GePraxa - 2 months ago
PHP Question

My system does not restrict login if admin

I have the following code to check the login:

<?php
class User extends Password {
    private $_db;

    function __construct($db) {
        parent::__construct();
        $this->_db = $db;
    }

    // Returns the row for the given user, restricted to type "admin" (the /user copy queries the users table instead)
    private function get_user_hash($user) {
        try {
            $stmt = $this->_db->prepare('SELECT admin_id, user, pass FROM boss WHERE user = :user AND type = "admin"');
            $stmt->execute(array('user' => $user));
            return $stmt->fetch();
        } catch(PDOException $e) {
            echo '<p class="bg-danger">'.$e->getMessage().'</p>';
            return false;
        }
    }

    public function login($user, $password) {
        $row = $this->get_user_hash($user);
        // unknown user: fetch() returned false, so there is no hash to verify against
        if ($row === false) {
            return false;
        }
        if ($this->password_verify($password, $row['pass']) == 1) {
            $_SESSION['loggedin'] = true;
            $_SESSION['user'] = $row['user'];
            return true;
        }
        return false;
    }

    public function logout() {
        session_destroy();
    }

    // Only records that someone is logged in; nothing in the session says which role
    public function is_logged_in() {
        if (isset($_SESSION['loggedin']) && $_SESSION['loggedin'] == true) {
            return true;
        }
        return false;
    }
}
$user = new User($db);


Everything works properly. The problem is that I have two directories, "admin" and "user", and within each are "the same files", with the only difference being that each folder has a different query in its settings:

admin:
SELECT admin_id, user, pass FROM Boss WHERE user = :user AND type = "admin"


user:
SELECT admin_id, user, pass FROM users WHERE user =:user AND type = "user"


When I change /admin to /user, my verification code (above) should distinguish whether or not the user is an admin. Since it does not, the session passes and access continues, because the check thinks it is valid.

On each "private" page I put the following:

if ($user->is_logged_in()) { header('Location: user-area.php'); exit; } // exit so nothing after the redirect runs


What should I do?

If you need more code to find the solution, just let me know.

I think the problem is in the function "is_logged_in", because I would have to modify the admin configuration file to check differently whether it is an admin, for example (not sure how to do something like this):

// $row is not available here; the type would have to be stored in the session by login()
public function is_logged_in_admin() {
    if (isset($_SESSION['loggedin']) && $_SESSION['loggedin'] == true && isset($_SESSION['type']) && $_SESSION['type'] == "admin") {
        return true;
    }
    return false;
}


and then check:
if ($user->is_logged_in_admin()) { header('Location: index.php?ruta=panel'); exit; }


Would that be fine, or what would be the right way?

Answer

UPDATE: You're making it harder than it has to be. All you need to do is copy your original users class and make the following changes:

<?php
include('password.php');
class Admin extends Password{
    private $_db;
    function __construct($db){
        parent::__construct();
        $this->_db = $db;
    }
    private function get_user_hash($username){
        try {
            $stmt = $this->_db->prepare('SELECT password, username, adminID FROM admin WHERE username = :username AND active="Yes" ');
            //copy user table, name admin, change memberID to adminID
            $stmt->execute(array('username' => $username));
            return $stmt->fetch();
        } catch(PDOException $e) {
            echo '<p class="bg-danger">'.$e->getMessage().'</p>';
        }
    }
    public function login($username,$password){
        $row = $this->get_user_hash($username);
        // no such admin: fetch() returned false, so there is nothing to verify
        if($row === false){
            return false;
        }
        if($this->password_verify($password,$row['password']) == 1){
            $_SESSION['loggedin'] = true;
            $_SESSION['username'] = $row['username'];
            $_SESSION['adminID'] = $row['adminID']; //change to adminID
            return true;
        }
        return false;
    }
    public function logout(){
        session_destroy();
    }
    public function is_logged_in(){
        if(isset($_SESSION['loggedin']) && $_SESSION['loggedin'] == true){
            return true;
        }
        return false;
    }
}
?>

Then create a totally separate login/logout page for admins only. If you need to check for admin, it's simply isset($_SESSION['adminID']); if you need to check for a user it's isset($_SESSION['memberID']); if you need to see if they are logged in regardless of admin or member it's isset($_SESSION['loggedin']).

This way 99% of your code can be converted to the admin side, simply by changing the table based on what ID is in the session.

 $table = 'user';

 // the admin login stores adminID, the user login stores memberID
 if(isset($_SESSION['adminID'])){
     $table = 'admin';
 }

As an added benefit of having separate logins, you could easily make a login as user function for admins that doesn't use the password. If you use the same session data for both that is impossible.
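Added example (not the question's or the answer's code) of what a role-aware check looks like when the role is recorded in the session at login rather than inferred from which folder the page lives in. It assumes both roles live in the question's `boss` table (admin_id, user, pass, type) and uses PHP's native password_verify() instead of the Password parent class; the class and method names are my own.

```php
<?php
// Added example: role stored at login, checked by a single guard on every page.
session_start();

class RoleAwareUser {
    private $db;
    public function __construct(PDO $db) { $this->db = $db; }

    // One query for both roles; the row's type column decides the role.
    public function login($user, $password) {
        $stmt = $this->db->prepare(
            'SELECT admin_id, user, pass, type FROM boss WHERE user = :user');
        $stmt->execute(array('user' => $user));
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        // An unknown user must fail exactly like a wrong password.
        if ($row === false || !password_verify($password, $row['pass'])) {
            return false;
        }
        session_regenerate_id(true);          // fresh id once privileges change
        $_SESSION['loggedin'] = true;
        $_SESSION['user']     = $row['user'];
        $_SESSION['role']     = $row['type']; // 'admin' or 'user', from the DB row
        return true;
    }

    public function is_logged_in() {
        return !empty($_SESSION['loggedin']);
    }

    // The role comes only from the session set at login, never from the request.
    public function has_role($role) {
        return $this->is_logged_in()
            && isset($_SESSION['role']) && $_SESSION['role'] === $role;
    }

    // Gate a page: anyone without the required role is sent back to the login page.
    public function require_role($role, $redirect = 'login.php') {
        if (!$this->has_role($role)) {
            header('Location: ' . $redirect);
            exit;
        }
    }
}

// On an admin-only page (a user page would call require_role('user')):
// $auth = new RoleAwareUser($db);
// $auth->require_role('admin');
```

With this, the /admin and /user folders no longer need different copies of the class; the same guard is called with a different role on each page.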