, the user is ready to logout session_unset(); session_destroy(); //the session variable isn't registered, the user shouldn't even be on this page header( "Location: index.php" ); } else { //check to see if the session variable is not registered if(!isset($_SESSION['valid_user'])){ //redirect to login page header( "Location: index.php" ); } } ?> Here is code I am using to protect pages <?php //start the session session_start(); //check to make sure the session variable is registered if(!isset($_SESSION['valid_user'])){ //redirect to login page header( "Location: index.php" ); } ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" /> <title> | Main Menu</title> <link rel="stylesheet" type="text/css" href="css.css" /> </head> <body> <div id="tabsF"> <ul> <!-- CSS Tabs --> <li id="current"><a href="main_menu.php"><span>MAIN MENU</span></a></li> <li><a href="stockmaster.php"><span>STOCK MASTER</span></a></li> <li><a href="controlpanel.php"><span>CONTROL PANEL</span></a></li> <li><a href="logout.php"><span>LOGOUT</span></a></li> </ul> </div> </body> </html> Thank you. This topic has been moved to Miscellaneous. http://www.phpfreaks.com/forums/index.php?topic=333523.0 Control problem based on two forms Hello everyone, I have a problem with the control of my two forms principle it is good for the first form, but if I wanted to control my 2nd form, blocking ca Here's the script: Code: [Select] <html> <head> <script type="text/javascript" > function formValidation1(oEvent) { oEvent = oEvent || window.event; var txtField = oEvent.target || oEvent.srcElement; var txt_nom_pereck1=true; var msg=" "; if(document.getElementById("txt_nom_pere").value.length < 3 ){ txt_nom_pereck1=false; msg = msg + "Your name should be minimun 3 char length";} if(document.getElementById("txt_prenom_pere").value.length < 3 ){ txt_nom_pereck1=false; msg = msg + "Your name should be minimun 3 char length";} if(txt_nom_pereck1){document.getElementById("submit_etape4").style.display='block'; } else{document.getElementById("submit_etape4").style.display='none'; } } window.onload = function () { var submit_etape4 = document.getElementById("submit_etape4"); var txt_nom_pere = document.getElementById("txt_nom_pere"); var txt_prenom_pere = document.getElementById("txt_prenom_pere"); var txt_courriel_pere = document.getElementById("txt_courriel_pere"); var txt_courriel_pere_conf = document.getElementById("txt_courriel_pere_conf"); var txt_nom_pereck1=false; document.getElementById("submit_etape4").style.display='none'; txt_nom_pere.onkeyup = formValidation1; txt_prenom_pere.onkeyup = formValidation1; } //************Partie 2 : ******///////////////////////////// /* function formValidation2(oEvent) { oEvent = oEvent || window.event; var txtField = oEvent.target || oEvent.srcElement; var txt_nom_pereck2=true; var msg=" "; if(document.getElementById("txt_courriel_pere").value.length < 3 ){ txt_nom_pereck2=false; msg = msg + "Your name should be minimun 3 char length";} if(document.getElementById("txt_courriel_pere_conf").value.length < 3 ){ txt_nom_pereck2=false; msg = msg + "Your name should be minimun 3 char length";} if(txt_nom_pereck2){document.getElementById("submit_etape5").style.display='block'; } else{document.getElementById("submit_etape5").style.display='none'; } } window.onload = function () { var submit_etape5 = document.getElementById("submit_etape5"); var txt_courriel_pere = document.getElementById("txt_courriel_pere"); var txt_courriel_pere_conf = document.getElementById("txt_courriel_pere_conf"); var txt_nom_pereck2=false; document.getElementById("submit_etape5").style.display='none'; txt_nom_pere.onkeyup = formValidation2; txt_prenom_pere.onkeyup = formValidation2; } Je voulais activer cette partie pour comtrole le Form 2 Le probleme existe au niveau des nom des fonctions I wanted this part to enable the Comtrol Form 2 The problem exists at the level of function names */ </script> </head> <body > <form method=" post" action="form-success.php"> <table> <tr> <td>First Name</td> <td><input type="text" id="txt_nom_pere" name="FirstName"></td> </tr> <tr> <td>First Name</td> <td><input