Need help and advice on a restricted section for a website i have designed

You may find this useful, especially about setting up a test environment. Using a Content Management System would provide you with restricted areas, user logons and a lot of other stuff right out of the box. There are many open source (free) systems available. You'll probably save a lot of time by doing that rather than building your own. If you ask which one is best, you will probably get a lot of answers from those who are fans of one system or the other. I don't use it myself but WordPress is one of the more popular systems and relatively easy to use.

If you are already too far into this project to go that way, then you may be able to find some code that will provide most of what you need for the login part.

With respect to setting up a system on a server, it is mostly a matter of uploading the programs / scripts to the server directory (usually the www or htdocs directory). If you are using MySQL, then you would have to set up the database (probably using PHPMyAdmin: a utility that is available most everywhere) and you would probably have some config info that would be different on the server (vs your test env).

None of this is overly difficult but for someone new there will probably be a lot of things that are relatively new to you so it may take some time and it will need some research and reading of documentation. Building it yourself rather than using a CMS ups the ante.

I suggest using something like Wordpress, Joomla or Drupal (Blog/CMS as mentioned by chris).

If you have a 'client', you need to be sure that your work is up to the task and secure.

If you are determined to do it yourself, you have a number of options, the two most popular being:

session-based login and http authentication

The first is probably the usual way most of us go about it, but the second is v.v. simple. However, it is ugly and I don't know of a way to 'prettify' it and there's also no way I know of to logout unless you close the tab.

Thank you for the replies so far, I am have now set up an environment and now am interested in finding out how to code this task in php and mysql as using CMS etc are not an option

Hi chris_j_haines,

If you want to code this yourself, for the very basics you need 3 things.

1) A database to hold your user data in. This could be as simple as a single authorised username and password, or you could have multiple users.

2) An HTML form that accepts a username and password and checks it against the authorised details stored in the database. If a match is found, a $_SESSION variable is set. Read about sessions.

3) Every restricted page should open the session and check if your session variable is set, if not it redirects the user back to the login page.

You would also need to look into various types of security, including form validation, escaping data for the database, prevention from SQL injection, the list is endless. It all depends how paranoid you are.

Hope this helps.
Zagga

Thanks for that Zagga, I have got fairly good idea of about how sessions work and i have built a site where you could register. what I do need is a site where there are different access levels for the different users:

1) An overall administrator who :- they will need to be able to add users, upload files to the shared area and change the password for the admin and users.

2) Users will be provided with a username and password and they will only be able to download files not upload.

This can be achieved by setting a user level session variable (again stored in the database). Before the 'add user' button is displayed on a page, check if the user level is high enough. As a precaution, do a second check on the user level before any 'add user' code is run.

Zagga can you suggest any websites which can demonstrate the coding? Also one thing I am worried about is that when I give this to my client how do they set it up on their webserver? I have never uploaded php/mysl to a live webserver?

Hi again.

To move your website is very simple. You just FTP your php files to their new home, remembering to keep the same directory structure (images in images folder etc).
To move the database, if you have PHPmyadmin on the new host you can just export the database structure and import it in its new home (remembering to create a new database user etc). If no PHPmyadmin (or similar) is available, you can create a php page to create the database table for you but this is a bit more complicated. Yay for PHPmyadmin :)

As far as the code for the sessions goes:
On the login page, once a user has successfully logged in, you create the session variables with $_SESSION["UserLevel"] = $user_level (with $user_level having already been collected from the database).

Place this code at the very top of all restricted pages (including the login page).

session_start();
if (!isset($_SESSION['UserLevel'])){
     header("location:login.php");
     exit();
}

This will check that a session variable has been set.

Anywhere in any page that you need to check a user level (2 or above in this case), use if (isset($_SESSION['UserLevel'] && $_SESSION['UserLevel'] >= 2)){ Do stuff } If you want specific help with your actual code let me know and I'll go into more detail.

Hi Zagga
If you could go into details of the code that would be appreciated as it is a long time since I have used PHP...

Hi again Chris,

When you say you are creating a "restricted access" area of your site, do you mean there are going to be whole pages that only certain people can access, or are there going to be certain features on a regular page that should be restricted?
What have you got already?

It may be worth taking this to PM's so we can discuss your actual site rather than just the general concept.

Hi Zagga I have sent you a PM with details of the brief