When a user uses the project management application, they have to log in before they are given access. Access is granted if the user's credentials are found in the database. The code for this verification step looks something like this:

```php
<?php
include "dbcon.php";      // database connection (legacy mysql_* extension, removed in PHP 7)
include "functions.php";  // helper functions such as checkformat()

//initialise variables
$err="";
$errmsg=false;

//is form submitted?
if(isset($_POST['submit'])){
    //check that the form values are not empty, if so, set errormsg value
    if(empty($_POST['uname'])){
        $errmsg="The username field is empty, please enter a username<br>";
        $err=true;
    }
    if(empty($_POST['upass'])){
        $err=true;
        $errmsg .="The password field is empty, please enter password<br>";
    }
    //check that the username is in correct format
    if(!checkformat($_POST['uname'])){
        $err=true;
        $errmsg .="The username that you entered has a incorrect format.<br>";
    }
    //if there is no errors above, then clean the form values before using in query.
    if(!$err){
        //escape quotes so they cannot break out of the string literals in the query
        $cleanuname = mysql_escape_string($_POST['uname']);
        $cleanupass = mysql_escape_string($_POST['upass']);
        //password is compared in clear text directly in SQL
        $checkuser = "SELECT * from users WHERE uname = '".$cleanuname."' AND upass = '".$cleanupass."'";
        $checkuser_res = mysql_query($checkuser);
        $checkuser_num = mysql_num_rows($checkuser_res);
        if($checkuser_num > 0){
            //if user exists and passes authentication
            //setup session variables and redirect to index page
            //(session_start() must already have run for $_SESSION to persist)
            $row = mysql_fetch_assoc($checkuser_res);
            $_SESSION['name'] = $row['name']." ".$row['sname'];
            $_SESSION['uid'] = $row['uid'];
            $_SESSION['level'] = $row['level'];
            //redirect
            header("location:main.php");
        }else{
            //if values do not match set errmsg (note the raw mysql_error() text appended)
            $err=true;
            $errmsg .="The username or password you entered does not match.<br> MYSQL ERROR ".mysql_error();
        }//else
    }//end $err check
} //end form submit check
?>
```

This is verification stage one.
The important part of this code is the block below, where the authentication process has successfully verified the user:

```php
if($checkuser_num > 0){
    //if user exists and passes authentication
    //setup session variables and redirect to index page
    $row = mysql_fetch_assoc($checkuser_res);
    $_SESSION['name'] = $row['name']." ".$row['sname'];
    $_SESSION['uid'] = $row['uid'];
    $_SESSION['level'] = $row['level'];
    //redirect
    header("location:main.php");
```

It is at this point that the user's details are copied from the database row into session variables, in particular:

```php
$_SESSION['level'] = $row['level'];
```

These session variables are what the secondary admin login script uses to decide whether a user may access the admin section:

```php
<?php
ob_start();
session_start();
if(isset($_SESSION['level'])){
    $level = $_SESSION['level'];
    //if the access level is admin, then grant access to user
    if($level == "admin"){
        header("location:index.php");
```

As the snippet shows, the access level is read from $_SESSION['level'] into a local variable, $level:

```php
$level = $_SESSION['level'];
```

That local variable is then compared, using PHP's loose == operator, against the string "admin":

```php
if($level == "admin"){
```

If $level contains admin, the user is sent on to the admin section. Otherwise the user is redirected to the main login page:

```php
    }else{//level does not contain admin, redirect user to login page
        header("location:../login.php");
    }
```

If the session variable is not set at all, the user is trying to reach the page without having passed through the login checks, and the script simply redirects them to the main login page:

```php
}else{
    //send user to login
    header("location:../login.php");
}//end session check
ob_end_flush();
?>
```

Two details are worth noting here. The ob_start() call at the top turns on output buffering, which is what prevents the "headers already sent" error if anything is output before header() is called; ob_end_flush() at the end sends the buffered output and switches buffering off. And header() only queues the redirect, it does not stop the script, so unless an exit follows each header() call the code after it still executes.
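The same two stages written the way a reviewer would want them today: a prepared statement instead of mysql_escape_string() and string concatenation, password_verify() instead of a clear-text equality in SQL, a fresh session ID at login, a strict comparison in the admin gate, and an exit after every redirect. This is an added example, not code from the original application; the table and column names follow the snippets above, while the DSN and credentials, the regex standing in for checkformat(), and the assumption that upass holds a password_hash() digest are mine.

```php
<?php
// Added example, not the application's own code. Assumptions: a MySQL database
// reachable with the DSN below, and a users table whose upass column stores a
// password_hash() digest rather than the clear-text password the original compared.
declare(strict_types=1);

session_start();

function db(): PDO
{
    // Assumed connection details; replace with the real ones.
    return new PDO('mysql:host=localhost;dbname=projects;charset=utf8mb4', 'app', 'secret', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false,  // real server-side prepared statements
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// Stand-in for the page's checkformat(): a conservative username alphabet (assumption).
function usernameFormatOk(string $uname): bool
{
    return preg_match('/^[A-Za-z0-9_.-]{1,64}$/', $uname) === 1;
}

// Stage one: verify credentials. Returns the user row on success, null otherwise.
function authenticate(PDO $pdo, string $uname, string $upass): ?array
{
    // The value is bound as a parameter, never spliced into the SQL text,
    // so quotes or comment sequences in the input are inert.
    $stmt = $pdo->prepare('SELECT uid, name, sname, level, upass FROM users WHERE uname = ? LIMIT 1');
    $stmt->execute([$uname]);
    $row = $stmt->fetch();

    if ($row === false || !password_verify($upass, $row['upass'])) {
        return null;  // single generic failure path; no database error text reaches the browser
    }
    unset($row['upass']);
    return $row;
}

// Populate the session once authentication has succeeded.
function login(array $user): void
{
    // A new session ID at the privilege change defeats session fixation.
    session_regenerate_id(true);
    $_SESSION['uid']   = (int) $user['uid'];
    $_SESSION['name']  = $user['name'] . ' ' . $user['sname'];
    $_SESSION['level'] = (string) $user['level'];
}

// Stage two: the admin gate. True only for a logged-in user whose level is exactly "admin".
function isAdmin(): bool
{
    // Strict comparison: no type juggling, and a missing key is simply "not admin".
    return isset($_SESSION['uid'], $_SESSION['level']) && $_SESSION['level'] === 'admin';
}

// Redirect and stop; header() alone does not halt the script.
function redirect(string $to): void
{
    header('Location: ' . $to, true, 302);
    exit;
}

// --- login.php handler ---
if (isset($_POST['submit'])) {
    $uname  = trim((string) ($_POST['uname'] ?? ''));
    $upass  = (string) ($_POST['upass'] ?? '');
    $errors = [];
    if ($uname === '') {
        $errors[] = 'The username field is empty, please enter a username';
    } elseif (!usernameFormatOk($uname)) {
        $errors[] = 'The username that you entered has an incorrect format.';
    }
    if ($upass === '') {
        $errors[] = 'The password field is empty, please enter password';
    }
    if (!$errors) {
        $user = authenticate(db(), $uname, $upass);
        if ($user === null) {
            $errors[] = 'The username or password you entered does not match.';
        } else {
            login($user);
            redirect('main.php');
        }
    }
    // ... render $errors with htmlspecialchars() ...
}

// --- first lines of every page under the admin section ---
// if (!isAdmin()) { redirect('../login.php'); }
```

Two design choices differ from the original flow. The query selects by username only and lets password_verify() do the comparison in PHP, so a constant-time hash check replaces an equality test inside SQL; and the admin check is a function each protected page calls before emitting anything, rather than a separate script that redirects admins onward, so there is no window in which the page body is sent before the redirect.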