Add access level to this PHP code

Viewed 51 times

0

<?PHP
include('config.php');
# Validate the user's data

function anti_sql_injection($string)
    {
        include('config.php'); // re-included so that $conexao exists in the function's scope
        $string = stripslashes($string);
        $string = strip_tags($string);
        $string = mysqli_real_escape_string($conexao,$string);
        return $string;
    }

$sql = mysqli_query($conexao,"select * from sec_iden where login_sec='".anti_sql_injection($_POST['login_sec'] ?? '')."' and senha_sec='".anti_sql_injection($_POST['senha_sec'] ?? '')."' limit 1") or die("Erro");
$linhas = mysqli_num_rows($sql);
if($linhas == 0) // mysqli_num_rows() returns an integer; comparing it with '' stops working on PHP 8
    {
        ?>
        <div class="msg2 padding20">User not found or invalid username and password.</div>
        <?PHP
    }
else
    {
        session_start(); // once, and before any output is sent
        while($dados=mysqli_fetch_assoc($sql))
            {
                $_SESSION['login_sec_sessao'] = $dados['login_sec'];
                header("Location: conteudo.php");
                exit; // stop the script after issuing the redirect
            }
    }
?>

Well, I wanted that when the field I created in the DB called Adm was = 1 it would redirect to administrativo.php, and when it was = 0 to conteudo.php, but I'm not able to do that. An if would solve it, but where would I put that if?

  • Some of the links: https://answall.com/questions/50839/70 , https://answall.com/questions/3864/70 and https://answall.com/questions/256111/70

  • I've commented on 3 or 4 posts here about this "anti injection". Here's the tip: drop that function, because there are forums that share functions of this type, but they only serve to embarrass you. Search right here on the site for how to avoid SQL injection; it has the right solutions.

  • @Bacco I've taken it out, bro, thanks.

1 answer

1


Yes, in that case an if would suffice.

It would look like this:

<?PHP
include('config.php');
# Validate the user's data

function anti_sql_injection($string)
    {
        include('config.php'); // re-included so that $conexao exists in the function's scope
        $string = stripslashes($string);
        $string = strip_tags($string);
        $string = mysqli_real_escape_string($conexao,$string);
        return $string;
    }

$sql = mysqli_query($conexao,"select * from sec_iden where login_sec='".anti_sql_injection($_POST['login_sec'] ?? '')."' and senha_sec='".anti_sql_injection($_POST['senha_sec'] ?? '')."' limit 1") or die("Erro");
$linhas = mysqli_num_rows($sql);
if($linhas == 0) // mysqli_num_rows() returns an integer; comparing it with '' stops working on PHP 8
    {
        ?>
        <div class="msg2 padding20">User not found or invalid username and password.</div>
        <?PHP
    }
else
    {
        session_start(); // once, and before any output is sent
        while($dados=mysqli_fetch_assoc($sql))
            {
                $_SESSION['login_sec_sessao'] = $dados['login_sec'];
                // Choose the landing page from the adm column of the matched row
                if($dados['adm'] == '1') header("Location: administrativo.php");
                else header("Location: conteudo.php");
                exit; // stop the script after issuing the redirect
            }
    }
?>

Note that this example is only valid for the two login situations you described, i.e. whether the user is an administrator or not.

Note: that way you're not doing access control, you're just redirecting the user to a particular page.

  • Many thanks @Orge Matheus, would you advise another way to do that? I was wondering where to put this if. Thanks for the help!

  • If you have more access levels, you would write the if according to the permission, for example: if($dados['editor'] == '1') echo 'permissões para editor';. In this case you are just redirecting the user to the page. What if a user who is not an administrator types administrativo.php into the browser? I hope you are doing the checks on those pages too. :D

  • True, I'm going to do those checks, thanks bro.

  • You're welcome! If you have more questions you can ask. If needed we can open a chat to discuss it.

  • Hey, thanks. How can I open a chat with you? I have one more problem: I managed to write a check, but even when the user has permission 1 he hits the check and gets sent back to index.php.

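The answer's closing note and the follow-up comments identify the real gap: the redirect chooses a landing page, it does not stop anyone from requesting administrativo.php directly, and the escaping wrapper is the wrong tool for building the query. The block below is an added example, not code from the question or the answer, showing how I would structure this: a prepared statement (which makes anti_sql_injection() unnecessary), password_verify() against a stored hash, the role kept in the session, and two guard functions that each protected page calls before producing output. It assumes config.php defines $conexao as a mysqli connection, that sec_iden has the columns login_sec, senha_sec and adm (0 or 1), and that senha_sec holds a password_hash() hash rather than the plaintext the original query compared; the file name auth.php and the function names are mine.

```php
<?php
// auth.php - added example, not the original post's or answer's code.
// Assumptions: config.php defines $conexao (mysqli); sec_iden.senha_sec stores a
// password_hash() hash, not a plaintext password; sec_iden.adm is 0 or 1.

function start_session(): void
{
    // Safe to call from every page; session_start() must run before any output,
    // and a guard that reads $_SESSION without it will always fail.
    if (session_status() === PHP_SESSION_NONE) {
        session_start();
    }
}

function authenticate(mysqli $conexao, string $login, string $senha): ?array
{
    // Prepared statement: the input is bound as data and can never change the
    // SQL structure, so no stripslashes/strip_tags/escape wrapper is needed.
    $stmt = $conexao->prepare(
        'SELECT login_sec, senha_sec, adm FROM sec_iden WHERE login_sec = ? LIMIT 1'
    );
    $stmt->bind_param('s', $login);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    // Verify against the hash; one message for unknown user and wrong password.
    if ($row === null || !password_verify($senha, $row['senha_sec'])) {
        return null;
    }
    return $row;
}

function login(mysqli $conexao, string $login, string $senha): bool
{
    $user = authenticate($conexao, $login, $senha);
    if ($user === null) {
        return false;
    }
    start_session();
    session_regenerate_id(true);              // fresh id after login (session fixation)
    $_SESSION['login_sec_sessao'] = $user['login_sec'];
    $_SESSION['adm'] = (int) $user['adm'];    // store the role, not only the login name
    return true;
}

function require_login(): void
{
    start_session();
    if (empty($_SESSION['login_sec_sessao'])) {
        header('Location: index.php');
        exit;                                 // never keep rendering after a redirect
    }
}

function require_admin(): void
{
    require_login();
    // Strict integer comparison against exactly what login() stored.
    if (($_SESSION['adm'] ?? 0) !== 1) {
        http_response_code(403);
        exit('Access denied');
    }
}

// Login handler: runs only when the login form posts to this file.
if (isset($_POST['login_sec'], $_POST['senha_sec'])) {
    include('config.php');
    if (login($conexao, $_POST['login_sec'], $_POST['senha_sec'])) {
        // The redirect is a convenience for the user; the access check is require_admin().
        header('Location: ' . ($_SESSION['adm'] === 1 ? 'administrativo.php' : 'conteudo.php'));
        exit;
    }
    echo '<div class="msg2 padding20">User not found or invalid username and password.</div>';
}
```

administrativo.php then begins with `require 'auth.php'; require_admin();` and conteudo.php with `require 'auth.php'; require_login();`, before any HTML is sent; a user who is not an administrator gets a 403 from administrativo.php no matter which page the login redirected to. When accounts are created, store `password_hash($senha, PASSWORD_DEFAULT)` in senha_sec so that password_verify() has a hash to check. A guard that bounces even an adm=1 user is usually reading $_SESSION before session_start() or comparing a value that was never written at login; here the guard starts the session itself and compares the integer that login() stored.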