type="text" id="txt_prenom_pere" name="FirstName"></td> </tr> </table> <input type="button" id="submit_etape4" value="Sign Up!!" style="display:none;" /> </form> <form method=" post" action="form-success.php"> <table> <tr> <td>First Name</td> <td><input type="text" id="txt_courriel_pere" name="FirstName"></td> </tr> <tr> <td>First Name</td> <td><input type="text" id="txt_courriel_pere_conf" name="FirstName"></td> </tr> </table> <input type="button" id="submit_etape5" value="Sign Up!!" style="display:none;" /> </form> </body> </html> Hi, so far I have managed to set up a somewhat basic login website with a mysql database backend. Once they have logged on they go to a "main menu" page. What I need to define is that user A sees button A but only that button, etc. (Then of course that same rule would have to apply if they tried to directly go to the page, but I am guessing I can do that in the same way that I currently do to force a login). If anyone has any tutorials or sample code I would much appreciate it. Thanks, Hi all . I have a button now when i click the button an mypages is valid can i make that button in the page invisible in postback with php?? I know you can in C# by saying button1.Visible = false; Thanks for input... i have created an object in one page. it has a submit button which upon clicking opens a new page. is it possible to access that created object and its data members in that second page? here is the code for creating the object in the first page. $viewcart = new Cart(); $viewcart->GetProductCart($user); As we know , A post_max_size used to limit the size of posted data via POST method while the upload_max_filesize used to limit the size of file to be uploaded
I assume. post_max_size = 8m upload_max_filesize = 2m
When i limit the user to only upload 100kb file, i say <pre>
if (!empty($_FILES["myfile"]["tmp_name"]) && ($_FILES["myfile"]["size"] > 100000)) { </pre>
This message occur even when the file is greater than 8 m
The problem come when the file is greater than 10m the warning message for post content is on the page is
Warning: POST Content-Length of 9767236 bytes exceeds the limit of 8388608 bytes in Unknown on line 0
What i want? I want to create my own warning as an error
ie <pre>
if (post_max_size > 18388608)) { </pre>
NB: some developers says we have to adjust the post_max_size i.e 200M what if user upload the file with 210M, the warning message will come back again
Warning: POST Content-Length of 9767236 bytes exceeds the limit of 8388608 bytes in Unknown on line 0
In short i want to give a normal user a meaningful warning
Hi, I've done some serious google'ing... I'm all googled out and it doesn't appear there is a solution to this the way I'm attempting it and it's probably more a case of my early ventures into development that I'm missing something that may or may not be a better and if not more obvious way to do this... Here's the principle, Customer Logs into webpage - greeted by profile page (all cushty so far) - Can choose to move to view 'audio files' which relate to the products they have purchased (this is where it gets silly...) The idea is that both the profile page and the audio page are controlled by a $_SESSION within PHP scripting so the pages are dynamic. I want to include all of the audio files for every product on the 'audio.php' page BUT I only want the ones that they have purchased to be visible... All the setup is fine because the following works fine: Code: [Select] if($info['halftimerock'] == 1) { echo "<p>Half Time Rock</p>";} Which essentially checks the db, finds a 1 in the appropriate product and displays the name of the product in a list, if no products then nothing in the list etc. What I want to do is control the visibility of some <div>'s using the same kind of idea, so: Code: [Select] if($info['halftimerock'] == 1) { CODE TO DISPLAY DIV IN HERE } I have a 'toggleelement' JS function available which works for mouse clicks but obviously php and js don't exactly go well together so that is probably not the way to go, I'm already running a lot of PHP at the top of the page before the HTML to stop session header errors. A couple of web searches have suggested