I am working on an admin section which has a login page with a login ID and password form.
In my admin section I have many pages, say login.php, st_admin.php, tmg_admin.php etc.
If I have to access the st_admin.php page then I can access it just by typing the link
without entering the login user and password.
I want to restrict access to all pages through the admin panel only. No one should be able to access any of the pages by typing the URL directly. How is this possible?
The login.php code:
<?php require_once('conn/conn.php'); ?>
<?php
// *** Validate request to login to this site.
session_unset();
session_start();
$loginFormAction = $_SERVER['PHP_SELF'];
if (isset($accesscheck)) {
    $GLOBALS['PreUrl'] = $accesscheck;
    session_register('PreUrl');
}
if (isset($_POST['staffid'])) {
    $loginUsername = $_POST['staffid'];
    $password = md5($_POST['password']);
    $MM_fldUserAuthorization = "accessid";
    $MM_redirectLoginSuccess = "staff/st_admin.php";
    $MM_redirectLoginFailed = "login.php?error=1";
    $MM_redirecttoReferrer = false;
    mysql_select_db($database_conn, $conn);
    $LoginRS__query = sprintf("SELECT staffid, password, teamcode, accessid FROM tbl_staff WHERE staffid='%s' AND password='%s'",
        get_magic_quotes_gpc() ? $loginUsername : addslashes($loginUsername),
        get_magic_quotes_gpc() ? $password : addslashes($password));
    $LoginRS = mysql_query($LoginRS__query, $conn) or die(mysql_error());
    $loginFoundUser = mysql_num_rows($LoginRS);
    if ($loginFoundUser) {
        $loginStrGroup = mysql_result($LoginRS, 0, 'accessid');
        // declare two session variables and assign them
        $GLOBALS['MM_Username'] = $loginUsername;
        $GLOBALS['MM_UserGroup'] = $loginStrGroup;
        // register the session variables
        session_register("MM_Username");
        session_register("MM_UserGroup");
        if (isset($_SESSION['PrevUrl']) && false) {
            $MM_redirectLoginSuccess = $_SESSION['PrevUrl'];
        }
        // Note: each case assigns a string to $MM_fldUserAuthorization, so the
        // switch effectively compares $loginStrGroup against '2' and '3'.
        switch ($loginStrGroup) {
            case $MM_fldUserAuthorization = '2':
                $_SESSION['staffid'] = $loginUsername;
                header("Location: tutor/tr_admin.php");
                break;
            case $MM_fldUserAuthorization = '3':
                $_SESSION['staffid'] = $loginUsername;
                header("Location: manager/mg_calendar.php");
                break;
            default:
                $_SESSION['staffid'] = $loginUsername;
                header("Location: " . $MM_redirectLoginSuccess);
        }
    } else {
        header("Location: " . $MM_redirectLoginFailed);
    }
}
?>
The st_admin.php code is:
<?php
session_start();
$MM_authorizedUsers = "";
$MM_donotCheckaccess = "true";
// *** Restrict Access To Page: Grant or deny access to this page
// Note: this function is only defined here; nothing on the page calls it or
// redirects when it returns false, so the page renders for any visitor.
function isAuthorized($strUsers, $strGroups, $UserName, $UserGroup) {
    // For security, start by assuming the visitor is NOT authorized.
    $isValid = False;
    // When a visitor has logged into this site, the Session variable MM_Username is set equal to their username.
    // Therefore, we know that a user is NOT logged in if that Session variable is blank.
    if (!empty($UserName)) {
        // Besides being logged in, you may restrict access to only certain users based on an ID established when they login.
        // Parse the strings into arrays.
        $arrUsers = Explode(",", $strUsers);
        $arrGroups = Explode(",", $strGroups);
        if (in_array($UserName, $arrUsers)) {
            $isValid = true;
        }
        // Or, you may restrict access to only certain users based on their username.
        if (in_array($UserGroup, $arrGroups)) {
            $isValid = true;
        }
        if (($strUsers == "") && true) {
            $isValid = true;
        }
    }
    return $isValid;
}
?>
I would really appreciate any advice.
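One way to enforce the check on every admin page, as an added example that is not the poster's code: a single guard file that each admin page requires on its first line, and a helper that login.php calls once the password has been verified. The file name auth_check.php, the session key 'accessid' and the group values are assumptions; st_admin.php lives under staff/, so its require path goes one level up.

```php
<?php
// auth_check.php (assumed name) -- put this as the FIRST line of every admin page:
//   <?php require_once __DIR__ . '/../auth_check.php'; ?>   (from staff/, tutor/, manager/)
// Assumes login.php calls admin_login_session() after the password check succeeds.

if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
}

// Called by login.php after the credentials have been verified.
// Regenerating the id stops a session fixed before login from being reused.
function admin_login_session(string $staffid, string $accessid): void
{
    session_regenerate_id(true);
    $_SESSION['staffid']  = $staffid;
    $_SESSION['accessid'] = $accessid;   // '2' tutor, '3' manager, other = staff (assumed values)
}

// True only when the session carries a completed login.
function admin_is_logged_in(): bool
{
    return isset($_SESSION['staffid'], $_SESSION['accessid'])
        && $_SESSION['staffid'] !== '';
}

// Optional per-page restriction to certain access groups; empty list = any staff.
function admin_has_group(array $allowedGroups): bool
{
    if ($allowedGroups === []) {
        return true;
    }
    return in_array($_SESSION['accessid'] ?? null, $allowedGroups, true);
}

// Clear the session, redirect to the login form and stop output immediately.
function admin_deny(string $loginUrl = '/admin/login.php'): void
{
    $_SESSION = [];
    session_destroy();
    header('Location: ' . $loginUrl, true, 302);
    exit;   // without exit, the rest of the page is still sent after the redirect header
}

// A page may set $ADMIN_ALLOWED_GROUPS before the require, e.g. ['3'] for manager-only pages.
$ADMIN_ALLOWED_GROUPS = $ADMIN_ALLOWED_GROUPS ?? [];

if (!admin_is_logged_in() || !admin_has_group($ADMIN_ALLOWED_GROUPS)) {
    admin_deny();
}
```

The guard must run before any HTML is echoed, otherwise the Location header cannot be sent; the deprecated session_register() calls in the posted login.php can then be dropped in favour of admin_login_session().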