Restrict items displayed in database

Hello,

This should be a pretty straightforward Q, but I am not sure how to attack it.  I have a standard login screen, which takes users through to information stored in a database.  The database is global, and contains info for several customers.

I need to restrict access so that when a user logs on, only the information relating to their customer number is displayed in the database.  Obviously I need a 3rd variable on the logon, and I have created username, password, and customer no. fields.  Should I match these to username, password and access level in the Dreamweaver login user wizard?

If so, how do I link access level to display the corresponding cust number on the db?  Each cust might have 50-100 records, and I only want to display the cust numbers that match the cust number variable at logon.

I am guessing that the SQL would be something like SELECT * FROM mytable WHERE custno = 'access_level_variable'

Am I on the right track?  What is the easiest way (using Dreamweaver) to achieve this?

Thanks

Asked by south_paw

south_paw (Author) commented:
I should also mention I have a page which users arrive at after a successful logon which lets them search by item numbers etc.; they don't actually arrive at the db table.

Therefore, maybe this search query needs to take the variable from the logon page.

Cheers.
Jason C. Levine commented:
Hi south_paw,

You are on the right track already.  Whenever you do a user validation (using the built-in or otherwise), there is a recordset created that searches the user table.  It is simple to go through the built-in code and add one more column to that SQL query (the custno) and alter the rest of your code so that the custno limits the records returned by the second recordset.

You didn't specify which scripting language is being used so I won't post code right now.  If you want, post the code from your pages and we can show you where to alter it.
south_paw (Author) commented:
jason1178,

I've posted my login code below, I'm using PHP.  After login, the user is directed to a page where they can search the DB.  I am wondering if I should just add a text field to the login form (not access level) which accepts and passes the cust no parameter to the search page.  Then, when the user enters a search, the SQL would be something like:

SELECT serial, item, descrip, ordate, qtyord, qtyshp
FROM info
WHERE item = 'itemField' OR serial = 'serialField' AND custno = 'custnoField'  

(Cust no field is passed from the login screen).  Is this possible, can I pass the parameter across 2 pages?

The more I think about it, I would rather leave the access level field free, as I am actually planning on having an Administrator profile, and the more I read, I would probably need to use the access profile for this rather than restricting database content.

Your thoughts?



<?php
// *** Validate request to login to this site.
session_start();

$loginFormAction = $_SERVER['PHP_SELF'];
if (isset($accesscheck)) {
  $GLOBALS['PrevUrl'] = $accesscheck;
  session_register('PrevUrl');
}

if (isset($_POST['username'])) {
  $loginUsername=$_POST['username'];
  $password=$_POST['password'];
  $MM_fldUserAuthorization = "custno";
  $MM_redirectLoginSuccess = "selectview.php";
  $MM_redirectLoginFailed = "loginfailed.php";
  $MM_redirecttoReferrer = false;
  mysql_select_db($database_ami_mysql, $ami_mysql);
        
  $LoginRS__query=sprintf("SELECT username, password, custno FROM detail WHERE username='%s' AND password='%s'",
  get_magic_quotes_gpc() ? $loginUsername : addslashes($loginUsername), get_magic_quotes_gpc() ? $password : addslashes($password));
   
  $LoginRS = mysql_query($LoginRS__query, $ami_mysql) or die(mysql_error());
  $loginFoundUser = mysql_num_rows($LoginRS);
  if ($loginFoundUser) {
   
    $loginStrGroup  = mysql_result($LoginRS,0,'custno');
   
    //declare two session variables and assign them
    $GLOBALS['MM_Username'] = $loginUsername;
    $GLOBALS['MM_UserGroup'] = $loginStrGroup;           

    //register the session variables
    session_register("MM_Username");
    session_register("MM_UserGroup");

    if (isset($_SESSION['PrevUrl']) && false) {
      $MM_redirectLoginSuccess = $_SESSION['PrevUrl'];      
    }
    header("Location: " . $MM_redirectLoginSuccess );
  }
  else {
    header("Location: ". $MM_redirectLoginFailed );
  }
}
?>


<form ACTION="<?php echo $loginFormAction; ?>" method="POST" name="login">
                      <label></label>
<label><span class="style3">
        <span class="style7 style2">  </span></span></label>
        <div align="justify">
          <table width="229">
          <tr>
            <td width="66"><span class="style2">Username</span></td>
            <td width="90"><input name="username" type="text" size="15" maxlength="15"></td>
            <td width="57">&nbsp;</td>
          </tr>
          <tr>
            <td><span class="style2">Password</span></td>
            <td><input name="password" type="password" size="15" maxlength="15"></td>
            <td><input name="" type="submit" value="Submit"></td>
          </tr>
          <tr>
            <td>&nbsp;</td>
            <td>&nbsp;</td>
            <td>&nbsp;</td>
          </tr>
        </table>
              </div>
      <p align="justify">
  <label></label>
</p>
</form>
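An added example, not code from the thread, that runs the search query proposed in this post against a small constructed table. It assumes the pdo_sqlite extension and PHP 7.4 or later; the `info` table and its three rows are constructed here. In SQL, AND binds tighter than OR, so `item = ? OR serial = ? AND custno = ?` is evaluated as `item = ? OR (serial = ? AND custno = ?)`: every row whose item matches is returned regardless of custno, which is the cross-customer leak the thread is trying to prevent. The second function parenthesises the search terms so the customer filter applies to both, and binds the values instead of escaping them into the string.

```php
<?php
// Added example, not from the thread: AND/OR precedence in the proposed
// search query. Assumes pdo_sqlite; the table and rows are constructed here.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE info (id INTEGER PRIMARY KEY, serial TEXT, item TEXT, custno TEXT)');
$db->exec("INSERT INTO info (serial, item, custno) VALUES
           ('S100', 'WIDGET', '1001'),
           ('S200', 'WIDGET', '2002'),   -- same item, another customer
           ('S300', 'GADGET', '2002')");

// The query as proposed: parsed as  item = ? OR (serial = ? AND custno = ?),
// so an item match is returned for every customer.
function searchUnscoped(PDO $db, string $item, string $serial, string $custno): array
{
    $st = $db->prepare('SELECT serial, custno FROM info
                        WHERE item = ? OR serial = ? AND custno = ?');
    $st->execute([$item, $serial, $custno]);
    return $st->fetchAll(PDO::FETCH_ASSOC);
}

// Fixed: the customer filter is ANDed onto the whole search expression,
// and the values are bound parameters rather than addslashes()'d strings.
function searchScoped(PDO $db, string $item, string $serial, string $custno): array
{
    $st = $db->prepare('SELECT serial, custno FROM info
                        WHERE (item = ? OR serial = ?) AND custno = ?');
    $st->execute([$item, $serial, $custno]);
    return $st->fetchAll(PDO::FETCH_ASSOC);
}

// Customer 1001 searches for item WIDGET with no serial given.
foreach (['unscoped' => searchUnscoped($db, 'WIDGET', '', '1001'),
          'scoped'   => searchScoped($db, 'WIDGET', '', '1001')] as $label => $rows) {
    echo $label, ': ', implode(', ', array_map(
        fn ($r) => $r['serial'] . ' (custno ' . $r['custno'] . ')', $rows)), PHP_EOL;
}
```

Run it with php from the command line: the unscoped query returns S100 and S200, the second of which belongs to customer 2002; the scoped query returns only S100. The same precedence applies in MySQL, so the parentheses are needed whichever database the real site uses.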
Jason C. Levine commented:
south_paw,

If you are using the built-in, instead of mucking about with form variables to pass custno, just add it to the session variable.  Re-do the built-in and let the usergroup go to an actual userlevel column in your table.  Once the code rewrites, go back to code view and make the following changes:

 $LoginRS = mysql_query($LoginRS__query, $ami_mysql) or die(mysql_error());
// 1st CHANGE BELOW
$row_LoginRS = mysql_fetch_assoc($LoginRS);
$customernum = $row_LoginRS['custno'];
// END 1st CHANGE

  $loginFoundUser = mysql_num_rows($LoginRS);
  if ($loginFoundUser) {
   
    $loginStrGroup  = mysql_result($LoginRS,0,'userlevel');
   
    //declare two session variables and assign them
    $GLOBALS['MM_Username'] = $loginUsername;
    $GLOBALS['MM_UserGroup'] = $loginStrGroup;
    //2nd CHANGE BELOW
    $GLOBALS['sess_custno'] = $customernum;
    //END 2nd CHANGE

    //register the session variables
    session_register("MM_Username");
    session_register("MM_UserGroup");
    //FINAL CHANGE
    session_register("sess_custno");

Now the customer number is available for that user throughout the logged in session by calling $_SESSION['sess_custno'].  You can also use it with the recordset wizard to filter the rest of the data.

south_paw (Author) commented:
Thanks Jason,

I have made the above changes and have restricted access to the selectview page (the page a user is redirected to upon successful login).  I used the built-in Restrict access to page app, and restrict based on username, password and access level (custno selected as the level).  

I can login fine, but cannot access page selectview.php.  It redirects to the page I chose as a login failed page during the "restrict access to page wizard"

Here's the code it inserted into my page, any ideas?

<?php
session_start();
$MM_authorizedUsers = "custno";
$MM_donotCheckaccess = "false";

// *** Restrict Access To Page: Grant or deny access to this page
function isAuthorized($strUsers, $strGroups, $UserName, $UserGroup) {
  // For security, start by assuming the visitor is NOT authorized.
  $isValid = False;

  // When a visitor has logged into this site, the Session variable MM_Username set equal to their username.
  // Therefore, we know that a user is NOT logged in if that Session variable is blank.
  if (!empty($UserName)) {
    // Besides being logged in, you may restrict access to only certain users based on an ID established when they login.
    // Parse the strings into arrays.
    $arrUsers = Explode(",", $strUsers);
    $arrGroups = Explode(",", $strGroups);
    if (in_array($UserName, $arrUsers)) {
      $isValid = true;
    }
    // Or, you may restrict access to only certain users based on their username.
    if (in_array($UserGroup, $arrGroups)) {
      $isValid = true;
    }
    if (($strUsers == "") && false) {
      $isValid = true;
    }
  }
  return $isValid;
}

$MM_restrictGoTo = "loginfailed.php";
if (!((isset($_SESSION['MM_Username'])) && (isAuthorized("",$MM_authorizedUsers, $_SESSION['MM_Username'], $_SESSION['MM_UserGroup'])))) {  
  $MM_qsChar = "?";
  $MM_referrer = $_SERVER['PHP_SELF'];
  if (strpos($MM_restrictGoTo, "?")) $MM_qsChar = "&";
  if (isset($QUERY_STRING) && strlen($QUERY_STRING) > 0)
  $MM_referrer .= "?" . $QUERY_STRING;
  $MM_restrictGoTo = $MM_restrictGoTo. $MM_qsChar . "accesscheck=" . urlencode($MM_referrer);
  header("Location: ". $MM_restrictGoTo);
  exit;
}
?>
Jason C. Levine commented:
From the code above, it looks like you didn't set up everything correctly in the wizard.  I would also not use custno as an access level restriction.  Either make a new column and set true user levels there or just validate by username and password only.

The wizard to restrict by user level is not the most intuitive thing in DW.  You have to define which userlevels are present in your system (hit the Define button) AND select them after you define them for everything to work.  Furthermore, I think (I don't use the built in, so I would have to build a new app to test it) that DW expects the user levels to be text and if the column in your table is integer, it can cause some issues with validation.

south_paw (Author) commented:
OK, let's not worry about the access level, I can sort that out later.  The main thing is only displaying the right info to each customer based on custno.  As well as the search function, there is a "display all" tab, which a user can select if they want to view all orders in the db.  Taking the custno from the login, I used the following SQL:

SELECT * FROM info WHERE custno = 'colname' ORDER BY id ASC

And the value of colname is: $_SESSION['custno'].

Custno is set up as the access level variable per above post, but after login, it is still not restricting the items displayed, i.e. it is displaying all customer data, and not restricting it to just the number entered at login.

This is the main prob that I need to fix.

Ta.
Jason C. Levine commented:
If you made my changes as I posted them, then the above is wrong:

//FINAL CHANGE
    session_register("sess_custno");

So the value of colname should be $_SESSION['sess_custno']
south_paw (Author) commented:
When I hit view all, nothing is displayed, i.e. the session variable custno is not being passed to the query.
south_paw (Author) commented:
Jason,

Yep, made that mod too, but the table is still empty (deleted the cookies, refreshed etc.).  Is it because custno was set up as the access level on the login screen?  

Getting closer, I can just feel it!
south_paw (Author) commented:
Here's the script from the view all page:

<?php
$maxRows_rsStatus = 500;
$pageNum_rsStatus = 0;
if (isset($_GET['pageNum_rsStatus'])) {
  $pageNum_rsStatus = $_GET['pageNum_rsStatus'];
}
$startRow_rsStatus = $pageNum_rsStatus * $maxRows_rsStatus;

$colname_rsStatus = "-1";
if (isset($_SESSION['sess_custno'])) {
  $colname_rsStatus = (get_magic_quotes_gpc()) ? $_SESSION['sess_custno'] : addslashes($_SESSION['sess_custno']);
}
mysql_select_db($database_ami_mysql, $ami_mysql);
$query_rsStatus = sprintf("SELECT * FROM info WHERE custno = '%s' ORDER BY id ASC", $colname_rsStatus);
$query_limit_rsStatus = sprintf("%s LIMIT %d, %d", $query_rsStatus, $startRow_rsStatus, $maxRows_rsStatus);
$rsStatus = mysql_query($query_limit_rsStatus, $ami_mysql) or die(mysql_error());
$row_rsStatus = mysql_fetch_assoc($rsStatus);

if (isset($_GET['totalRows_rsStatus'])) {
  $totalRows_rsStatus = $_GET['totalRows_rsStatus'];
} else {
  $all_rsStatus = mysql_query($query_rsStatus);
  $totalRows_rsStatus = mysql_num_rows($all_rsStatus);
}
$totalPages_rsStatus = ceil($totalRows_rsStatus/$maxRows_rsStatus)-1;
?>
Jason C. Levine commented:
This is on a page that is protected and has the session initialized?
Jason C. Levine commented:
>>  Is it because custno was set up as the access level on the login screen?  

Possibly, but I doubt it.  

Add this to the View All Page at the very top:

<?php
session_start();
?>

south_paw (Author) commented:
Jason,

That didn't work either.  I'll attempt to give you more detail:  the select view page that the user arrives on after login has fields to search by either order or item, and has a separate tab to view all items.  I've removed all the protection on this page, as that was preventing the page from opening.

When the tab for view all is selected, nothing shows up in the dynamic table.  I could put a text field on this page and have users enter their customer no then submit the number as a form variable, but I want this to be matched to a profile and be verified during login (otherwise any customer number could be entered).

When I test the SQL (restrict by cust no) during the recordset wizard, it works.  Therefore, my only conclusion is that it is not being passed from the login screen somehow...  
Jason C. Levine commented:
Did you change the login script to not use access levels to validate and/or protect the landing page?

I can get this to work on my end using a very simple user table and the built-in behaviors (username and password only), so I am not sure why it is failing for you.  Because we have placed the customer number in the session, you do need to initialize the session on each page in order for PHP to pull it out.  The way to test if it is being passed from page to page correctly is to add an echo statement on the landing page and the view all page:

<?php echo $_SESSION['sess_custno']; ?>

If you can't see that value on the landing page, then something is goofy on the login page.  If you can see that value on the landing page, the goofiness is on the landing page or the view all page.

Repost the current PHP from the following pages:

1) Login page

2) Success page

3) View all page

It is possible that we got our wires crossed on one of the instructions.  There is no reason to ask your users to enter the customer number, you should be able to pull it out of a database with no issues.
south_paw (Author) commented:
Jason,

I tried an echo statement on the landing page, no info was displayed.  Your help is greatly appreciated with this one.

Here's the login page:

<?php require_once('Connections/ami_mysql.php'); ?>
<?php
// *** Validate request to login to this site.
session_start();

$loginFormAction = $_SERVER['PHP_SELF'];
if (isset($accesscheck)) {
  $GLOBALS['PrevUrl'] = $accesscheck;
  session_register('PrevUrl');
}

if (isset($_POST['username'])) {
  $loginUsername=$_POST['username'];
  $password=$_POST['password'];
  $MM_fldUserAuthorization = "";
  $MM_redirectLoginSuccess = "selectview.php";
  $MM_redirectLoginFailed = "loginfailed.php";
  $MM_redirecttoReferrer = false;
  mysql_select_db($database_ami_mysql, $ami_mysql);
 
  $LoginRS__query=sprintf("SELECT username, password FROM detail WHERE username='%s' AND password='%s'",
    get_magic_quotes_gpc() ? $loginUsername : addslashes($loginUsername), get_magic_quotes_gpc() ? $password : addslashes($password));
   
  $LoginRS = mysql_query($LoginRS__query, $ami_mysql) or die(mysql_error());
  $row_LoginRS = mysql_fetch_assoc($LoginRS);
$customernum = $row_LoginRS['custno'];
  $loginFoundUser = mysql_num_rows($LoginRS);
  if ($loginFoundUser) {
     $loginStrGroup = "";
   
    //declare two session variables and assign them
    $GLOBALS['MM_Username'] = $loginUsername;
    $GLOBALS['MM_UserGroup'] = $loginStrGroup;         
       $GLOBALS['sess_custno'] = $customernum;
 

    //register the session variables
    session_register("MM_Username");
    session_register("MM_UserGroup");
      session_register("sess_custno");


    if (isset($_SESSION['PrevUrl']) && false) {
      $MM_redirectLoginSuccess = $_SESSION['PrevUrl'];      
    }
    header("Location: " . $MM_redirectLoginSuccess );
  }
  else {
    header("Location: ". $MM_redirectLoginFailed );
  }
}
?>


Here's the landing page:

<?php
session_start();
?>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"
"http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>

<link href="css/styles.css" rel="stylesheet" type="text/css">
<style type="text/css">
<!--
.style1 {font-family: Arial, Helvetica, sans-serif}
-->
</style>
</head>

<body>
<table width="220" border="0" cellspacing="0" cellpadding="0">
  <tr>
    <td width="220" align="left" valign="top"><table border="0" cellspacing="0" cellpadding="0">
     
        <td colspan="2"><img src="images/B_basCourbe.gif" width=15 height=39 alt=""></td>
      </tr>
   
            <td align="left" valign="top"><object classid="clsid:D27CDB6E-AE6D-11cf-96B8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,29,0" width="196" height="198">
              <param name="movie" value="swf/menu.swf">
              <param name="quality" value="high">
              <embed src="swf/menu.swf" quality="high" pluginspage="http://www.macromedia.com/go/getflashplayer" type="application/x-shockwave-flash" width="196" height="198"></embed>
            </object></td>
            </tr>
         
                </tr>
            </table>
            <form action="ordnum.php" method="get" name="form1">
  <table width="419" align="left">
  <tr>
    <td width="155"><div align="left"><span class="style1">Enter Order number: </span></div></td>
    <td width="151">
      <div align="left">
        <input name="orderfield" type="text" id="orderfield">
      </div></td>
    <td width="63"><div align="left"></div></td>
  </tr>
  <tr>
    <td><div align="left"><span class="style1"><strong>And/Or</strong>  Part Number:</span></div></td>
    <td>
      <div align="left">
        <input type="text" name="matfield">
      </div></td>
    <td><div align="left"></div></td>
  </tr>
  <tr>
    <td height="41"><div align="left">
    </div></td>
    <td>
      <div align="left">
        <input type="submit" name="Submit" value="Submit">  
            </div></td>
    <td><div align="left"></div></td>
  </tr>
</table>
            <div align="center"></div>
            </form>
                    
                            
            <form action="status.php" name="form2" target="_blank">
             
              <div align="center">              </div>
            </form>
            <form action="ecom.php" name="form3" target="_blank">
             
              <div align="center">              </div>
            </form>
                  <form name="form5" method="post" action="ecom.php">
  <input type="submit" name="Submit" value="Administrator">
</form>
<form name="form6" method="post" action="status.php">
<input type="submit" name="Submit" value="View All">
</form><?php echo $_SESSION['sess_custno']; ?>
          </td>

    </table></td>
  </tr>
</table>
</body>
</html>


Here's the view all page:

<?php
session_start();
?>
<?php require_once('Connections/ami_mysql.php'); ?><?php
$maxRows_rsStatus = 500;
$pageNum_rsStatus = 0;
if (isset($_GET['pageNum_rsStatus'])) {
  $pageNum_rsStatus = $_GET['pageNum_rsStatus'];
}
$startRow_rsStatus = $pageNum_rsStatus * $maxRows_rsStatus;

$colname_rsStatus = "-1";
if (isset($_SESSION['sess_custno'])) {
  $colname_rsStatus = (get_magic_quotes_gpc()) ? $_SESSION['sess_custno'] : addslashes($_SESSION['sess_custno']);
}
mysql_select_db($database_ami_mysql, $ami_mysql);
$query_rsStatus = sprintf("SELECT * FROM info WHERE custno = '%s' ORDER BY id ASC", $colname_rsStatus);
$query_limit_rsStatus = sprintf("%s LIMIT %d, %d", $query_rsStatus, $startRow_rsStatus, $maxRows_rsStatus);
$rsStatus = mysql_query($query_limit_rsStatus, $ami_mysql) or die(mysql_error());
$row_rsStatus = mysql_fetch_assoc($rsStatus);

if (isset($_GET['totalRows_rsStatus'])) {
  $totalRows_rsStatus = $_GET['totalRows_rsStatus'];
} else {
  $all_rsStatus = mysql_query($query_rsStatus);
  $totalRows_rsStatus = mysql_num_rows($all_rsStatus);
}
$totalPages_rsStatus = ceil($totalRows_rsStatus/$maxRows_rsStatus)-1;
?>
Jason C. Levine commented:
Bingo.

From login.php

$LoginRS__query=sprintf("SELECT username, password FROM detail WHERE username='%s'

custno is not being selected.
south_paw (Author) commented:
Jason,

Still not working.  I tried selecting it as:

$LoginRS__query=sprintf("SELECT username, password, custno FROM detail WHERE username='%s' AND password='%s' AND custno='%s'",
    get_magic_quotes_gpc() ? $loginUsername : addslashes($loginUsername), get_magic_quotes_gpc() ? $password : addslashes($password), get_magic_quotes_gpc() ? $customernum : addslashes($customernum));

But this doesn't work (probably because the declaration for $customernum is after the above).  I tried declaring $customernum earlier, as in $customernum=$_POST['custno']; but this didn't help   :(

 
   
Jason C. Levine commented:
Start over.  

Redo all the login behaviors and do not validate by user levels this time (the above is still expecting userlevel).  After you redo the code, make sure you go back and add in the custno for selection.  Your login.php should look something like this:

<?php require_once('Connections/ami_mysql.php'); ?>
<?php
// *** Validate request to login to this site.
if (!isset($_SESSION)) {
  session_start();
}

$loginFormAction = $_SERVER['PHP_SELF'];
if (isset($_GET['accesscheck'])) {
  $_SESSION['PrevUrl'] = $_GET['accesscheck'];
}

if (isset($_POST['username'])) {
  $loginUsername=$_POST['username'];
  $password=$_POST['password'];
  $MM_fldUserAuthorization = "";
  $MM_redirectLoginSuccess = "selectview.php";
  $MM_redirectLoginFailed = "loginfailed";
  $MM_redirecttoReferrer = false;
  mysql_select_db($database_Jason, $Jason);
 
  $LoginRS__query=sprintf("SELECT username, password, custno FROM detail WHERE username='%s' AND password='%s'",
    get_magic_quotes_gpc() ? $loginUsername : addslashes($loginUsername), get_magic_quotes_gpc() ? $password : addslashes($password));
   
  $LoginRS = mysql_query($LoginRS__query, $ami_mysql) or die(mysql_error());
  $row_LoginRS = mysql_fetch_assoc($LoginRS);
  $customernum = $row_LoginRS['custno'];   // key must match the column selected above; the post read ['value'], a column of the lookuplists test table
  $loginFoundUser = mysql_num_rows($LoginRS);
  if ($loginFoundUser) {
     $loginStrGroup = "";
   
    //declare two session variables and assign them
    $_SESSION['MM_Username'] = $loginUsername;
    $_SESSION['MM_UserGroup'] = $loginStrGroup;       
    $_SESSION['sess_custno'] = $customernum;    

    if (isset($_SESSION['PrevUrl']) && false) {
      $MM_redirectLoginSuccess = $_SESSION['PrevUrl'];      
    }
    header("Location: " . $MM_redirectLoginSuccess );
  }
  else {
    header("Location: ". $MM_redirectLoginFailed );
  }
}
?>

In selectview.php, redo the protection for username and password only.  Then echo $_SESSION['sess_custno'].

Here is a working installation of the above:  http://jasonsinternet.net/untitled.php

Use the following combos to log in and see the days of the week in return (username, password):

1,1
2,1
3,2
4,2
5,3
6,3
7,4

//But this doesn't work (probably becuase the declaration for $customernum is after the above)

The declaration for $customernum has to be after the $SQL query is executed or it won't work.

//I tried declaring $customernum earlier, as in $customernum=$_POST['custno']; but this didn't help

That would work if custno is a form field.  $_POST and $_GET handle form variables.  Maybe I should have asked this a little earlier, but how much experience do you have with hand-coding PHP?
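An added example, not code from the thread or from Dreamweaver, that puts the three pieces discussed above into one runnable script: the login that copies custno out of the user's own row into the session (the point of the earlier "just add it to the session variable" post), a page guard in place of the generated Restrict Access To Page block, and the View All recordset filtered by the session value. It assumes the pdo_sqlite extension and PHP 7 or later; the `detail` and `info` tables follow the thread, while the `pwhash` and `userlevel` columns and the sample rows are constructed here. Two things deliberately differ from the generated code: the password is checked with password_verify() against a stored hash instead of being matched inside the SQL, and every value reaches the query as a bound parameter, so addslashes() and get_magic_quotes_gpc() are not needed.

```php
<?php
// Added example, not code from the thread. Same flow as the Dreamweaver
// behaviours (look the user up, put custno in the session, filter the second
// recordset by it) without mysql_*, addslashes() or plaintext passwords.
// Assumes pdo_sqlite; the 'detail' and 'info' tables follow the thread, the
// 'pwhash' and 'userlevel' columns and the sample rows are constructed here.
if (session_status() === PHP_SESSION_NONE) {
    session_start();   // on every page that reads $_SESSION, before any output
}

function buildDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE detail (username TEXT PRIMARY KEY, pwhash TEXT, custno TEXT, userlevel TEXT)');
    $db->exec('CREATE TABLE info (id INTEGER PRIMARY KEY, serial TEXT, custno TEXT)');
    $u = $db->prepare('INSERT INTO detail VALUES (?, ?, ?, ?)');
    $u->execute(['alice', password_hash('alice-pass', PASSWORD_DEFAULT), '1001', 'customer']);
    $u->execute(['bob',   password_hash('bob-pass',   PASSWORD_DEFAULT), '2002', 'admin']);
    $i = $db->prepare('INSERT INTO info (serial, custno) VALUES (?, ?)');
    foreach ([['S100', '1001'], ['S200', '2002'], ['S300', '2002']] as $r) {
        $i->execute($r);
    }
    return $db;
}

// login.php: select by username only and verify the hash in PHP. The customer
// number is copied from the user's own row; nothing the form sends decides
// which customer the session belongs to.
function login(PDO $db, string $username, string $password): bool
{
    $st = $db->prepare('SELECT username, pwhash, custno, userlevel FROM detail WHERE username = ?');
    $st->execute([$username]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['pwhash'])) {
        return false;                          // same answer for unknown user and bad password
    }
    session_regenerate_id(true);               // fresh session id once authenticated
    $_SESSION['MM_Username']  = $row['username'];
    $_SESSION['MM_UserGroup'] = $row['userlevel'];   // role, kept separate from the tenant id
    $_SESSION['sess_custno']  = $row['custno'];
    return true;
}

// Replacement for the "Restrict Access To Page" block: logged in, and, when
// a list is given, in one of the allowed user levels.
function requireLogin(array $allowedGroups = []): bool
{
    if (!isset($_SESSION['MM_Username']) || $_SESSION['MM_Username'] === '') {
        return false;
    }
    return $allowedGroups === []
        || in_array($_SESSION['MM_UserGroup'] ?? '', $allowedGroups, true);
}

// status.php "View All": the custno filter comes from the session, never from
// the request, and LIMIT/OFFSET are bound as integers.
function viewAll(PDO $db, int $page = 0, int $perPage = 500): array
{
    if (!requireLogin()) {
        return [];
    }
    $st = $db->prepare('SELECT * FROM info WHERE custno = ? ORDER BY id ASC LIMIT ? OFFSET ?');
    $st->bindValue(1, $_SESSION['sess_custno']);
    $st->bindValue(2, $perPage, PDO::PARAM_INT);
    $st->bindValue(3, $page * $perPage, PDO::PARAM_INT);
    $st->execute();
    return $st->fetchAll(PDO::FETCH_ASSOC);
}

// Walk through the flow; everything that touches the session runs before output.
$db = buildDb();
$trace = [
    'alice, wrong password'   => login($db, 'alice', 'wrong'),
    'alice, correct password' => login($db, 'alice', 'alice-pass'),
    'alice on an admin page'  => requireLogin(['admin']),
    'alice on selectview.php' => requireLogin(),
    'alice on View All'       => viewAll($db),
];
print_r($trace);
```

Run it with php from the command line: the first login fails, the second succeeds, the admin-only guard rejects alice, the plain guard accepts her, and View All returns only the S100 row for customer 1001 even though the table holds rows for customer 2002. On a real site the session_start() stays at the top of every page, which is the same requirement the thread arrives at, and the session id is regenerated at login so a session id fixed before authentication is not carried over.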
Jason C. Levine commented:
Whoops, forgot to post the code from my landing page so you can see why it is working:

<?php require_once('Connections/Jason.php'); ?><?php
if (!isset($_SESSION)) {
  session_start();
}
$MM_authorizedUsers = "";
$MM_donotCheckaccess = "true";

// *** Restrict Access To Page: Grant or deny access to this page
function isAuthorized($strUsers, $strGroups, $UserName, $UserGroup) {
  // For security, start by assuming the visitor is NOT authorized.
  $isValid = False;

  // When a visitor has logged into this site, the Session variable MM_Username set equal to their username.
  // Therefore, we know that a user is NOT logged in if that Session variable is blank.
  if (!empty($UserName)) {
    // Besides being logged in, you may restrict access to only certain users based on an ID established when they login.
    // Parse the strings into arrays.
    $arrUsers = Explode(",", $strUsers);
    $arrGroups = Explode(",", $strGroups);
    if (in_array($UserName, $arrUsers)) {
      $isValid = true;
    }
    // Or, you may restrict access to only certain users based on their username.
    if (in_array($UserGroup, $arrGroups)) {
      $isValid = true;
    }
    if (($strUsers == "") && true) {
      $isValid = true;
    }
  }
  return $isValid;
}

$MM_restrictGoTo = "untitled3.php";
if (!((isset($_SESSION['MM_Username'])) && (isAuthorized("",$MM_authorizedUsers, $_SESSION['MM_Username'], $_SESSION['MM_UserGroup'])))) {  
  $MM_qsChar = "?";
  $MM_referrer = $_SERVER['PHP_SELF'];
  if (strpos($MM_restrictGoTo, "?")) $MM_qsChar = "&";
  if (isset($QUERY_STRING) && strlen($QUERY_STRING) > 0)
  $MM_referrer .= "?" . $QUERY_STRING;
  $MM_restrictGoTo = $MM_restrictGoTo. $MM_qsChar . "accesscheck=" . urlencode($MM_referrer);
  header("Location: ". $MM_restrictGoTo);
  exit;
}
?>
<?php
$colname_Recordset1 = "-1";
if (isset($_SESSION['cust_sess'])) {
  $colname_Recordset1 = (get_magic_quotes_gpc()) ? $_SESSION['cust_sess'] : addslashes($_SESSION['cust_sess']);
}
mysql_select_db($database_Jason, $Jason);
$query_Recordset1 = sprintf("SELECT * FROM lookuplists WHERE `value` = '%s'", $colname_Recordset1);
$Recordset1 = mysql_query($query_Recordset1, $Jason) or die(mysql_error());
$row_Recordset1 = mysql_fetch_assoc($Recordset1);
$totalRows_Recordset1 = mysql_num_rows($Recordset1);
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Untitled Document</title>
</head>

<body>
<p>Access not denied</p>
<p>Test of session echo: <?php echo $_SESSION['cust_sess']; ?></p>
<p>Test of lookup from table by session echo:</p>
<p><?php echo $row_Recordset1['newprime']; ?> <?php echo $row_Recordset1['linking']; ?>  <?php echo $row_Recordset1['value']; ?></p>
</body>
</html>
<?php
mysql_free_result($Recordset1);
?>

FYI: untitled3.php is the failure page.
south_paw (Author) commented:
Jason,

I think I am going mad.  I know a little PHP, basically I had three the text areas (username, password, custno, that's why I had the post setup) but have removed custno as I now see what you mean by just matching the value in the table for that username.

Problem is, my landing page won't open, rather it redirects to the failed page.  The code is below.  I am sorry this is taking sooo long.  

Landing page:

<?php require_once('Connections/ami_mysql.php'); ?>
<?php
session_start();
$MM_authorizedUsers = "";
$MM_donotCheckaccess = "true";

// *** Restrict Access To Page: Grant or deny access to this page
function isAuthorized($strUsers, $strGroups, $UserName, $UserGroup) {
  // For security, start by assuming the visitor is NOT authorized.
  $isValid = False;

  // When a visitor has logged into this site, the Session variable MM_Username set equal to their username.
  // Therefore, we know that a user is NOT logged in if that Session variable is blank.
  if (!empty($UserName)) {
    // Besides being logged in, you may restrict access to only certain users based on an ID established when they login.
    // Parse the strings into arrays.
    $arrUsers = Explode(",", $strUsers);
    $arrGroups = Explode(",", $strGroups);
    if (in_array($UserName, $arrUsers)) {
      $isValid = true;
    }
    // Or, you may restrict access to only certain users based on their username.
    if (in_array($UserGroup, $arrGroups)) {
      $isValid = true;
    }
    if (($strUsers == "") && true) {
      $isValid = true;
    }
  }
  return $isValid;
}

$MM_restrictGoTo = "path.php";  //redirecting to this page.
if (!((isset($_SESSION['MM_Username'])) && (isAuthorized("",$MM_authorizedUsers, $_SESSION['MM_Username'], $_SESSION['MM_UserGroup'])))) {  
  $MM_qsChar = "?";
  $MM_referrer = $_SERVER['PHP_SELF'];
  if (strpos($MM_restrictGoTo, "?")) $MM_qsChar = "&";
  if (isset($QUERY_STRING) && strlen($QUERY_STRING) > 0)
  $MM_referrer .= "?" . $QUERY_STRING;
  $MM_restrictGoTo = $MM_restrictGoTo. $MM_qsChar . "accesscheck=" . urlencode($MM_referrer);
  header("Location: ". $MM_restrictGoTo);
  exit;
}
?>
<?php
session_start();
?>

-------------------------------------------------
Login page:

<?php require_once('Connections/ami_mysql.php'); ?>
<?php
// *** Validate request to login to this site.
if (!isset($_SESSION)) {
  session_start();
}

$loginFormAction = $_SERVER['PHP_SELF'];
if (isset($_GET['accesscheck'])) {
  $_SESSION['PrevUrl'] = $_GET['accesscheck'];
}

if (isset($_POST['username'])) {
  $loginUsername=$_POST['username'];
  $password=$_POST['password'];
  $MM_fldUserAuthorization = "";
  $MM_redirectLoginSuccess = "selectview.php";
  $MM_redirectLoginFailed = "loginfailed";
  $MM_redirecttoReferrer = false;
  mysql_select_db($database_Jason, $Jason);
 
  $LoginRS__query=sprintf("SELECT username, password, custno FROM detail WHERE username='%s' AND password='%s'",
    get_magic_quotes_gpc() ? $loginUsername : addslashes($loginUsername), get_magic_quotes_gpc() ? $password : addslashes($password));
   
  $LoginRS = mysql_query($LoginRS__query, $ami_mysql) or die(mysql_error());
  $row_LoginRS = mysql_fetch_assoc($LoginRS);
  $customernum = $row_LoginRS['value'];
  $loginFoundUser = mysql_num_rows($LoginRS);
  if ($loginFoundUser) {
     $loginStrGroup = "";
   
    //declare two session variables and assign them
    $_SESSION['MM_Username'] = $loginUsername;
    $_SESSION['MM_UserGroup'] = $loginStrGroup;      
    $_SESSION['sess_custno'] = $customernum;    

    if (isset($_SESSION['PrevUrl']) && false) {
      $MM_redirectLoginSuccess = $_SESSION['PrevUrl'];    
    }
    header("Location: " . $MM_redirectLoginSuccess );
  }
  else {
    header("Location: ". $MM_redirectLoginFailed );
  }
}
?>
0
 
south_paw (Author) Commented:
(Disregard the db setting in the login page, I changed these to mine)
0
 
Jason C. Levine Commented:
Okay, I think I know.  Sessions may not be enabled on your server.

Here is the test.  Create a new php page and paste this code in it.  Post it to the server and browse to it.  If you do not see "Whee...I am a session variable" on the screen, then your ISP is preventing sessions from working.  I'm going out to breakfast now, be back in an hour or so.

<?php
// *** Validate request to login to this site.
if (!isset($_SESSION)) {
  session_start();
}

$testing = "Whee...I am a session variable";

$_SESSION['mySession'] = $testing;

?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Untitled Document</title>
</head>

<body>
<?php echo $_SESSION['mySession']; ?>
</body>
</html>
0
 
south_paw (Author) Commented:
Jason,

I fixed the landing page problem by creating a new landing page, sv1.php; the code is below.

It is still not receiving the session variable, when it runs, the output is:

Access not denied

Test of session echo:

Test of lookup from table by session echo:

---------------------------------------

<?php require_once('Connections/ami_mysql.php'); ?><?php
if (!isset($_SESSION)) {
  session_start();
}
$MM_authorizedUsers = "";
$MM_donotCheckaccess = "true";

// *** Restrict Access To Page: Grant or deny access to this page
function isAuthorized($strUsers, $strGroups, $UserName, $UserGroup) {
  // For security, start by assuming the visitor is NOT authorized.
  $isValid = False;

  // When a visitor has logged into this site, the Session variable MM_Username set equal to their username.
  // Therefore, we know that a user is NOT logged in if that Session variable is blank.
  if (!empty($UserName)) {
    // Besides being logged in, you may restrict access to only certain users based on an ID established when they login.
    // Parse the strings into arrays.
    $arrUsers = Explode(",", $strUsers);
    $arrGroups = Explode(",", $strGroups);
    if (in_array($UserName, $arrUsers)) {
      $isValid = true;
    }
    // Or, you may restrict access to only certain users based on their username.
    if (in_array($UserGroup, $arrGroups)) {
      $isValid = true;
    }
    if (($strUsers == "") && true) {
      $isValid = true;
    }
  }
  return $isValid;
}

$MM_restrictGoTo = "path.php";
if (!((isset($_SESSION['MM_Username'])) && (isAuthorized("",$MM_authorizedUsers, $_SESSION['MM_Username'], $_SESSION['MM_UserGroup'])))) {  
  $MM_qsChar = "?";
  $MM_referrer = $_SERVER['PHP_SELF'];
  if (strpos($MM_restrictGoTo, "?")) $MM_qsChar = "&";
  if (isset($QUERY_STRING) && strlen($QUERY_STRING) > 0)
  $MM_referrer .= "?" . $QUERY_STRING;
  $MM_restrictGoTo = $MM_restrictGoTo. $MM_qsChar . "accesscheck=" . urlencode($MM_referrer);
  header("Location: ". $MM_restrictGoTo);
  exit;
}
?>
<?php require_once('Connections/ami_mysql.php'); ?><?php
$maxRows_rsStatus = 500;
$pageNum_rsStatus = 0;
if (isset($_GET['pageNum_rsStatus'])) {
  $pageNum_rsStatus = $_GET['pageNum_rsStatus'];
}
$startRow_rsStatus = $pageNum_rsStatus * $maxRows_rsStatus;

$colname_rsStatus = "-1";
if (isset($_SESSION['sess_custno'])) {
  $colname_rsStatus = (get_magic_quotes_gpc()) ? $_SESSION['sess_custno'] : addslashes($_SESSION['sess_custno']);
}
mysql_select_db($database_ami_mysql, $ami_mysql);
$query_rsStatus = sprintf("SELECT ponum, sono, item, descrip, ordate, rqdate, shipdate, qtyord, qtyshp, invno, shipvia, bol FROM poinfo WHERE custno = '%s' ORDER BY id ASC", $colname_rsStatus);
$query_limit_rsStatus = sprintf("%s LIMIT %d, %d", $query_rsStatus, $startRow_rsStatus, $maxRows_rsStatus);
$rsStatus = mysql_query($query_limit_rsStatus, $ami_mysql) or die(mysql_error());
$row_rsStatus = mysql_fetch_assoc($rsStatus);

if (isset($_GET['totalRows_rsStatus'])) {
  $totalRows_rsStatus = $_GET['totalRows_rsStatus'];
} else {
  $all_rsStatus = mysql_query($query_rsStatus);
  $totalRows_rsStatus = mysql_num_rows($all_rsStatus);
}
$totalPages_rsStatus = ceil($totalRows_rsStatus/$maxRows_rsStatus)-1;
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Untitled Document</title>
</head>

<body>
<p>Access not denied</p>
<p>Test of session echo: <?php echo $_SESSION['cust_sess']; ?></p>
<p>Test of lookup from table by session echo:</p>
<p><?php echo $row_rsStatus['ponum']; ?> <?php echo $row_rsStatus['sono']; ?>  <?php echo $row_rsStatus['item']; ?></p>
</body>
</html>
<?php
mysql_free_result($rsStatus);
?>
0
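An added example, not code from the thread or from Dreamweaver, showing the same login-then-filter flow used in the login page and in sv1.php above, but with PDO prepared statements instead of addslashes() string building and with hashed passwords instead of plaintext comparison. Table and column names are the thread's; the DSN and credentials are placeholders for what Connections/ami_mysql.php holds, and detail.password is assumed to contain a password_hash() value.

```php
<?php
// Added example, not the thread's Dreamweaver code: the login-then-filter flow
// with PDO prepared statements and hashed passwords. Table/column names are
// the thread's; detail.password is assumed to hold a password_hash() value.
session_start();

function connect(): PDO {
    // DSN and credentials are placeholders for the values in Connections/ami_mysql.php.
    $pdo = new PDO('mysql:host=localhost;dbname=DBNAME;charset=utf8mb4', 'DBUSER', 'DBPASS');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    return $pdo;
}

// Login page: look the user up by username only, verify the hash in PHP, and put
// the customer number the database returned (not a form field) into the session.
function login(PDO $pdo, string $username, string $password): bool {
    $stmt = $pdo->prepare('SELECT password, custno FROM detail WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password'])) {
        return false;                    // unknown user or wrong password
    }
    session_regenerate_id(true);         // fresh session id once authenticated
    $_SESSION['MM_Username'] = $username;
    $_SESSION['sess_custno'] = $row['custno'];
    return true;
}

// sv1.php: the filter value comes from the session, never from the request, so a
// user cannot edit custno in the URL or form to see another customer's rows.
function customerOrders(PDO $pdo, int $page = 0, int $perPage = 500): array {
    if (!isset($_SESSION['sess_custno'])) {
        header('Location: login.php');   // not logged in: redirect, show nothing
        exit;
    }
    $stmt = $pdo->prepare(
        'SELECT ponum, sono, item, descrip, ordate, rqdate, shipdate, qtyord, qtyshp,
                invno, shipvia, bol
           FROM poinfo WHERE custno = :custno ORDER BY id ASC LIMIT :offset, :count');
    $stmt->bindValue(':custno', $_SESSION['sess_custno']);
    $stmt->bindValue(':offset', $page * $perPage, PDO::PARAM_INT);
    $stmt->bindValue(':count', $perPage, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```

Call login() from the form handler in place of the $LoginRS block, and customerOrders() where sv1.php builds $rsStatus; the custno is bound as a parameter, so no escaping of the session value is needed.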
 
south_paw (Author) Commented:
The above sv1.php was amended here: <p>Access not denied</p>
<p>Test of session echo: <?php echo $_SESSION['sess_custno']; ?></p>

Just a thought, under bindings, there is the recordset and a form, but no session variables.  Would this indicate anything?

0
 
south_paw (Author) Commented:
YEAH!  I forgot to change your col name 'value' on the login page!!

Value passing now!!!!!!

0
 
south_paw (Author) Commented:
BTW, you are a PHP legend.  Thanks for all your help.
0
 
Jason C. Levine Commented:
You're welcome, I'm glad it is working now.
0
