Hi, I have made a log in script that checks the database for username and password. I have everything working for the users (they must be logged in to access member.php). Now I have admin.php redirecting to a different page, but how do i keep users OUT of that page? Because I think the way this code is now, is if a USER logs in and somehow copies and pastes the admin page...they can access it.
here is my log in script:
<?php
session_start();
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Shots by Shell User Log In</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<link rel='stylesheet' type='text/css' href='css/style.css' />
<script type="text/javascript" src="jquery.js"></script>
<script type="text/javascript" src="validate.js"></script>
<script type='text/javascript' src='js/example.js'></script>
<script type="text/javascript">
$(document).ready(function(){
jQuery.validator.addMethod("phoneUS", function(phone_number, element) {
phone_number = phone_number.replace(/\s+/g, "");
return this.optional(element) || phone_number.length > 9 &&
phone_number.match(/^(1-?)?(\([2-9]\d{2}\)|[2-9]\d{2})-?[2-9]\d{2}-?\d{4}$/);
}, "Please specify a valid phone number");
$("#form").validate();
});
</script>
</head>
<body>
<body>
<div id="page-wrap">
<div class="login-block">
<h3>Shots by Shell User Login</h3>
<form action="" method="POST" id="form">
<table>
<tr><td style="font-size:15; color:grey;">Username: </label></td>
<td><input type="text" name="username" id="username" class="required" value="<?php echo $_POST['username'];?>"></td></tr>
<tr><td style="font-size:15; color:grey;">Password: </label></td>
<td><input type="password" name="password" id="password" class="required" value="<?php echo $_POST['password'];?>"></td></tr>
<tr><td> <input type="submit" name="submit" id="Submit" value="Login"></td></tr>
</table>
</form>
<?php
$salt = "@x2p";
$username = $_POST['username'];
$password = crypt($_POST['password'], $salt);
if (isset($_POST['submit']))
{
if (!empty($_POST['username'])&&($_POST['password']))
{
$connect = mysql_connect("localhost","xxxxx","xxxxx") or die ("Unable to connect at this time. Please try again later.");
mysql_select_db("login2", $connect) or die ("Unable to connect to the photo database at this time. Please try again later.");
$query = mysql_query("SELECT * FROM users WHERE username='$username'");
$numrows = mysql_num_rows($query);
if ($numrows!=0)
{
while ($row = mysql_fetch_assoc($query))
{
$dbusername=$row['username'];
$dbpassword=$row['password'];
$dbfirstname=$row['firstname'];
}
if ($username==$dbusername&&$password==$dbpassword)
{
if ($dbusername == "admin")
{
//THIS WORKS BUT HOW WOULD I KEEP ANY OTHER USER OUT. BECAUSE IF THEY GOT A HOLD OF THIS ADDRESS AND COPIED INTO THEIR BROWSER THEY HAVE ACCESS
header('Location: http://mysite.com/admin.php?id='.$_SESSION['firstname']=$dbfirstname);
}
else
header('Location: http://mysite.com/member.php?id='.$_SESSION['firstname']=$dbfirstname);
}
else
?><html><font color="red"><?php die("Incorrect password.");?><html></font>
<?php
}
else
?><html><font color="red"><?php die("Username does not exist.");?><html></font></html>
<?php
}
else
?><html><font color="red"><?php die("Please enter your email address and password.");?><html></font></html>
<?php
}
?>
</div>
</div>
</body>
</html>
here is admin.php:
<?php
session_start();
if ($_SESSION['firstname'])
{
echo "Welcome, ".$_SESSION['firstname']."!";?><br>
<?php
echo "<a href='logout.php'>Log Out</a>";
}
else
die("You must log in to view this page. <a href='index.php'>Click here</a> to log in.");
?>
I believe i need to add some other kind of check in the admin.php page, but I am not all that great with php and spent a long time on all of this. A little help would be greatly appreciated!
Thanks!