I can't see why you simply dont do this
if ($LoginSuccessful)
{
$location = "";
}else{
$location = "../index.php";
}
header("location=$location");
If i don't have the solution, perhaps I am misunderstanding the problem
Bastien
From: "Vinny Lape" <vinny@xxxxxxxxxxxxxxxxxx>
To: <php-db@xxxxxxxxxxxxx>
Subject: RE: User authentication and redirect
Date: Fri, 15 Jul 2005 09:01:52 -0400
I think I need to explain my question better.
I have a db and the table contains 4 fields uid(pk) username password
location
I can authenticate the user / pass properly. The problem I am having is
getting the information from field location and defining it as $location so
I can do the following: (when I make $redirectLoginSuccess = "example.php"
all works fine)
<snip>
$redirectLoginSuccess = "$location";
$redirectLoginFailed = "../index.php";
</snip>
<snip>
}
header("Location: " . $redirectLoginSuccess );
}
else {
header("Location: ". $redirectLoginFailed );
</snip>
Here is where I query the db
<snip>
$LoginRS__query=sprintf("SELECT username, password FROM webauth WHERE
username='%s' AND password='%s'",
get_magic_quotes_gpc() ? $loginUsername : addslashes($loginUsername),
get_magic_quotes_gpc() ? $password : addslashes($password));
$LoginRS = mysql_query($LoginRS__query, $mysql) or die(mysql_error());
</snip>
On the landing page im using this for security:
<?php
session_start();
$MM_authorizedUsers = "";
$MM_donotCheckaccess = "true";
// *** Restrict Access To Page: Grant or deny access to this page
function isAuthorized($strUsers, $strGroups, $UserName, $UserGroup) {
// For security, start by assuming the visitor is NOT authorized.
$isValid = False;
// When a visitor has logged into this site, the Session variable
MM_Username set equal to their username.
// Therefore, we know that a user is NOT logged in if that Session
variable is blank.
if (!empty($UserName)) {
// Besides being logged in, you may restrict access to only certain
users based on an ID established when they login.
// Parse the strings into arrays.
$arrUsers = Explode(",", $strUsers);
$arrGroups = Explode(",", $strGroups);
if (in_array($UserName, $arrUsers)) {
$isValid = true;
}
// Or, you may restrict access to only certain users based on their
username.
if (in_array($UserGroup, $arrGroups)) {
$isValid = true;
}
if (($strUsers == "") && true) {
$isValid = true;
}
}
return $isValid;
}
$MM_restrictGoTo = "../index.php";
if (!((isset($_SESSION['MM_Username'])) &&
(isAuthorized("",$MM_authorizedUsers, $_SESSION['MM_Username'],
$_SESSION['MM_UserGroup'])))) {
$MM_qsChar = "?";
$MM_referrer = $_SERVER['PHP_SELF'];
if (strpos($MM_restrictGoTo, "?")) $MM_qsChar = "&";
if (isset($QUERY_STRING) && strlen($QUERY_STRING) > 0)
$MM_referrer .= "?" . $QUERY_STRING;
$MM_restrictGoTo = $MM_restrictGoTo. $MM_qsChar . "accesscheck=" .
urlencode($MM_referrer);
header("Location: ". $MM_restrictGoTo);
exit;
}
?>
-----Original Message-----
From: Ahmed Saad [mailto:myanywhere@xxxxxxxxx]
Sent: Thursday, July 14, 2005 8:34 AM
To: Vinny Lape
Cc: php-db@xxxxxxxxxxxxx
Subject: Re: User authentication and redirect
hi Vinny,
On 7/13/05, Vinny Lape <vinny@xxxxxxxxxxxxxxxxxx> wrote:
> If user validates then look at db entry location then redirect to
> mydomain.com/"location"/index.php
i don't think it's a good idea. what if the user bookmarked or took
down a notice with the URL to your "secured" page
(mydomain.com/location/index.php)? then he would just type the url
heading directly for the bypassing your login page! i think u might
want to put the user authorization code in your index php or even
better put it in a file and require() that file at the top of of any
page u want to protect. you can either use sessions or plain HTTP
authentication (which is not a very good idea).
-ahmed
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
