Can anyone help me?
I'm still a newbie in using most of the PHP stuff here. I'm kind of having a problem with creating multiple users using sessions.
What I want to do is this. An account exclusive only of admin and an account only for normal users.
Admin privileges will be able to access pages for admins only, while normal users who log in will be able to access pages meant for users only.
So far I've created a single user login credential, which is for admins only. I'm really confused about how to add a non-admin in order to access pages only for them.
Can anyone help me with this code?
This is the home page
<?php
// Initialize session
session_start();
error_reporting(E_ALL ^ E_NOTICE);
//$name = $_SESSION['username'];
if (isset($_SESSION['username']))
{
    header('Location: index_admin.php');
    exit; // stop the script so nothing else runs after the redirect
}
?>
This is the admin page
<?php
// Initialize session
session_start();
// Check, if username session is NOT set then this page will jump to login page
if (!isset($_SESSION['username']))
{
    header('Location: index.php');
    exit; // without this the rest of the admin page is still sent to the client
}
?>
This is the login form
<form action="login.php" method="post">
<input type="text" name="uname" placeholder="USERNAME . . . " autofocus/>
<br/>
<input type="password" name="pword" placeholder="PASSWORD . . . " />
<br/>
<center><input type="submit" name="submit" value="LOGIN" /><button type="reset" value="Reset">RESET</button></center>
</form>
This is the login.php
<?php
session_start();
include("config.php");
$login = mysql_query("SELECT * FROM users WHERE (username = '" . mysql_real_escape_string($_POST['uname']) . "') and (password = '" . mysql_real_escape_string($_POST['pword']) . "')");
// Check username and password match
if (mysql_num_rows($login) == 1)
{
    // Set username session variable
    $_SESSION['username'] = $_POST['uname'];
    // Jump to secured page
    header('Location: index_admin.php');
    exit; // end the script after the redirect
}
else
{
    // Jump to login page
    header('Location: index.php');
    exit; // end the script after the redirect
}
?>
This is the database
user_tbl
id = 1
username = admin
password = 12345
Thanks in advance for the assistance.
It seems from your question that you'll use the same login page for both administrative users and non-administrative users. That's the case for which I'll offer an answer.
In the process of validating a particular user's name and password, you need to determine what privilege level that user has been granted. You might have a column called "privilege" in your user table.
usr_tbl needs to look something like this:
id   username   password       privilege
1    admin      W$^%^$%^%^%    admin
2    reggel     DJDT&646364    user
3    ollie      DTHDHFGEERT    user
Upon login, you'll read the usr_table and pull that user's value out of the column and store it as a session variable, something like this:
$_SESSION['privilege'] = $privilege; /* from user table */
Then you can do logic like this to decide what your user should see, and what she should be able to do.
if ( 'admin' == $_SESSION['privilege'] ) {
    // Jump to secured page
    header('Location: index_admin.php');
    exit; // end the script after the redirect
}
else {
    // Jump to login page
    header('Location: index.php');
    exit; // end the script after the redirect
}
In later page views, if your session logic is functioning correctly, the $_SESSION['privilege'] variable should continue to be available.
p.s. mysql_ APIs for security code? Really?
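The following is an added example, not code from the question or the answer: one way to read the privilege column at login, store it in the session, and guard each protected page with it. It assumes a `users` table with `username`, `password` (holding `password_hash()` output) and `privilege` columns, uses an in-memory SQLite database through PDO in place of MySQL, and the page name `index_user.php`, the helper names and the demo accounts are hypothetical.

```php
<?php
// Added example, not the poster's code. Assumed schema: users(username, password, privilege),
// where password holds password_hash() output. In-memory SQLite stands in for MySQL.
declare(strict_types=1);

function authenticate(PDO $db, string $user, string $pass): ?string
{
    // Prepared statement: input is bound, never concatenated into the SQL.
    $stmt = $db->prepare('SELECT password, privilege FROM users WHERE username = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($pass, $row['password'])) {
        return null; // unknown user or wrong password
    }
    return $row['privilege']; // value comes from the database, never from the request
}

function login(PDO $db, string $user, string $pass): string
{
    $privilege = authenticate($db, $user, $pass);
    if ($privilege === null) {
        return 'index.php';
    }
    session_regenerate_id(true); // fresh session id once the privilege level changes
    $_SESSION['username'] = $user;
    $_SESSION['privilege'] = $privilege;
    // index_user.php is a hypothetical page name for non-admin users.
    return $privilege === 'admin' ? 'index_admin.php' : 'index_user.php';
}

// Guard for the top of each protected page, e.g. require_privilege('admin').
function require_privilege(string $needed): void
{
    if (($_SESSION['privilege'] ?? null) !== $needed) {
        header('Location: index.php');
        exit; // without this the protected page body is still sent
    }
}

// Constructed demo data and accounts.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, privilege TEXT)');
$ins = $db->prepare('INSERT INTO users VALUES (?, ?, ?)');
$ins->execute(['admin', password_hash('constructed-admin-pw', PASSWORD_DEFAULT), 'admin']);
$ins->execute(['reggel', password_hash('constructed-user-pw', PASSWORD_DEFAULT), 'user']);

session_start();
$target = login($db, 'reggel', 'constructed-user-pw');
echo $target, ' ', $_SESSION['privilege'], "\n";
```

In a real page, `login()`'s return value would be passed to `header('Location: ...')` followed by `exit`, and each admin page would start with `session_start()` and `require_privilege('admin')`.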