
Login system with php

Hello everybody,

I have to do a news system which uses php/mysql.

I need 3 accounts:
* a 'reader' who doesn't need to log in to read the news
* a 'writer' who can write news in a pending news table
* a 'moderator' who validates a pending news, and makes it a regular news,
viewable from the site (by the 'reader')

This is a small web site, so I can't use SSL; and I use php sessions.

Right now, I deal with accounts from a mysql users point of view, which
means that a 'reader' can access all the admin part of the site, but will
get errors when trying to read/write by sql query.

I was wondering if somebody could give me a trick to deny access to the
admin pages. Right now, I thought about these:
* by decoding mysql rights? (how)
* by doing only-to-test query? (bad I think, especially for write right)

Any idea greatly appreciated, thx :)

--
TheDD
Jul 17 '05 #1
I don't exactly know what u mean but why won't u just have some table
like this:
CREATE TABLE Users(
id int( 100 ) NOT NULL AUTO_INCREMENT ,
name varchar(200) NOT NULL default '',
pass text NOT NULL,                          -- TEXT columns cannot take a default
user_type varchar( 1 ) NOT NULL default '',  -- 0 = reader, 1 = writer, 2 = admin
UNIQUE (name),
PRIMARY KEY ( id )
) ENGINE=MyISAM;                             -- TYPE= is the obsolete spelling

and then u say something like:

$user_type = $sql_info['user_type'];  // row fetched for the logged-in user
if ($user_type == 2)
{
    // display admin stuff
} elseif ($user_type == 1)
{
    // display writer stuff
} elseif ($user_type == 0)
{
    // display read stuff
}

I dunno but maybe this helps u

On Sat, 11 Oct 2003 15:00:22 +0200, TheDD <pa***@email.com> wrote:
> Hello everybody,
>
> I have to do a news system which uses php/mysql.
>
> I need 3 accounts:
> * a 'reader' who doesn't need to log in to read the news
> * a 'writer' who can write news in a pending news table
> * a 'moderator' who validates a pending news, and makes it a regular news,
> viewable from the site (by the 'reader')
>
> This is a small web site, so I can't use SSL; and I use php sessions.
>
> Right now, I deal with accounts from a mysql users point of view, which
> means that a 'reader' can access all the admin part of the site, but will
> get errors when trying to read/write by sql query.
>
> I was wondering if somebody could give me a trick to deny access to the
> admin pages. Right now, I thought about these:
> * by decoding mysql rights? (how)
> * by doing only-to-test query? (bad I think, especially for write right)
>
> Any idea greatly appreciated, thx :)


Jul 17 '05 #2
On Sat, 11 Oct 2003 15:09:11 +0200, warstar wrote:
> I don't exactly know what u mean but why won't u just have some table
> like this:
> CREATE TABLE Users(
> id int( 100 ) NOT NULL AUTO_INCREMENT ,
> name varchar(200) NOT NULL default '',
> pass text NOT NULL,
> user_type varchar( 1 ) NOT NULL default '',
> UNIQUE (name),
> PRIMARY KEY ( id )
> ) ENGINE=MyISAM;
>
> and then u say something like:
>
> $user_type = $sql_info['user_type'];
> if ($user_type == 2)
> {
>     // display admin stuff
> } elseif ($user_type == 1)
> {
>     // display writer stuff
> } elseif ($user_type == 0)
> {
>     // display read stuff
> }
>
> I dunno but maybe this helps u

well, several things:
1/ the problem is that with that kind of table, the rights are logical,
and the restrictions are hard coded in php, which is not really great for
the evolution of the web site :/
2/ it's a detail but I don't need personalized accounts, one account of each
type is enough

thx anyway for your proposition. If I don't find better I might use it :)

--
TheDD
Jul 17 '05 #3
I think u got to have something like rights. u can also make something
like this:
CREATE TABLE Users(
id int (10) NOT NULL AUTO_INCREMENT ,
name varchar(200) NOT NULL default '',
pass text NOT NULL,                        -- TEXT columns cannot take a default
`group` varchar( 1 ) NOT NULL default '',  -- GROUP is a reserved word, so it is quoted
UNIQUE (name),
PRIMARY KEY ( id )
) ENGINE=MyISAM;                           -- TYPE= is the obsolete spelling

CREATE TABLE `Group`(
id int( 10) NOT NULL AUTO_INCREMENT ,
news_read int(1) default '0',
news_write int(1) default '0',
news_admin int(1) default '0',
PRIMARY KEY ( id )
) ENGINE=MyISAM;

this is the best way I think is possible. this way u can have multiple
accounts later on as your site advances; now u just make 3 accounts.
u can add more rights to the group table so later u can say I have a
user part and I want some rights in there and u add fields like
userarea_read etc.

On Sat, 11 Oct 2003 15:17:48 +0200, TheDD <pa***@email.com> wrote:
> On Sat, 11 Oct 2003 15:09:11 +0200, warstar wrote:
>> I don't exactly know what u mean but why won't u just have some table
>> like this:
>> CREATE TABLE Users(
>> id int( 100 ) NOT NULL AUTO_INCREMENT ,
>> name varchar(200) NOT NULL default '',
>> pass text NOT NULL,
>> user_type varchar( 1 ) NOT NULL default '',
>> UNIQUE (name),
>> PRIMARY KEY ( id )
>> ) ENGINE=MyISAM;
>>
>> and then u say something like:
>>
>> $user_type = $sql_info['user_type'];
>> if ($user_type == 2)
>> {
>>     // display admin stuff
>> } elseif ($user_type == 1)
>> {
>>     // display writer stuff
>> } elseif ($user_type == 0)
>> {
>>     // display read stuff
>> }
>>
>> I dunno but maybe this helps u
>
> well, several things:
> 1/ the problem is that with that kind of table, the rights are logical,
> and the restrictions are hard coded in php, which is not really great for
> the evolution of the web site :/
> 2/ it's a detail but I don't need personalized accounts, one account of each
> type is enough
>
> thx anyway for your proposition. If I don't find better I might use it :)


Jul 17 '05 #4
If you are still stuck, let me know
"TheDD" <pa***@email.com> wrote in message
news:11****************************@40tude.net...
> Hello everybody,
>
> I have to do a news system which uses php/mysql.
>
> I need 3 accounts:
> * a 'reader' who doesn't need to log in to read the news
> * a 'writer' who can write news in a pending news table
> * a 'moderator' who validates a pending news, and makes it a regular news,
> viewable from the site (by the 'reader')
>
> This is a small web site, so I can't use SSL; and I use php sessions.
>
> Right now, I deal with accounts from a mysql users point of view, which
> means that a 'reader' can access all the admin part of the site, but will
> get errors when trying to read/write by sql query.
>
> I was wondering if somebody could give me a trick to deny access to the
> admin pages. Right now, I thought about these:
> * by decoding mysql rights? (how)
> * by doing only-to-test query? (bad I think, especially for write right)
>
> Any idea greatly appreciated, thx :)
>
> --
> TheDD

Jul 17 '05 #5
On Sat, 11 Oct 2003 22:14:54 GMT, Tesla wrote:
> If you are still stuck, let me know


well I am, I would like to avoid a table to store the rights like warstar
proposes.

--
TheDD
Jul 17 '05 #6
"TheDD" <pa***@email.com> wrote in message
news:11****************************@40tude.net...
> Hello everybody,
>
> I have to do a news system which uses php/mysql.
>
> I need 3 accounts:
> * a 'reader' who doesn't need to log in to read the news
> * a 'writer' who can write news in a pending news table
> * a 'moderator' who validates a pending news, and makes it a regular news,
> viewable from the site (by the 'reader')
>
> This is a small web site, so I can't use SSL; and I use php sessions.
>
> Right now, I deal with accounts from a mysql users point of view, which
> means that a 'reader' can access all the admin part of the site, but will
> get errors when trying to read/write by sql query.
>
> I was wondering if somebody could give me a trick to deny access to the
> admin pages. Right now, I thought about these:
> * by decoding mysql rights? (how)
> * by doing only-to-test query? (bad I think, especially for write right)


No trick needed, you answer your own question...

1) a 'reader' doesn't login (doesn't have username/password) - gets
standard site pages
2) a 'writer' will need to login to add/upload news - gets
writer access site pages
3) a 'moderator' will need to login to review/post news - gets
admin access site pages

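so in code (sort of)

<?php
session_start(); // 'account' is assumed to be set by the login script
if (!isset($_SESSION['account'])) {
    // not logged in: display standard site
} elseif ($_SESSION['account'] === 'writer') {
    // logged in with writer user/password: display writer pages
} elseif ($_SESSION['account'] === 'admin') {
    // logged in with admin user/password: display admin pages
}
?>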

The writer and admin pages would probably be similar with the admin having
extra stuff that the writer would not see. Keeping the users in the db is
fine as long as you either separate them into two different tables or have a
field that indicates that the user has writer or admin rights. The reader
will not have any entries in the db - no need to check until login attempt.

Jul 17 '05 #7
u got to store it somewhere, text file or some other thing. I dunno how
to do it another way

On Sun, 12 Oct 2003 02:37:38 +0200, TheDD <pa***@email.com> wrote:
> On Sat, 11 Oct 2003 22:14:54 GMT, Tesla wrote:
>> If you are still stuck, let me know
>
> well I am, I would like to avoid a table to store the rights like warstar
> proposes.


Jul 17 '05 #8
On Sun, 12 Oct 2003 12:37:42 +0200, warstar wrote:
> On Sun, 12 Oct 2003 02:37:38 +0200, TheDD <pa***@email.com> wrote:
>> On Sat, 11 Oct 2003 22:14:54 GMT, Tesla wrote:
>>> If you are still stuck, let me know
>>
>> well I am, I would like to avoid a table to store the rights like warstar
>> proposes.
>
> u got to store it somewhere, text file or some other thing. I dunno how
> to do it another way


well I was thinking to decode mysql rights (the one shown with 'show grants
for user') and to use that, but it doesn't seem to be possible.

Anyway, another table is really not what I aim for, so I think I'm gonna use
hard coded php "if (account) then else"...

Another reason for not using a rights table is that it needs another query,
which slows down the page processing...

Thx for your help :)

--
TheDD
Jul 17 '05 #9
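
One way to do the hard-coded check TheDD settles on, as an added example (not code from any poster in this thread): the account type is put in the session once at login, so no rights table or extra query is needed per page, and the rules sit in one array instead of ifs scattered over the admin pages. The permission names, function names and demo values are assumptions.

```php
<?php
// Added example, not code from the thread. Role names follow the thread;
// permission names, function names and the demo data are assumptions.

// The single place that says what each account type may do.
const PERMISSIONS = [
    'reader'    => ['news.read'],
    'writer'    => ['news.read', 'news.submit'],
    'moderator' => ['news.read', 'news.submit', 'news.publish'],
];

// Called once by the login script, after the password check succeeded.
function login_as(string $role): void
{
    if (!array_key_exists($role, PERMISSIONS)) {
        throw new InvalidArgumentException("unknown role: $role");
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true); // fresh session id for the logged-in state
    }
    $_SESSION['role'] = $role;
}

// Deny by default: no role in the session means 'reader',
// a role the map does not know gets no permissions at all.
function can(string $permission): bool
{
    $role = $_SESSION['role'] ?? 'reader';
    return in_array($permission, PERMISSIONS[$role] ?? [], true);
}

// First statement of every writer/admin page: stop before any page logic runs.
function require_permission(string $permission): void
{
    if (!can($permission)) {
        http_response_code(403);
        exit("403 Forbidden\n");
    }
}

if (PHP_SAPI === 'cli') {              // demo with a constructed session
    $_SESSION = [];
    var_dump(can('news.publish'));     // visitor who never logged in
    login_as('writer');
    var_dump(can('news.submit'), can('news.publish'));
    $_SESSION['role'] = 'root';        // role value the map does not know
    var_dump(can('news.read'));
}
```

A moderator page would start with `require_permission('news.publish');`, and the MySQL grants stay in place as a second layer behind the PHP check.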
it is possible to block the insert stuff yeah but to use the same
rules in the php code, don't think that's possible :)

On Sun, 12 Oct 2003 15:59:16 +0200, TheDD <pa***@email.com> wrote:
> On Sun, 12 Oct 2003 12:37:42 +0200, warstar wrote:
>> On Sun, 12 Oct 2003 02:37:38 +0200, TheDD <pa***@email.com> wrote:
>>> On Sat, 11 Oct 2003 22:14:54 GMT, Tesla wrote:
>>>> If you are still stuck, let me know
>>>
>>> well I am, I would like to avoid a table to store the rights like warstar
>>> proposes.
>>
>> u got to store it somewhere, text file or some other thing. I dunno how
>> to do it another way
>
> well I was thinking to decode mysql rights (the one shown with 'show grants
> for user') and to use that, but it doesn't seem to be possible.
>
> Anyway, another table is really not what I aim for, so I think I'm gonna use
> hard coded php "if (account) then else"...
>
> Another reason for not using a rights table is that it needs another query,
> which slows down the page processing...
>
> Thx for your help :)


Jul 17 '05 #10
On Sun, 12 Oct 2003 15:59:16 +0200, TheDD <pa***@email.com> pixelated:
> On Sun, 12 Oct 2003 12:37:42 +0200, warstar wrote:
> Another reason for not using a rights table is that it needs another query,
> which slows down the page processing...
>
> Thx for your help :)


How about putting admin files in another directory and using
a .htaccess file to password protect it? Only the moderator
with the password gets to use those pages. That's how I put
client data up on my site to show them first drafts, etc.

Jul 17 '05 #11
