Session Management for Page Access

SalientAnimal
New php-forum User
Posts: 1
Joined: Wed Jan 09, 2019 11:22 pm

Wed Jan 09, 2019 11:49 pm

Hi All,

:help: :help: :help: :help: :help:

I have developed a small site which has a login and registration system.
Some general information about the site:
Some pages are visible only to registered members.
Some pages with access control are limited to users with high privileges.

The issue I am having is with one of my pages that has privileged access. The normal privilege check works as expected, but I need to add another check to this specific page based on the status of another table. The status of the second table can be either 0, 1, 2... 9.

As a user with access rights of 2+ you are able to view the page. However, I need this to then also check another status table. If your status in the other status table is 0, you must be able to view the page; however, if your status is 1, you need to get a message to say that you have already submitted your information and no longer have access to this page. I hope my explanation is not too confusing.

Here is what I currently have:

Code:

<?php
/* Displays user information and some useful messages */
ini_set('display_errors',1); error_reporting(E_ALL | E_STRICT);

session_start();

/* FIRST CRITERIA CHECK - CHECK IF THE USER IS LOGGED IN OR NOT */
if ($_SESSION['logged_in'] != 1 ) {
  $_SESSION['message'] = "Please Login / Register to view the Bulk Lug Content!";
  header("location: error.php");    
}

/* SECOND CRITERIA CHECK - IF FIRST SESSION CHECK IS VALID, DO A SECOND CHECK TO ENSURE THE ACCOUNT HAS BEEN ACTIVATED, AND ONLY ALLOW ACCESS TO ACTIVATED ACCOUNTS */
else
if ($_SESSION['active'] < 1 ) {
  $_SESSION['message'] = "Your account has not yet been activated!";
  header("location: error.php"); 
}
/* THIRD CRITERIA CHECK - CHECK THE USER PRIVILEGE / ACCESS LEVEL, AND ONLY ALLOW ACCESS TO USERS WITH AN ACCESS LEVEL OF 2+  */
else
if ( $_SESSION['active'] < 2 ) {
  $_SESSION['message'] = "You do not have sufficient privileges to view this page!";
  header("location: error.php");   
}

/* FOURTH CRITERIA CHECK - NEED TO VALIDATE THAT USER HAS NOT ALREADY COMPLETED THE SURVEY, IF THEY HAVE COMPLETED THE SURVEY, ACCESS MUST BE DENIED. THIS IS DETERMINED BY THE SURVEY STATUS TABLE AND WILL NOT FORM PART OF THE SESSION INFO.  */

/* FIFTH CRITERIA CHECK - IF ALL ACCESS CRITERIA HAVE BEEN MET, ALLOW THE USER TO VIEW THE PAGE.  */
else {
    // Makes it easier to read
    $fname = $_SESSION['fname'];
    $lname = $_SESSION['lname'];
    $email = $_SESSION['email'];
    $active = $_SESSION['active'];
    $rand = rand(00001, 5000);    
}
?>
I need help adding the fourth criterion, as my attempts have failed. This is basically what I have tried for the fourth criterion, but when I add it, the page fails to load and I just get a white screen:

Code:

$result = $conn->query("SELECT * FROM survey_status WHERE email='$email' AND status = 1 ");

else
if ( $result->num_rows > 0 ){ // CHECKING THAT THE USER HAS NOT YET COMPLETED THE SURVEY
    $_SESSION['message'] = "We are sorry, but you have already completed this survey and you no longer have access to this page!";
   header("location: lugerror.php");
I would appreciate your help. Thanking you in advance.

hyper
php-forum Fan User
Posts: 829
Joined: Mon Feb 22, 2016 5:52 pm

Thu Jan 10, 2019 8:17 am

You've made a good effort, so don't take this the wrong way:

You have a mis-match of brackets { }.

Your if - elses are messy, and the elses are not needed since the script re-directs on failure.

You should exit the script if you are changing the header.

Code:

if ($_SESSION['logged_in'] != 1 ) {
  $_SESSION['message'] = "Please Login / Register to view the Bulk Lug Content!";
  header("location: error.php"); 
  exit;
}

Code:

if (incorrect){
  exit;
}
and not

Code:

if (incorrect){
  exit;
} else {
  if (incorrect){
    exit;
  } else {
    if (incorrect){
    .......

This:

Code:

$result = $conn->query("SELECT * FROM survey_status WHERE email='$email' AND status = 1 ");

else
if ( $result->num_rows > 0 ){ // CHECKING THAT THE USER HAS NOT YET COMPLETED THE SURVEY
    $_SESSION['message'] = "We are sorry, but you have already completed this survey and you no longer have access to this page!";
   header("location: lugerror.php");
Doesn't look good; you should not be executing a query directly where user input is concerned.

The else following the query is wrong, as the else should execute directly after an if block.
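To make the three points above concrete, here is an added example of the whole gate rewritten as a single guard function. It is not code from either poster: every failed check redirects and exits (so no else chain is needed), and the survey_status lookup uses a prepared statement instead of interpolating the email into the SQL string. It assumes the privilege level is kept in a hypothetical $_SESSION['access_level'] key (the original tested $_SESSION['active'] for both activation and privilege), that $conn is a mysqli connection, that survey_status has columns email and status, and that a missing row is treated like status 0.

```php
<?php
// Added example, not the original poster's or hyper's code.
// Assumptions: $_SESSION['access_level'] holds the privilege level (hypothetical key),
// $conn is a mysqli connection, survey_status has columns (email, status),
// and "no row" means the survey has not been submitted (same as status 0).

declare(strict_types=1);

session_start();

// Store the message, redirect, and stop. Nothing after header() may run,
// otherwise the protected page body is still sent to the client.
function deny(string $message, string $target = 'error.php'): void
{
    $_SESSION['message'] = $message;
    header('Location: ' . $target);
    exit;
}

function requireSurveyAccess(mysqli $conn, int $requiredLevel = 2): void
{
    // 1. Logged in?
    if ((int) ($_SESSION['logged_in'] ?? 0) !== 1) {
        deny('Please Login / Register to view the Bulk Lug Content!');
    }

    // 2. Account activated?
    if ((int) ($_SESSION['active'] ?? 0) < 1) {
        deny('Your account has not yet been activated!');
    }

    // 3. Sufficient privilege level? (hypothetical session key, see above)
    if ((int) ($_SESSION['access_level'] ?? 0) < $requiredLevel) {
        deny('You do not have sufficient privileges to view this page!');
    }

    // 4. Survey not already submitted? The email is bound as a parameter,
    //    so it is never part of the SQL text.
    $stmt = $conn->prepare('SELECT status FROM survey_status WHERE email = ? LIMIT 1');
    if ($stmt === false) {
        // Fail closed: if the status cannot be verified, do not show the page.
        deny('Unable to verify survey status, please try again later.');
    }
    $email = (string) ($_SESSION['email'] ?? '');
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    if ($row !== null && (int) $row['status'] === 1) {
        deny('We are sorry, but you have already completed this survey and you no longer have access to this page!', 'lugerror.php');
    }
    // Status 0 (or no row): fall through and let the page render.
}

// Placeholder credentials; replace with the real connection setup.
$conn = new mysqli('localhost', 'dbuser', 'dbpass', 'dbname');
requireSurveyAccess($conn);

// 5. All criteria met: the page body follows.
$fname = $_SESSION['fname'];
$lname = $_SESSION['lname'];
$email = $_SESSION['email'];
?>
```

Because each check exits on failure, the checks read top to bottom with no nesting, which is also why the bracket mismatch in the original cannot recur here. Keeping the guard in one file and including it at the top of every privileged page with require_once means the survey rule lives in one place instead of being copied per page.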
