César Aracena wrote:

> I like very much the idea of using a "short" way. Actually, I did and
> here's how:
>
> // After I queried the DB for a username & password match:
>         if (mysql_num_rows($result) > 0)
>         {
>                 $row = mysql_fetch_array($result);
>                 if ($row[authlevel] == '1')
>                 {
>                         $valid_user = $username;
>                         session_register("valid_admin");
>                 }
>                 else if ($row[authlevel] == '0')
>                 {
>                         $valid_user = $username;
>                         session_register("valid_user");
>                 }
>         }
>
> but still doesn't work. I'm still getting the "posted" values back (when
> pointed to phpinfo.php) including the sessionID variable, but the
> session doesn't show as registered. That is, when I call the
> following script, nothing happens:
>

Cesar,

For the admin users, you set $valid_user but then register valid_admin.
It's a typo.
                        $valid_user = $username;
                        session_register("valid_admin");
should be
                        $valid_admin = $username;
                        session_register("valid_admin");

Another time, I would have made auth_level in the database a character
field set to 'user', 'admin', 'readonly' or whatever and then just pass it
straight through i.e.

        if (mysql_num_rows($result) > 0)
        {
                $row = mysql_fetch_array($result);
                // the variable set here must be the one registered below
                $auth_level = $row['auth_level'];
                session_register('auth_level');
        }
or even, just let auth_level default to '' if no match found i.e.
                $row = mysql_fetch_array($result);
                // $row is false when nothing matched, so $auth_level ends up ''
                $auth_level = $row ? $row['auth_level'] : '';
                session_register('auth_level');


For the record, I don't like using sessions to pass around access
control information, I would force http authentication on every page i.e.

.. check user/password as per above  but using
$PHP_AUTH_USER and $PHP_AUTH_PW

... and then add the following to force an authentication if they
haven't authenticated themselves:

if ($auth_level == '')
{
    $REALM = 'My Application';
    header("WWW-Authenticate: Basic Realm=\"$REALM\"");
    header("HTTP/1.0 401 Unauthorised");
    include("authenticate_failure_message.html");
    exit;
}


Of course, you can wrap this all up in a function and do extra useful
things like having a central user database and passing through
application/section/page information to a single get_access function
etc., etc...

But it sounds like you're too far down your current track to be interested
in that sort of approach.  And, in any case, it might not match your style
if you like sessions.

Personally, I don't like using sessions for anything on the grounds that
they're trying to retrofit "state" onto intrinsically state-less protocols
and therefore bound to be clumsy/buggy/limiting.

Good Luck,

George

>
> [snip]
> if (session_is_registered("valid_admin"))
> {
> // do admin stuff
> }
> else if (session_is_registered("valid_user"))
> {
> // do users stuff
> }
> else
> {
> // prompt for login
> // this is still what's showing!!!???
> }
> [snip]
>
> César Aracena
> IS / MCSE+I
> Neuquén, NQN
> (0299) 156-356688
> (0299) 446-6621
> > -----Original Message-----
> > From: Miguel Cruz [mailto:[EMAIL PROTECTED]]
> > Sent: Friday, June 14, 2002 03:11 a.m.
> > To: César Aracena
> > CC: PHP General List
> > Subject: Re: [PHP] Advanced User Authentication
> >
> > I think you're making it needlessly complicated. Why don't you just
> >
> >   SELECT * FROM auth WHERE authname = '$username' AND
> >   authpass = password('$password')
> >
> > and not worry about "WHERE authlevel = 1"?
> >
> > Then, if that query is successful, you can just fetch the result row
> > and see what 'authlevel' is for that user, and act accordingly.
> >
> > miguel
> >
> > On Fri, 14 Jun 2002, César Aracena wrote:
> > > I'm trying to make a somehow "advanced" user authentication system for
> > > my own web site. What I'm using as a model example is the
> > > authentication system explained by Luke Welling & Laura Thomson in their
> > > book "PHP and MySQL Web Development". In the book, they explain how to
> > > make apparently a perfect user authentication system, but only for one
> > > level users. I would like to change that somehow in order to make my
> > > scripts recognize whether the user is an Administrator or a Common User,
> > > identified by a "authlevel" field in my DB (1 for Admin - 2 for Users).
> > >
> > > I'm making all my web sites by using an "include" schema, so the user
> > > is authenticated only in the Header (included in all the pages).
> > >
> > > What I have so far is:
> > >
> > > <?
> > >
> > > // this is where the original script begin
> > >
> > > session_start();
> > >
> > > if ($userid && $password)
> > > {
> > >     $db_conn = mysql_connect("localhost", "user", "password");
> > >     mysql_select_db("dbname", $db_conn);
> > >     $query = "SELECT * FROM auth WHERE authname = '$username' AND
> > > authpass = password('$password') AND authlevel = 1";
> > >     $result = mysql_query($query, $db_conn);
> > >     if (mysql_num_rows($result) > 0)
> > >     {
> > >             $valid_user = $userid;
> > >             session_register("valid_admin");
> > >     }
> > >
> > > // this is what I tried to add
> > >
> > >     else if (mysql_num_rows($result) >= 0)
> > >     {
> > >             $query1 = "SELECT * FROM auth WHERE authname =
> > > '$username' AND authpass = password('$password') AND authlevel = 0";
> > >             $result1 = mysql_query($query1, $db_conn);
> > >             if (mysql_num_rows($result1) > 0)
> > >             {
> > >                     $valid_user = $userid;
> > >                     session_register("valid_user");
> > >             }
> > >     }
> > > }
> > > ?>
> > >
> > > It works great when used in its original state, but does no good to
> > > what I'm trying to do here. Also, I'm willing to learn from this so I
> > > don't want to rush and get it already done out there ;-)
> > >
> > > By the way, before you ask, I use MySQL and PHP 4 under a Apache
> > > emulator (PHPTriad) running under WinXP (and damn, it works good and
> > > smooth).
> > >
> > > Hope to get some knowledge from you guys and gals,
> > >
> > > Cesar Aracena <mailto:[EMAIL PROTECTED]>
> > > CE / MCSE+I
> > > Neuquen, Argentina
> > > +54.299.6356688
> > > +54.299.4466621
> > >
> > >
> > >
> >
> >
> > --
> > PHP General Mailing List (http://www.php.net/)
> > To unsubscribe, visit: http://www.php.net/unsub.php


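The two approaches George describes, carried through as one added example (not code from George, César or the list): a single query fetches the user's row, the stored `auth_level` string is the only access-control value kept, and the variable that is set is the same one that is stored, which is the mistake the thread turns on. The table `auth` and the columns `authname`, `authpass` and `auth_level` follow the thread; the PDO DSN, the use of `password_hash()`/`password_verify()` instead of MySQL's `password()`, the `$_SESSION` array in place of `session_register()` (gone from current PHP), the binding of the username instead of interpolating it into the SQL, and the ordering of levels in `level_satisfies()` are all assumptions for a current PHP.

```php
<?php
// Added example, not the thread's own code. Assumes a table `auth` with
// columns authname, authpass (a password_hash() value) and auth_level
// ('readonly', 'user' or 'admin'); the DSN below is a placeholder.

session_start();

// Returns the stored auth_level, or '' when the user/password pair does not
// match, so '' means "not authenticated" exactly as George suggests.
function authenticate(PDO $db, string $username, string $password): string
{
    // Bind the username rather than interpolating it into the query string.
    $stmt = $db->prepare(
        'SELECT authpass, auth_level FROM auth WHERE authname = :name'
    );
    $stmt->execute([':name' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || !password_verify($password, $row['authpass'])) {
        return '';
    }
    return $row['auth_level'];
}

// Compares two level names using an assumed ordering; unknown names never
// satisfy anything, so a blank or garbage level fails closed.
function level_satisfies(string $current, string $required): bool
{
    $rank = ['readonly' => 1, 'user' => 2, 'admin' => 3]; // assumed ordering
    return isset($rank[$current], $rank[$required])
        && $rank[$current] >= $rank[$required];
}

// Session variant: one key carries the whole access-control state, and the
// variable that is set is the one that is stored.
function login(PDO $db, string $username, string $password): bool
{
    $level = authenticate($db, $username, $password);
    if ($level === '') {
        return false;
    }
    session_regenerate_id(true);          // fresh session id after a successful login
    $_SESSION['auth_level'] = $level;
    $_SESSION['username']   = $username;
    return true;
}

// Page-level check for the include-file header: what level does this page need?
function has_level(string $required): bool
{
    return level_satisfies($_SESSION['auth_level'] ?? '', $required);
}

// HTTP Basic variant George prefers: credentials arrive on every request in
// $_SERVER['PHP_AUTH_USER'] / ['PHP_AUTH_PW'], and a missing or wrong pair
// gets the challenge header plus a 401, as in his snippet.
function require_basic_auth(PDO $db, string $required): void
{
    $user  = $_SERVER['PHP_AUTH_USER'] ?? '';
    $pass  = $_SERVER['PHP_AUTH_PW']   ?? '';
    $level = ($user === '') ? '' : authenticate($db, $user, $pass);

    if (!level_satisfies($level, $required)) {
        header('WWW-Authenticate: Basic realm="My Application"');
        header('HTTP/1.0 401 Unauthorized');
        include 'authenticate_failure_message.html';
        exit;
    }
}

// --- usage, as the shared header include would do it (assumed DSN) ---
$db = new PDO('mysql:host=localhost;dbname=dbname', 'user', 'password');

if (isset($_POST['username'], $_POST['password'])) {
    login($db, (string) $_POST['username'], (string) $_POST['password']);
}

if (has_level('admin')) {
    // do admin stuff
} elseif (has_level('user')) {
    // do users stuff
} else {
    // prompt for login
}
```

With `login()` storing `auth_level` and `has_level()` reading the same key, the branch that César saw falling through to "prompt for login" can only be reached when the lookup genuinely returned no row, which is also what `require_basic_auth()` turns into a 401 in the session-free version.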