How can you limit the access of unregistered users while giving registered users full access?

StackOverflow https://stackoverflow.com/questions/15651099

29-03-2022

Question

I'm trying to create a webpage with users and information that can only be accessed by registered users. Is it possible to limit the files an unregistered user can see? If so, how? I already have a MySQL database with a connection in index.php. Here's what I have so far:

<head></head>
<body>
    <h3>Signup Here:</h3>
    <form method="post" action="userindex.php">
        Please enter user name: <input type="text" name="username" value="" /><br />
        Please enter password: <input type="password" name="password" value="" /><br />
        <input type="submit" value="Submit"/>
    </form>
</body>

<?php
include ("dbroutines.php");

if (isset($_POST['username'])) {
    if ($_POST['username']>'' && $_POST['password']>'' ) {
        // Form values are concatenated directly into the SQL string.
        $q="insert into users (Name, Password ) values ('".$_POST['username']."', '".$_POST['password']."')";
        echo 'query='.$q;
        $conn=db_connect();
        $result=$conn->query($q);
        echo '<br />xxx'.$conn->error."xxx";
        unset($_POST['username']);
        unset($_POST['password']);
    } else {
        echo 'Please enter both username AND password!';
    }
}

// Lists every user and their stored (plain-text) password.
$q="select Name, Password from users";
$conn=db_connect();
$result=$conn->query($q);
echo 'xxx'.$conn->error."xxx";
if ($result){
    echo '<hr />';
    for ($count=0; $row=$result->fetch_row(); ++$count ) {
        echo $count." Name=".$row[0]." password=".$row[1].'<br />';
    }
    echo '<b style="color:red;">there are '.$count.' users in your database!'.'</b><hr />';
}

From this, can you specify what kind of user gets access to certain files like the userindex.php?


Solution

I think verifying the user is not a foolproof solution. You have to keep a token in the Session to remember that this user is a registered user. You have to create a common PHP page, called Security.php, where you will put the following code, because a smart user can directly type the URL and reach your confidential pages. You need to include this page at the top of each PHP page you want to secure.

         session_start();                    // must run before $_SESSION is available
         if (!isset($_SESSION['AuthId'])) {  // token set at login; absent means not logged in
             header('Location: Login.php');
             exit;                           // stop rendering the protected page
         }

OTHER TIPS

Yes. Query your database for someone with the given username and password using a query that would look something like this:

select * from users where Name = 'john.doe' and Password = 'hunter2' limit 1

If it yields any rows, the user exists, and you should let them in. If there are no rows, then that combination of username and password is invalid and you should not let them in.

That's the basics, but if you're actually going to put this into production, you'll want to make a few more changes:

  • Escape the data you're putting in the query appropriately or use prepared queries. As is, your code is vulnerable to an SQL injection attack. Say, for example, I tried to create an account with an apostrophe in the username or password. Your code would break. This could be leveraged for malicious means, too, so you really should patch that up.

    The simplest way to patch it up would be to escape everything before you put it into the query, using, say, mysql_real_escape_string. That'll probably work, but even better (since the whole mysql_ family of functions is deprecated) would be to use prepared queries and PDO, as I've shown below.

  • Hash and salt your passwords so a database compromise (which could happen rather easily if the above vulnerability is left unpatched) will not reveal all the passwords.

Your code might then look like this:

// You'd probably want to put these in a separate configuration file.
$db = new PDO('mysql:dbname=test', 'my_mysql_user', 'hunter2');

// Make any errors throw an exception.
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Look the user up by name only; the password is checked in PHP below.
$query = $db->prepare('select * from users where Name = :name limit 1');
$query->bindValue(":name", $_POST['username'], PDO::PARAM_STR);
$query->execute();                       // run the prepared statement before fetching
$row = $query->fetch(PDO::FETCH_ASSOC);

if($row === FALSE) {
    // User not in the database; don't let them in.
    exit;                                // stop here: $row is not an array
}

$calculatedHash = hash("sha512", $row['PasswordSalt'] . $_POST['password']);
if($calculatedHash === $row['PasswordHash']) {
    // Password's right. Let them in.
}else{
    // Password's wrong. Keep them out.
}

Further improvements would be to use, say, bcrypt rather than salted SHA-512.
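Putting the accepted answer's session token together with this answer's two tips (prepared statements, and bcrypt instead of salted SHA-512), as an added example that is not code from either answer. It assumes a table users(Name, PasswordHash) and placeholder PDO credentials; the function names register, login and require_auth are this example's own.

```php
<?php
// Added example: prepared statements + bcrypt + a session token gate.
// Assumes table users(Name VARCHAR, PasswordHash VARCHAR(255)); DSN and
// credentials are placeholders to replace with your own.

function db(): PDO {
    $db = new PDO('mysql:dbname=test;charset=utf8mb4', 'my_mysql_user', 'db-password-placeholder');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // real server-side prepares
    return $db;
}

// Registration: an apostrophe in the name is harmless because the value
// travels as a bound parameter, never as part of the SQL text.
function register(string $name, string $password): void {
    $hash = password_hash($password, PASSWORD_BCRYPT);   // salt generated and embedded in the hash
    $q = db()->prepare('insert into users (Name, PasswordHash) values (:name, :hash)');
    $q->execute([':name' => $name, ':hash' => $hash]);
}

// Login: fetch the stored hash by name only, verify in PHP. One failure path
// for "no such user" and "wrong password" so the response does not reveal which.
function login(string $name, string $password): bool {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $q = db()->prepare('select PasswordHash from users where Name = :name limit 1');
    $q->execute([':name' => $name]);
    $row = $q->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['PasswordHash'])) {
        return false;
    }
    session_regenerate_id(true);   // fresh session id on login (session fixation defence)
    $_SESSION['AuthId'] = $name;   // the token the protected pages check
    return true;
}

// Equivalent of the accepted answer's Security.php: call at the top of each
// protected page. session_start() must run before $_SESSION can be read.
function require_auth(): void {
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!isset($_SESSION['AuthId'])) {
        header('Location: Login.php');
        exit;
    }
}
```

A login handler would call login($_POST['username'], $_POST['password']) and redirect on true; every page that should be visible only to registered users starts with require_auth().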

You can put one extra field in the login table, named 'Role'.

Each login time, check if it is the Master user; then it can have more access.

If it is an extra user, then limited access.

You got my point? Or any query?

Licensed under: CC-BY-SA with attribution