I insert a <script> tag into the echo command but I can't get that to work and I guess it's a really messy way of trying to do things! So here's the question, any ideas about how to toggle <div> visibility within php or is that purely something for js to handle?... Is there a better/cleaner way of doing it all, perhaps redirecting users to different pages based on their entries in the DB (which could all be handled with headers but I'll end up with a million different pages and combinations eventually? I could always create a .htaccess/.htpasswd file system and handle the folders with audio content in manually so that all files are visible but only a valid username and password will be able to access the file but that's going to get annoying for people having to put in user/pass for every file and also for me updating the users for each individual file every time some1 buys something... Any ideas? Anybody done anything similar? Cheers I have a weird kind of problem. I uploaded all upload-directories through FTP which have 777 permissions and owner name 'abc' This means I can access all of them through the codes. But while creating files inside those full permitted directories, the compiler complains for access denied. Meanwhile, a different directory is created with same name whose owner is 'apache' itself and the previous directory is lost. Then I cannot change the permissions of that directory through FTP. I don't if it is apache server's problem itself or not. Or is it a way to define user while creating/editing/deleting files and directories through php code itself? To access MySql tables from PHP, I use the PHP code and the function below. If I make these changes, would this code work for SQL Server 2008? mysql_fetch_array to mssql_fetch_array mysql_connect to mssql_connect mysql_select_db to mssql_select_db mysql_query to mssql_query PHP code -------------------------------------------------------------------------------- $sql = "SELECT mast_id FROM district_mast WHERE mast_district = '".$dist_num."'"; $result = func_table_access($sql); $rows = mysql_fetch_array($result); Function -------------------------------------------------------------------------------- FUNCTION func_table_access($sql) { $db = "aplustutoru"; $host = "localhost"; $user = "root"; $pass = ""; IF (!($conn=mysql_connect($host, $user, $pass))) { PRINTF("error connecting to DB by user = $user and pwd=$pass"); EXIT; } $db3 = MYSQL_SELECT_DB($db,$conn) or die("Unable to connect to local database"); IF ($sql <> "justopendb") { $result = MYSQL_QUERY($sql) OR DIE ("Can not run query because ". MYSQL_ERROR()); RETURN $result; } } This topic has been moved to HTML Help. http://www.phpfreaks.com/forums/index.php?topic=323045.0 I am sitting behind a firewall which blocks the http access to all popular free email providers like hotmail.com gmail.com .... The blocking is done by filtering out the domain names. So I am searching for a way to access the mailbox by a third domain e.g. mydomain123.com (which is under my control). I could imagine that there is a PHP code which can be setup on mydomain123.com which accesses the final hotmail.com mailbox by using POP3 fetches and SMTP sends. Is there such an PHP intermediate code? Peter I want to make it so public users cant access the index of/ page, how do I do that? Thanks This has been an ongoing issue from the start. When I try to login I enter the username and password and click login, then get taken back to the login page to reenter the same details and the second time I click login I get logged in. Now if I then log out and close window and wait a few seconds, restart again and try to log in, I get in first time. I believe this could be a session issue but I thought unsetting the unset($_SESSION['admin']); would cause the session to be lost and have to start again. I just can not get my head around what is causing it. Can anyone tell me what I might be doing wrong ? I have a redirect to originating page, so if I was to view a previous page within the admin area I have to log in and then once loggeed in it will redirect to the page I was on before. Here are my scripts.
