Hi,
I need some help with my html/php, restricted access script.
The purpose with this script is to let users login to a members area; some with admin permission, some with newbe permission and some with advanced permissions. The permissions are pre-defined in the MySQL-DB with a use_level-field in the user-table.
The different user-groups should have access to the following content:
admin - permissions to everything (for now the same as advanced)
advanced - lecture 1 and lecture 2
newbe - only lecture 1
The problem with this script is that it does not redirect the different user groups to their repective index-pages, please help me to detect why!
<?php
include('config.php');
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd";>
<html xmlns="http://www.w3.org/1999/xhtml";>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<link href="<?php echo $design; ?>/style.css" rel="stylesheet" title="Style" />
<title>Connexion</title>
</head>
<body>
<div class="header">
<a href="<?php echo $url_home; ?>"><img src="<?php echo $design; ?>/images/logo.png" alt="Members Area" /></a>
</div>
<?php
//If the user is logged, we log him out
if(isset($_SESSION['username']))
{
//We log him out by deleting the username and userid sessions
unset($_SESSION['username'], $_SESSION['userid']);
?>
<div class="message">You have successfuly been loged out.<br />
<a href="<?php echo $url_home; ?>">Home</a></div>
<?php
}
else
{
$ousername = '';
//We check if the form has been sent
if(isset($_POST['username'], $_POST['password']))
{
//We remove slashes depending on the configuration
if(get_magic_quotes_gpc())
{
$ousername = stripslashes($_POST['username']);
$username = mysql_real_escape_string(stripslashes($_POST['username']));
$password = stripslashes($_POST['password']);
}
else
{
$username = mysql_real_escape_string($_POST['username']);
$password = $_POST['password'];
}
//We get the password of the user
$req = mysql_query('select password,id,usr_level from users where username="'.$username.'"');
$dn = mysql_fetch_array($req);
//Get user level of the user
$usr_level = $req['usr_level'];
//We compare the submited password and the real one, and we check if the user exists
if($dn['password']==$password and mysql_num_rows($req)>0)
{
//If the password is good, we dont show the form
$form = false;
//We save the user name in the session username and the user Id in the session userid
$_SESSION['username'] = $_POST['username'];
$_SESSION['userid'] = $dn['id'];
if($usr_level == 1)
{
?>
<div class="message">You have successfuly been logged in. You can now access the admin area.<br />
<a href="index2.php">Home</a></div>
<?php
}
if($usr_level == 10)
{
?>
<div class="message">You have successfuly been logged in. You can now access to the newbe area.<br />
<a href="index1.php">Home</a></div>
<?php
}
if($usr_level == 11)
{
?>
<div class="message">You have successfuly been logged in. You can now access the advanced area.<br />
<a href="index2.php">Home</a></div>
<?php
}
}
else
{
//Otherwise, we say the password is incorrect.
$form = true;
$message = 'The username or password is incorrect.';
}
}
else
{
$form = true;
}
if($form)
{
//We display a message if necessary
if(isset($message))
{
echo '<div class="message">'.$message.'</div>';
}
//We display the form
?>
<div class="content">
<form action="connexion.php" method="post">
Please type your IDs to log in:<br />
<div class="center">
<label for="username">Username</label><input type="text" name="username" id="username" value="<?php echo htmlentities($ousername, ENT_QUOTES, 'UTF-8'); ?>" /><br />
<label for="password">Password</label><input type="password" name="password" id="password" /><br />
<input type="submit" value="Log in" />
</div>
</form>
</div>
<?php
}
}
?>
<div class="foot"><a href="<?php echo $url_home; ?>">Go Home</a></div>
</body>
</html>
