Stop users from reaching the admin area by changing the URL

I'm new to PHP. I have created a system where the user types are user and admin. I log in as a user in the system and the URL is localhost/View/user.php.

When I change the URL from localhost/View/user.php to localhost/Admin/admin.php, the user automatically has an admin interface.

My question is - how can I stop the user from being able to change the URL to /admin.php and accessing the admin interface?

I have the proper solution. Suppose your admin's user id is 'admin' and your other users have other user ids. Then use $_SESSION['login_user'] at login. In the admin page you want to protect from users, you should put a condition like this:

<?php
session_start();

// $conn is an existing mysqli connection; the removed mysql_* functions are replaced
// by a prepared statement so the session value is never concatenated into the SQL.
$login_user = isset($_SESSION['login_user']) ? $_SESSION['login_user'] : '';

$stmt = $conn->prepare("SELECT username FROM adminlogin WHERE username = ?");
$stmt->bind_param("s", $login_user);
$stmt->execute();
$result_value = $stmt->get_result()->fetch_assoc();

// Do not echo anything before header(): output sent first makes the redirect fail.
if (!$result_value || $result_value['username'] != "admin")
{
    header("Location: index.php");
    exit; // stop here, otherwise the rest of the admin page is still sent
}

Now it will check for user id = admin; if it matches it allows access, otherwise it redirects the page to index.php, which is our login page. If you cannot understand, you can reply. Thank you

Here are some examples:
http://php.net/manual/en/features.http-auth.php

But just know that this is not something you should use for a real website, unless you know all the security issues and how to solve them.

But for learning something about PHP and playing around, this could be a place to start :)

Well, you can't force a user not to modify the URL in his browser.

What I think you are looking for is some kind of user roles. Since you already have a login system, I assume you store the username and password somewhere (mostly a database). What you can do now is add an additional field "roles" and write in "user", "admin" or something similar to differentiate users. At your admin page you could then check whether the user has the role "admin"; if not, you can redirect the user to some other page (e.g. index) or just print out "Access denied".

(There are also a lot of tutorials about login systems and user roles for PHP out there. I would recommend taking a look at those as well.)

A simple answer is that you should store the fact that the user has logged in via $_SESSION (such as $_SESSION['user_id'] = [something from the database]) and that can be tested later (such as isset($_SESSION['user_id']), followed up by looking that user up again in the database to make sure they do actually have admin rights). If they don't, you can simply redirect them back to the login page via header('Location: http://wherever.com/login.php') or what-not. This isn't foolproof security, but it's a start.

If the session isn't automatically initialized (unlikely but possible depending on server configurations), you can start it at the beginning of each of your scripts with session_start().

To be more specific, let's say that you have a script called user.php that takes in user login information. In that you might have something that looks like this...

<?php
session_start();

$login = isset($_POST['login']) ? trim($_POST['login']) : '';
$pass  = isset($_POST['pass'])  ? $_POST['pass'] : '';

if ($login !== '' && $pass !== '') {
    // Look the user up by login name; $pdo is an existing PDO connection (assumed here)
    $stmt = $pdo->prepare('SELECT user_id, password_hash FROM users WHERE login = ?');
    $stmt->execute([$login]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);

    // Compare the submitted password against the stored hash
    if ($user && password_verify($pass, $user['password_hash'])) {
        session_regenerate_id(true);   // fresh session id once the user is authenticated
        $_SESSION['user_id'] = $user['user_id'];
        header('Location: http://wherever.com/admin.php');
        exit;                          // nothing after the redirect must be sent
    } else {
        // say "invalid login"
    }
} else {
    // handle missing input
}
?>

And admin.php might look like...

<?php
session_start();

$user_id = isset($_SESSION['user_id']) ? $_SESSION['user_id'] : null;
$user = null;

if ($user_id) {
    // look up the user from the database based on their id ($pdo assumed, as above)
    $stmt = $pdo->prepare('SELECT user_id, is_admin FROM users WHERE user_id = ?');
    $stmt->execute([$user_id]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);

    // discard the user if they do not have credentials to be an admin
    if (!$user || !$user['is_admin']) {
        $user = null;
    }
}

if (!$user) {
    header('Location: http://wherever.com/user.php');
    exit; // stop before any admin content is rendered
}
// else do admin stuff
?>

Simply add a flag for the user and check whether the flag is set or not; if not, then throw the user to an error page. Example: for admin, $flag_admin=1; store this in the session and check whether the flag is set; if so, allow him to access the admin screen, else show the error page.

One possible solution to the problem is to check for admin permissions when the user navigates to the admin.php. If the user has adequate permissions, then the admin interface is visible. If the user does not have admin permissions, then they should be redirected back to user.php.

However, the better option would be to have a single login page - login.php. After logging in, the user permissions are checked, and the admin interface is made visible if applicable.
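The answers above all reduce to the same check on the admin page: is someone logged in, and does the database say that person has the admin role? The following is an added example (not code from any of the answers) of that check as a reusable gate. It assumes a PDO connection in $pdo and a hypothetical users table with columns user_id, username and role; the decision is kept in its own function so it can be exercised without a web server.

```php
<?php
// Added example: one gate to include at the top of every page under /Admin.
// Assumed schema: users(user_id, username, role) with role = 'user' or 'admin'.

// Decide, without side effects, whether the current session may see a page
// that needs $requiredRole. Returns 'login', 'denied' or 'ok'.
function access_decision(PDO $pdo, array $session, string $requiredRole): string
{
    if (empty($session['user_id'])) {
        return 'login';      // nobody is logged in
    }

    // Re-read the role from the database on every request rather than trusting a
    // value cached in the session, so a demoted account loses access immediately.
    $stmt = $pdo->prepare('SELECT role FROM users WHERE user_id = ?');
    $stmt->execute([$session['user_id']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || $row['role'] !== $requiredRole) {
        return 'denied';     // unknown user, or logged in without the needed role
    }
    return 'ok';
}

// Enforce the decision: redirect or block, and stop the script so that the
// admin HTML below the gate is never sent. Call this before any output.
function require_role(PDO $pdo, string $requiredRole, string $loginUrl = '/View/login.php'): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    switch (access_decision($pdo, $_SESSION, $requiredRole)) {
        case 'login':
            header('Location: ' . $loginUrl, true, 302);
            exit;            // without exit, header() alone does not stop the page
        case 'denied':
            http_response_code(403);
            echo 'Access denied';
            exit;
    }
    // 'ok': fall through and let the page render
}

// Offline walk-through with an in-memory SQLite database and constructed users.
if (PHP_SAPI === 'cli') {
    $pdo = new PDO('sqlite::memory:');
    $pdo->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY, username TEXT, role TEXT)');
    $pdo->exec("INSERT INTO users VALUES (1, 'alice', 'admin'), (2, 'bob', 'user')");

    // Three sessions: nobody logged in, a plain user, and the admin.
    foreach ([[], ['user_id' => 2], ['user_id' => 1]] as $session) {
        echo json_encode($session), ' => ', access_decision($pdo, $session, 'admin'), PHP_EOL;
    }
}
```

In Admin/admin.php the first lines would be `require __DIR__ . '/../require_role.php'; require_role($pdo, 'admin');` before any HTML. Keeping the decision separate from the redirect is what makes the gate testable; the three sessions in the CLI block cover the not-logged-in, wrong-role and admin cases, and the lookup uses a bound parameter rather than string concatenation so the session value never becomes part of the SQL.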