
Author Topic: how to restrict access to admin pages  (Read 878 times)

Offline vinpkl

  • New PHP Members
  • Posts: 2
  • Karma: +0/-0
how to restrict access to admin pages
« on: October 26, 2008, 03:50:38 AM »
Hi,

I am working on an admin section which has a login page with a login ID and password form.

In my admin section I have many pages, like manage_products.php, description.php, control_panel.php etc.

If the user has to access the manage_products.php page, then he can access it just by typing the link below

http://localhost/vineet/admin/manage_products.php

without entering the login user and password.

I want to restrict access to this page to the admin panel only. The user should be able to access the page only if he is logged in.

vineet

icestormz

  • Guest
Re: how to restrict access to admin pages
« Reply #1 on: October 26, 2008, 01:58:16 PM »
Well, this is done by setting up sessions. In the pages you want protected, put this line of code at the start of the file. Make sure it is before any HTML coding or else you will come up with a header error.

Code: [Select]
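<?php
session_start();
// Note: session_is_registered() was removed in PHP 5.4; newer code checks isset($_SESSION['myusername']).
if (!session_is_registered("myusername")) {
    header("Location: failed.php");
    exit; // stop here so the rest of the protected page is not executed
}
?>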

Now, to register this session, place this in your login page where they would enter their username and password. Remember, my code might not be the best because I do not have access to your files and code, so if this does not work, read up on PHP sessions.

Code: [Select]
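<?php
if($count==1){
    // Register the session variables, then redirect
    session_register("myusername");
    session_register("mypassword");
    header("location:admin.php");
    exit; // stop the script once the redirect header is set
}
else {
    echo "Wrong Username or Password";
}

ob_end_flush();
?>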


Offline vinpkl

  • New PHP Members
  • Posts: 2
  • Karma: +0/-0
Re: how to restrict access to admin pages
« Reply #2 on: October 26, 2008, 07:02:13 PM »
Hi,

Thanks for the reply. I would like to clear something up.

In this code, which I would insert in add_banner.php

Code: [Select]
if(!session_is_registered(user_name))
{
header("Location:index.php");
}

What is user_name?
Actually it's in the admin_table where user_name is entered.
If it's in admin_table, then how will this check against the admin table when we have not given its reference in add_banner.php?

This is my config file that is included in all pages
Code: [Select]
$conn=mysql_connect("localhost","root","") or die(mysql_error());
mysql_select_db("gadgets",$conn);

session_start();

This is code inserted in admin login page
Code: [Select]
if($count==1){
session_register("user_name");
session_register("password");
header("location:control_panel.php");
}
else {
echo "Wrong Username or Password";
}

ob_end_flush();

This code does not allow me to redirect to control_panel.php after logging in with the correct user ID and password.
If I remove this code then it redirects me.

I am doing something wrong

vineet
« Last Edit: October 26, 2008, 07:09:41 PM by vinpkl »

icestormz

  • Guest
Re: how to restrict access to admin pages
« Reply #3 on: October 27, 2008, 04:44:43 AM »
Here is how I have my files set up

index.php ( contains the login form )

Code: [Select]
<table width="980" border="0" align="center" cellpadding="0" cellspacing="0">
  <tr>
    <td id="header"></td>
  </tr>

</table>
<table width="980" border="0" align="center" cellpadding="0" cellspacing="0">
  <tr>
    <td id="bar" style="padding-left:10px;">&nbsp;</td>

  </tr>
</table>
<table width="300" border="0" align="center" cellpadding="0" cellspacing="1" bgcolor="#CCCCCC">
<tr>
<form name="form1" method="post" action="login.php">
<td>
<table width="100%" border="0" cellpadding="3" cellspacing="1" bgcolor="#000000">
<tr>
<td colspan="3"><strong>Member Login </strong></td>
</tr>
<tr>
<td width="78">Username</td>
<td width="6">:</td>
<td width="294"><input name="myusername" type="text" id="myusername"></td>
</tr>
<tr>
<td>Password</td>
<td>:</td>
<td><input name="mypassword" type="password" id="mypassword"></td>
</tr>
<tr>
<td>&nbsp;</td>
<td>&nbsp;</td>
<td><input type="submit" name="Submit" value="Login"></td>
</tr>
</table>
</td>
</form>
</tr>
</table>
<table width="980" border="0" align="center" cellpadding="0" cellspacing="0" bgcolor="#000000">
  <tr>
    <td height="34" align="center"><a href="policy.html">Warning</a> | <a href="ourescort.html">See our Girls</a> | <a href="contact.html">Phone</a> | <a href="rates.html">Rates </a></td>

  </tr>
  <tr>
    <td height="66" align="center" class="f3">&copy;All Rights Reserved </td>
  </tr>
</table>

login.php ( contains the session and mysql code )

Code: [Select]
<?php
ob_start(); // start output buffering; matched by ob_end_flush() at the end

$host="localhost"; // Host name
$username="root"; // Mysql username
$password=""; // Mysql password
$db_name="model"; // Database name
$tbl_name="members"; // Table name

// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

// Define $myusername and $mypassword
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];

// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);

$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row

if($count==1){
    // Register $myusername, $mypassword and redirect to file "admin.php"
    session_register("myusername");
    session_register("mypassword");
    header("location:admin.php");
    exit; // stop the script once the redirect header is set
}
else {
    echo "Wrong Username or Password";
}

ob_end_flush();
?>

And whichever page I want to protect with a session, I just put this code on line 1 before any HTML. Basically, what this code does is check to see if the session is registered or not, and if not it sends them back to index.php (where the login form is).

Code: [Select]
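<?php
session_start();
// Note: session_is_registered() was removed in PHP 5.4; newer code checks isset($_SESSION['myusername']).
if (!session_is_registered("myusername")) {
    header("Location: index.php");
    exit; // stop here so the rest of the protected page is not executed
}
?>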

And if needed, here is my MySQL code

Code: [Select]
--
-- Table structure for table `members`
--

CREATE TABLE `members` (
  `id` int(4) NOT NULL auto_increment,
  `username` varchar(65) NOT NULL default '',
  `password` varchar(65) NOT NULL default '',
  PRIMARY KEY  (`id`)
) ENGINE=MyISAM  DEFAULT CHARSET=latin1 AUTO_INCREMENT=2 ;

--
-- Dumping data for table `members`
--

INSERT INTO `members` (`id`, `username`, `password`) VALUES
(1, 'admin', 'model');
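
The login-and-guard pattern from this thread, rewritten for current PHP as an added example that is not part of any poster's code: `$_SESSION` replaces `session_register()` and `session_is_registered()` (both removed in PHP 5.4), the lookup uses a bound parameter, and the stored password is a hash. The function names, the `password_hash` column and the in-memory SQLite table (a stand-in for the MySQL `members` table, needs the pdo_sqlite extension) are assumptions.

```php
<?php
// Added example, not code from the thread. Function names and the in-memory
// SQLite table (a stand-in for the MySQL `members` table) are assumptions.

function make_demo_db(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
    // Constructed sample row: a hash is stored, never the plain password.
    $pdo->prepare('INSERT INTO members (username, password_hash) VALUES (?, ?)')
        ->execute(['admin', password_hash('constructed-sample-pw', PASSWORD_DEFAULT)]);
    return $pdo;
}

// Login page: bound parameter for the lookup, password_verify() for the check.
function login(PDO $pdo, string $user, string $pass): bool {
    $stmt = $pdo->prepare('SELECT password_hash FROM members WHERE username = ?');
    $stmt->execute([$user]);
    $hash = $stmt->fetchColumn();
    if (!is_string($hash) || !password_verify($pass, $hash)) {
        return false;
    }
    session_regenerate_id(true);     // new session id after login
    $_SESSION['user_name'] = $user;  // keep the password out of the session
    return true;
}

function is_logged_in(): bool {
    return isset($_SESSION['user_name']);
}

// Guard: call at the top of every admin page, before any output.
function require_login(): void {
    if (!is_logged_in()) {
        header('Location: index.php');
        exit; // without exit the rest of the protected page still runs
    }
}

// Constructed demo run (CLI): results are collected first, printed last.
session_start();
$pdo = make_demo_db();
$results = [
    'before login'     => is_logged_in(),
    'wrong password'   => login($pdo, 'admin', 'guess'),
    'correct password' => login($pdo, 'admin', 'constructed-sample-pw'),
    'after login'      => is_logged_in(),
];
var_dump($results);
```

In a real admin area the functions would live in the shared config include, and each page such as manage_products.php would call `session_start()` and `require_login()` before producing any output.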