<?php
session_set_cookie_params(0, '/', '.****.com'); session_start(); error_reporting(-1);
define('site_title', 'Admin ');
define('pageTitle', 'Admin ');
$_SESSION['loginRedirect'] = "adminCreateCampaign.php";
include("functions-for-email.php");
$checkAdminStatus = checkAdminStatus($mysqli);
if(!isset($_SESSION['admin']) || $checkAdminStatus == "NOACCESS") {
$_SESSION['error'] = 'You must be logged in to view that page. (el.S1)';
//$_SESSION['loginRedirect'] = "showStats.php";
//echo("You must be logged in to view that page. (el.S1)<br>"); exit;
@mysqli_close($mysqli);
header('Location: ' . adminFullWebAddress . '/index.php'); exit;
} else {
if($_SESSION['admin']['account_type'] != 'admin') {
$_SESSION['error'] = 'You do not have the priviledges to view that page. (el.S2)';
@mysqli_close($mysqli);
header('Location: ' . adminFullWebAddress . '/index.php'); exit;
}
}
?>
<!DOCTYPE>
<html>
<head>
<link href="adminstyle.css" rel="stylesheet" type="text/css" />
<title><?php echo(site_title); ?></title>
</head>
<body>
<div id="container">
<div class="containerInner">
<div id="leftInner100">
<?php // start of leftInner ?>
<?php menu(); ?>
<h1 class="middleTitle">Admin </h1>
<?php
if(isset($thisError)) { echo '<div class="errorDiv">',$thisError,'</div>'; unset($thisError); }
if(isset($thisSuccess)) { echo '<div class="successDiv">',$thisSuccess,'</div>'; unset($thisSuccess); }
?>
<br><br>
</div><?php // end of leftInner ?>
</div><?php // end of containerInner ?>
<div class="clearfix"></div>
</div><?php // container ?>
</body>
</html>
<?php @mysqli_close($mysqli); ?>
<?php
session_set_cookie_params(0, '/', '.****.com'); session_start(); error_reporting(-1);
include("functions.php");
$checkAdminStatus = checkAdminStatus($mysqli);
//$_SESSION['loginRedirect'] = adminFullWebAddress . "/index.php";
$fromlink4 = isset($_SERVER['REMOTE_ADDR']) ? (gethostbyaddr($_SERVER['REMOTE_ADDR'])) : "empty";
$ipAddress = $_SERVER['REMOTE_ADDR'];
if(isset($_POST['email'])) { $email = $_POST['email']; $email = strip_tags($email); } else { $email = ""; }
if(isset($_POST['pass'])) { $password = $_POST['pass']; $pass = $_POST['pass']; } else { $pass = ""; }
if(isset($_POST['login']) && trim($_POST['login']) == 'Login') {
$checkEmail = db_query($mysqli, "SELECT `adminid` FROM `admins` WHERE `email` = '" . $mysqli->real_escape_string($email) . "' LIMIT 1");
$checkBanned = db_query($mysqli, "SELECT `adminid` FROM `admins` WHERE `email` = '" . $mysqli->real_escape_string($email) . "' AND `suspended` = 'Yes' LIMIT 1");
$failedLoginCounter = 0;
if(!$email) {
$thisError = 'Please enter your e-mail address.';
} else if(! $checkEmail->num_rows) {
$thisError = 'Either the email address, password or both were not entered correctly.';
} else if(!$password) {
$thisError = 'Please enter your password.';
} else if($checkBanned->num_rows) {
$thisError = 'Your account has been suspended by Admin.';
} else {
$password = md5($password);
$checkAccount = db_query($mysqli, "SELECT * FROM `admins` WHERE `email` = '" . $mysqli->real_escape_string($email) . "' AND `password` = '" . $mysqli->real_escape_string($password) . "' LIMIT 1");
if($checkAccount->num_rows) {
$saveChanges = db_query($mysqli, "UPDATE `admins` SET `lastlogindatetime` = '" . $mysqli->real_escape_string(datetimenow) . "', `lastAccessSinceLogin` = '" . $mysqli->real_escape_string(datetimenow) . "', `lastloginip` = '" . $mysqli->real_escape_string($ipAddress) . "', `failedLoginCounter` = 0 WHERE `email` = '" . $mysqli->real_escape_string($email) . "' LIMIT 1");
// set lastlogindatetime
$_SESSION['admin'] = $checkAccount->fetch_assoc();
$loginRedirect = isset($_SESSION['loginRedirect']) ? $_SESSION['loginRedirect'] : "";
$_SESSION['success'] = 'You are now logged in. (ok.L2) ' . $loginRedirect;
header('Location: ' . adminFullWebAddress . '/' . $loginRedirect); exit;
} else {
$thisError = 'Your e-mail address and/or password is incorrect.<br>If you still face issues, you can <a href="startresetpw.php">reset your password</a>';
