August 1, 2012 learn_php

Controlling User Access in PHP


At some point your application will need to control which users can reach which content. The most common case is the split between regular users and administrative users. Regular users should only see content that is relevant to them, while an admin user can typically view all users and other sensitive information that, in the wrong hands, could damage the website. There are many ways to build a simple website with a regular user panel and an admin panel. Starting from the users table created in my previous post, Saving Records to Database, let's add a field called USERS_ROLE with datatype ENUM and the values admin and user.

Create Users Table
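The table definition was shown as an image in the original post. The following is an added example written for this edit, not the post's own code: it creates an equivalent table with the USERS_ROLE ENUM and seeds one admin account whose password is stored as a hash. The database name, credentials, the column names users_id/users_email/users_pass (taken from the query quoted in the comments) and the seed account are all assumptions, and it assumes PHP 7.1+ with the PDO MySQL driver.

```php
<?php
// create_users_table.php -- added example, not the original post's code.
// Assumptions: a MySQL server reachable with the DSN and credentials below
// (hypothetical values), PHP 7.1+ and the pdo_mysql extension.
// Run once from the command line: php create_users_table.php

$dsn  = 'mysql:host=127.0.0.1;dbname=learn_php;charset=utf8mb4'; // assumed
$user = 'learn_php';                                              // assumed
$pass = 'change-me';                                              // assumed

$pdo = new PDO($dsn, $user, $pass, [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);

// users_role is the ENUM field the post adds. The database itself rejects any
// value other than 'admin' or 'user', and new accounts default to 'user'.
$ddl = <<<'SQL'
CREATE TABLE IF NOT EXISTS users (
    users_id    INT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
    users_email VARCHAR(255) NOT NULL UNIQUE,
    users_pass  VARCHAR(255) NOT NULL,   -- a password_hash() result, never plaintext
    users_role  ENUM('admin', 'user') NOT NULL DEFAULT 'user'
) ENGINE=InnoDB
SQL;
$pdo->exec($ddl);

// Seed a single admin account (assumed address and password). Only the hash
// reaches the table; the ENUM prevents any typo in the role from being stored.
$stmt = $pdo->prepare(
    'INSERT INTO users (users_email, users_pass, users_role) VALUES (:email, :hash, :role)'
);
$stmt->execute([
    ':email' => 'admin@example.com',
    ':hash'  => password_hash('correct horse battery staple', PASSWORD_DEFAULT),
    ':role'  => 'admin',
]);

echo "users table ready\n";
```

Because users_role is an ENUM with a default, application code only ever has to compare against the two known strings; an account can never end up with an empty or misspelled role that a later switch statement would fail to recognise.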

With this new field in the database we can determine what type of user is accessing the website. The simplest approach is to copy the role into the session variable when the user logs in, so every later request reads it from the server-side session rather than from anything the client sends. If you have not yet set up a login for users, see the earlier tutorial: PHP MySQL Login Form

Let's make some changes to our 'validate_login.php' file to add a user session, so that the user can browse the site without being asked to authenticate on every page. The first thing we must do is start a session. After starting the session, we validate the user credentials. Once the credentials have been verified, we create the session variables. They hold information unique to that particular user, including the role that has been assigned to that user. So instead of echoing that the login was successful, we write some logic for our needs. Let's take a look:

validate_login.php
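The original file was shown as an image. What follows is an added example, not the post's own code, that implements the steps just described together with the safeguards a production login needs: a prepared statement so the form values cannot change the query, password_verify() against a stored hash instead of a plaintext comparison, and a regenerated session id before the role is stored. It assumes PHP 7.1+, a db.php that creates a PDO connection in $pdo, form fields named users_email and users_pass, and the users table columns named above (all assumptions).

```php
<?php
// validate_login.php -- added example, not the original post's code.
// Assumes PHP 7.1+, a db.php (assumed file) that creates $pdo as a PDO
// connection with ERRMODE_EXCEPTION, a login form that POSTs users_email and
// users_pass, and a users table with users_id, users_email, users_pass (a
// password_hash() value) and users_role ENUM('admin','user').
session_start();
require __DIR__ . '/db.php';

// Accept only scalar strings; an array sent as users_email[]=x would otherwise
// be coerced to the literal "Array".
$email    = is_string($_POST['users_email'] ?? null) ? $_POST['users_email'] : '';
$password = is_string($_POST['users_pass']  ?? null) ? $_POST['users_pass']  : '';

// The form values never become part of the SQL text: the statement is compiled
// first and the values are bound afterwards, so a password such as
// "' OR 1 = 1 AND users_role = 'admin' LIMIT 1" is compared as a password,
// not executed as SQL.
$stmt = $pdo->prepare(
    'SELECT users_id, users_email, users_pass, users_role
       FROM users
      WHERE users_email = :email
      LIMIT 1'
);
$stmt->execute([':email' => $email]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// Compare against the stored hash; the plaintext password is never stored and
// never compared with = inside SQL.
$valid = $row !== false && password_verify($password, $row['users_pass']);

if (!$valid) {
    // One generic failure code for "unknown e-mail" and "wrong password" alike,
    // so the response does not confirm which addresses are registered.
    header('Location: login.php?error=1');
    exit;
}

// New session id at the moment privileges change: a session id an attacker
// fixed in the victim's browser before login is not carried into the
// authenticated session.
session_regenerate_id(true);

// The role is copied from the database row, never from anything the client sent.
$_SESSION['users_id']    = (int) $row['users_id'];
$_SESSION['users_email'] = $row['users_email'];
$_SESSION['users_role']  = $row['users_role'];   // 'admin' or 'user'

// Transparent hash upgrade when the default algorithm or cost has changed.
if (password_needs_rehash($row['users_pass'], PASSWORD_DEFAULT)) {
    $upd = $pdo->prepare('UPDATE users SET users_pass = :hash WHERE users_id = :id');
    $upd->execute([
        ':hash' => password_hash($password, PASSWORD_DEFAULT),
        ':id'   => $row['users_id'],
    ]);
}

header('Location: members.php');
exit;
```

The order matters: the session id is regenerated after the credentials check succeeds and before anything about the user is written into $_SESSION, so the pre-login session never holds privileged data.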

Notice that we redirect the user to the login page if the credentials don't match, and that we append a variable named error to the end of the URL as a query string, which PHP exposes in $_GET. Its purpose is to tell the user that something went wrong with the login process. To display the error, check whether the variable is set and, if so, print a fixed error message; do not echo the value of the parameter itself, since anything reflected from the URL into the page can be abused for cross-site scripting. Like this:

(within login.php)
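Added example of the login form with the error check, not the post's own code. The error codes, their messages and the form field names are assumptions; the point it shows is that only a fixed, server-side message is ever printed, never the value of $_GET['error'] itself.

```php
<?php
// login.php -- added example, not the original post's code.
// Assumes validate_login.php redirects here with ?error=<code> on failure and
// that the form posts users_email and users_pass (assumed field names).
session_start();

// The parameter selects one of these fixed strings; its own value is never
// output, so ?error=<script>...</script> cannot be reflected into the page.
$messages = [
    '1' => 'Invalid e-mail address or password.',
    '2' => 'Please log in to view that page.',
];

$error = null;
if (isset($_GET['error']) && is_string($_GET['error'])) {
    $error = $messages[$_GET['error']] ?? 'Login failed. Please try again.';
}
?>
<!DOCTYPE html>
<html>
<head><meta charset="utf-8"><title>Login</title></head>
<body>
<?php if ($error !== null): ?>
    <p class="error"><?= htmlspecialchars($error, ENT_QUOTES, 'UTF-8') ?></p>
<?php endif; ?>
<form method="post" action="validate_login.php">
    <label>E-mail <input type="email" name="users_email" required></label>
    <label>Password <input type="password" name="users_pass" required></label>
    <button type="submit">Log in</button>
</form>
</body>
</html>
```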

Those lines can be added anywhere in your code; of course you will put them in a reasonable place. Now comes the interesting part. Within the new members page we would like to display content relevant to the user. Let's assume that the menus live in separate files, which we will call 'admin_menu.php' and 'users_menu.php'. To decide which menu to display we can use an if statement or a switch statement. For this example I am going to use the switch statement. Our members page could look something like this:
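Added example of members.php, not the post's own code. It assumes validate_login.php stored users_role and users_email in $_SESSION and that the menu files sit next to it; not_logged_user_menu.php is an assumed file name.

```php
<?php
// members.php -- added example, not the original post's code.
// Assumes validate_login.php placed users_role and users_email in the session
// and that admin_menu.php, users_menu.php and not_logged_user_menu.php
// (assumed name) are in the same directory as this file.
session_start();

// The role comes from the server-side session only. Reading it from a cookie,
// hidden form field or query parameter would let the client pick its own role.
$role = $_SESSION['users_role'] ?? null;

// The switch maps the role onto a fixed file name; no request data is ever
// used to build the path that is included below.
switch ($role) {
    case 'admin':
        $menu = 'admin_menu.php';
        break;
    case 'user':
        $menu = 'users_menu.php';
        break;
    default:                       // no session at all, or an unexpected value
        $menu = 'not_logged_user_menu.php';
        break;
}
?>
<!DOCTYPE html>
<html>
<head><meta charset="utf-8"><title>Members</title></head>
<body>
<?php require __DIR__ . '/' . $menu; ?>
<?php if ($role !== null): ?>
    <p>Logged in as <?= htmlspecialchars($_SESSION['users_email'] ?? '', ENT_QUOTES, 'UTF-8') ?></p>
<?php endif; ?>
</body>
</html>
```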

As you can see, with a simple switch you can control what is displayed for each type of user, and you can add further menus such as 'not_logged_user_menu'. Keep in mind that the switch only chooses which menu is rendered: it hides the admin links from regular users, but it does not stop a regular user who knows or guesses the URL of an admin page from requesting it directly. Every page in the admin panel must therefore start with its own check of the role stored in the session and refuse to serve the page when that role is not 'admin'.
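The check each admin page needs, as an added example rather than the post's own code. It assumes the same $_SESSION['users_role'] value and a login.php that accepts ?error=2; the file and page names are assumptions, and the code needs PHP 7.1+.

```php
<?php
// auth.php -- added example, not the original post's code.
// Include it at the top of every page in the admin panel. The switch in
// members.php decides what is shown; this function decides what is served.
// Assumes validate_login.php stored users_role in $_SESSION (PHP 7.1+).

/**
 * Abort the request unless the logged-in user holds one of the $allowed roles.
 * Anonymous visitors are sent to the login form; everyone else who lacks the
 * role gets a 403, without being told which role the page requires.
 */
function require_role(string ...$allowed): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $role = $_SESSION['users_role'] ?? null;

    if ($role === null) {
        header('Location: login.php?error=2');
        exit;
    }
    // Strict comparison: no type juggling, and the allowed list is fixed in code.
    if (!in_array($role, $allowed, true)) {
        http_response_code(403);
        exit('Forbidden');
    }
}

// Usage at the top of each admin-only page, e.g. admin_users.php (assumed name):
//     require __DIR__ . '/auth.php';
//     require_role('admin');   // a regular user who types the URL gets 403, not the page
```

Because require_role() runs before any output and calls exit on failure, the rest of the page cannot leak partial content to a user who should not see it, whichever menu that user was shown.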

In summary, you can see how easy it is to handle user roles within a website without creating many different pages. Remember that, for the sake of simplicity, I have not added any sanitization or filtering of user input, and the login query as written takes the form values as they arrive; how you handle security in your website is solely your responsibility, but at a minimum the login query should be a prepared statement before this goes anywhere near production.

Hope you enjoyed!

4 thoughts on "Controlling User Access in PHP"

  1. Quite good tutorial for beginners, but unfortunately it has a huge security hole. Consider this POST:

    $_POST['users_name'] = 'fuu@bar.com';
    $_POST['users_pass'] = "'password' OR 1 = 1 AND users_role = 'admin' LIMIT 1";

    Your query would then become:

    "SELECT … FROM users WHERE users_email = fuu@bar.com AND users_pass = password OR 1 = 1 AND users_role = 'admin' LIMIT 1"

    The result would be the first admin user from the database -> full access to your site.

    How about $_POST['user_pass'] = "'cause I can'; DROP TABLE users;"
