[Sayid Ahmed]

Hello,

It's been years since I've done any simple PHP so forgive me for forgetting. I'm trying to create a function page called 'security.php' which restricts access to pages if no user is logged in.

I've added the following code at the begginning of all pages i want restricted:

require_once('security.php'); // restrict access to logged users

And for security.php I attempted the following code but it doesn't work. I tried to make it fetch information from the rows corresponding to the username logged in, if the amount of information = 0 then there must be no user logged in and the pageviewer is redirected to the login page. It gives me an error as you'll notice it's sending out headers too early. I also get the feeling I've over complicated it:

<?php
require_once('global.php'); // session start
require_once('conn.php'); // db connection

$username = $_SESSION['username'];
$username = mysql_real_escape_string($username);
$match = mysql_query("SELECT Username FROM tblusers WHERE username = '$username'")or die(mysql_error());
$row = mysql_fetch_array($match); 
$security = count($row);

if ($security == 0 ) {
header("Location: login.php");
}else{
}
?> 

Is there a simpler way of restricting access?

Thank you

This post has been edited by Sayid Ahmed: 09 September 2010 - 10:19 AM

[KuroTsuto]

I haven't taken too in-depth of a look at your code, yet, but right off hand, one thing that you should note is that MySQL column names are case-sensitive by default, so this

$match = mysql_query("SELECT Username FROM tblusers WHERE username = '$username'")or die(mysql_error());

may well be returning empty sets as you are attempting to SELECT the Username column from a table where the username column = whatever. Not quite sure if that's your problem, but it's worth a shot .

EDIT:

On another thought, there is indeed a simpler way. Simply check to see if $_Session['username'] is set on your restricted pages, and if not, boot them back to login. The only time you should need to interact with the database is when a user logs in. After that, the session data should be set, so you should be able to simply check if the session data exists, yeah?

Cheers, and Good Luck!
~KuroTsuto

This post has been edited by KuroTsuto: 09 September 2010 - 10:38 AM

[Sayid Ahmed]

KuroTsuto, on 09 September 2010 - 05:35 PM, said:

On another thought, there is indeed a simpler way. Simply check to see if $_Session['username'] is set on your restricted pages, and if not, boot them back to login. The only time you should need to interact with the database is when a user logs in. After that, the session data should be set, so you should be able to simply check if the session data exists, yeah?

Cheers, and Good Luck!
~KuroTsuto

Yes that's exactly what I need, it's just I forgot how to check if the session data exists or not. I thought I'd take a more long-winded method but it doesn't work.

[RPGonzo]

instead of doing the fetch_array just execute the query than run $security = mysql_num_rows($match);

as far as simpler, you could always just set a session variable in the session array on login to say that the user is logged in

// in the login code
$_SESSION['is_logged_in'] = true;

// than check it later
if ($_SESSION['is_logged_in'] != true) {
   // they are not valid remove them
}

// they are good keep computing

[Sayid Ahmed]

OK I've made security.php the following:

<?php
require_once('global.php'); // session start
if ($_SESSION['is_logged_in'] != true) {
header("Location: login.php");
}
?> 

But my login page gives me after i log in "Warning: Cannot modify header information - headers already sent....."

EDIT: oh i realised i had placed a requirement for security.php on the login function page. sorted it out and now it works

This post has been edited by Sayid Ahmed: 09 September 2010 - 10:57 AM

[KuroTsuto]

Sayid Ahmed, on 09 September 2010 - 09:52 AM, said:

EDIT: oh i realised i had placed a requirement for security.php on the login function page. sorted it out and now it works

Solid, my man! Glad to hear it
~KuroTsuto