$saveChanges = db_query($mysqli, "UPDATE `admins` SET `failedLoginCounter` = `failedLoginCounter` + 1, `lastloginfailedip` = '" . $mysqli->real_escape_string($ipAddress) . "', `lastlogindatetimeFailed` = '" . $mysqli->real_escape_string(datetimenow) . "' WHERE `email` = '" . $mysqli->real_escape_string($email) . "' LIMIT 1"); // set lastlogindatetimeFailed
}
}
}
if(!isset($_SESSION['admin'])) {
define('site_title', 'Login');
define('pageTitle', 'Login');
} else {
define('site_title', 'Home');
define('pageTitle', 'Home');
}
?>
<!DOCTYPE>
<html>
<head>
<link href="adminstyle.css" rel="stylesheet" type="text/css" />
<title><?php echo(site_title); ?></title>
</head>
<body>
<div id="container">
<div class="containerInner">
<div id="leftInner100">
<?php // start of leftInner ?>
<div id="mainphoto"><?php //specialMessage($mysqli); mainPageImage(""); ?></div>
<div class="clear"></div><?php
if(isset($_SESSION['admin'])) {
menu();
}
if(isset($thisError)) { echo '<div class="errorDiv">',$thisError,'</div>'; }
if(isset($thisSuccess)) { echo '<div class="successDiv">',$thisSuccess,'</div>'; }
unset($thisError); unset($thisSuccess);
if(!isset($_SESSION['admin'])) { ?>
<div style="width: 100%; margin: 0em auto; text-align: center;">
<form method="POST" action="index.php" style="width: 15em; text-align: center;">
<div class="field"> E-mail Address </div>
<div class="value"> <input type="text" name="email" value="<?php if(isset($_POST['email'])) { echo $email; } ?>" style="width: 12.5em;" title="email"> </div>
<div class="field"> Password<br><span style="font-size: 0.8em;"><?php
if (isset($_POST['pass'])) { echo('<strong style="color: red;">'); } ?>(Please note: your password may be CaSe SeNSitIvE)<?php if (isset($_POST['pass'])) { echo('</strong>'); } ?></span>
</div>
<div class="value"> <input type="password" name="pass" value="" style="width: 12.5em;" title="pass"> </div>
<div><br><input type="submit" name="login" value="Login"> <input type="reset" value="Clear"><br></div>
</form><br>
<div class="clearFloat"></div>
</div>
<?php
} else { ?>logged in<?php } ?>
<br><br>
</div><?php // end of leftInner ?>
</div><?php // end of containerInner ?>
<div class="clearfix"></div>
</div><?php // container ?>
</body>
</html>
<?php
@mysqli_close($mysqli); ?>
functions.php
<?php
define('showOutput', 0);
include("/home/****/db_login_functions.php");
define('db_table_name', 'clientList');
define('mailHost', 'mail.****.com');
define('mailUsername', 'noreply@****.com');
define('mailPW', '****');
define('bounce', 'bounce@****.com');
define('fullDomain', 'https://www.admin.****.com');
define('adminFullWebAddress', 'https://www.admin.****.com');
define('adminEmail', 'admin@****.com');
define('fromEmail', 'noreply@****.com');
define('fromName', 'DO NOT REPLY');
define('REMOTEADDR', isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : '');
define('PHPSELF', $_SERVER['PHP_SELF']);
define('HTTPREFERER', isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : "not set");
define('unsub', 'https://www.****.com/unsub.php'); define('securityhash', 'abc'); // NEVER change this securityhash.
date_default_timezone_set('Europe/London');
define('datetimenow', date("Y-m-d H:i:s"));
/* check if user is allowed to access a certain page or not. */
function checkAdminStatus($mysqli) { $yesNo = "";
if(isset($_GET['action']) && $_GET['action'] == 'logout') {
unset($_SESSION['admin']);
$_SESSION['success'] = 'You have successfully logged out. (lo.1)';
header('Location: index.php'); exit;
}
if(isset($_SESSION['admin']) ) {
// need to add in code to check if logged in for more than 1 hour, if so log out on next refresh of page.
if ($_SESSION['admin']['lastAccessSinceLogin'] < date( 'Y-m-d H:i:s', strtotime("-5 minutes") )) { unset($_SESSION['admin']);
$_SESSION['error'] = 'You were logged out due to no activity, please login again to view that page. (lo.2)';
header('Location: index.php'); exit;
}
$checkBanned = db_query($mysqli, "SELECT `adminid` FROM `admins` WHERE `email` = '" . $mysqli->real_escape_string($_SESSION['admin']['email']) . "' AND `suspended` = 'Yes' LIMIT 1");
if($checkBanned->num_rows) { $yesNo = "NOACCESS"; //$_SESSION['error'] = 'You must be logged in to view that page.';
} else { $yesNo = "ACCESS"; // if logged in, update `users`.`lastAccessSinceLogin` with current datetime.
$updateLastAccessSinceLogin = db_query($mysqli, "UPDATE `admins` SET `lastAccessSinceLogin` = '" . $mysqli->real_escape_string(datetimenow) . "', `lastloginip` = '" . $mysqli->real_escape_string(REMOTEADDR) . "', `failedLoginCounter` = 0 WHERE `email` = '" . $mysqli->real_escape_string($_SESSION['admin']['email']) . "' LIMIT 1");
$_SESSION['admin']['lastAccessSinceLogin'] = datetimenow;
}
}
return $yesNo;
}
function menu() {
echo('<a href="index.php?action=logout">Log Out</a> ');
echo('
<a href="adminCreateCampaign.php">Create Campaign</a><br><br><br>');
}
?>
.htaccess (within the admin folder)
Header set Access-Control-Allow-Origin "*"
RewriteEngine On
RewriteCond %{HTTPS} off
# First rewrite to HTTPS:
# Don't put www. here. If it is already there it will be included, if not
# the subsequent rule will catch it.
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# Now, rewrite any request to the wrong domain to use www.
# [NC] is a case-insensitive match
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule .* https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
### DON'T DELETE!! Below entry is MUST for your PHP sites like wordpress,joomla and etc to work properly.
suPHP_ConfigPath /home/****/php.ini
.htaccess (within the root folder)
Header set Access-Control-Allow-Origin "*"
RewriteEngine On
RewriteCond %{HTTPS} off
# First rewrite to HTTPS:
# Don't put www. here. If it is already there it will be included, if not
# the subsequent rule will catch it.
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
# Now, rewrite any request to the wrong domain to use www.
# [NC] is a case-insensitive match
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule .* https://www.%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
### DON'T DELETE!! Below entry is MUST for your PHP sites like wordpress,joomla and etc to work properly.
suPHP_ConfigPath /home/****/php.ini
the php.ini file allow_url_fopen = on allow_irl_include = on date.timezone = Europe/London safe_mode = off upload_max_filesize = 20M post_max_size = 20M upload_tmp_dir = "/home/****/tmp" session.save_path = "/home/****/sessions" session.use_only_cookies = on error_reporting = E_ALL log_errors = On display_errors = Off track_errors = On error_log = "/home/****/errors.log" sendmail_from = "server@****.com"
i am creating a responsive website.
I'll give you an example.
I am retriving 100 items from mysql database using php. I am only showing 20 items per page using simple pagination with arrows. I keep this format on desktop and tablets. However, I would like to show less items when I am viewing the page on a smartphone. So instead of 20 items per page, it'll show 5 items per page along with the pagination arrows.
I was wondering if this is possible with PHP or would I have to use javascript?
I have a site, and there is an image with a link to another page, how can I make it so this is the only way to get to that page is by clicking on that image, and not by typing www.mywebsite.com/page.php into the address bar in a browser? Hi guys so i want to make page acces to certain ranks. So im thinking for something like this
rank1 -> home.php, admins.php So the ranks are in a database with the page names. So now when someone logs in they will get a certain rank. So now i need to make a function that will check if the rank has access to this page. $curPageName = substr($_SERVER["SCRIPT_NAME"],strrpos($_SERVER["SCRIPT_NAME"],"/")+1); This will detect the current page that the logged in person is at now. But now how do i check if the $_SESSION['rank']; (rank1) has the access to get in page admins.php, and obviously to make $_SESSION['rank'];(rank2) redirect from the page admins.php Could someone point me in the right direction? Do i select the ranks and page names from database then put it into a array? Thanks. I have an MS Access Database that resides on the server that I will be hosting the pages I'm building. In my MS Access Database I have a query called "CheckedInEquipment" that I would like to have constantly display on a PHP page. It needs to be 'fluid', so the data is always up to date on the web page. (This is all in a sandbox XAMPP environment). Has anyone done this, can you lead me to examples or push me in the right direction? Carl |
|||||||