How to restrict some links from being clicked without a valid login

I already have the PHP code for login and verification done using a MySQL database.
I have some links which should not work if a user clicks them without a VALID LOGIN.
My index.html page contains this menu:
Home Computer Science Informatics Practices Take Test (login required) Software Register Get Together (login required)
Structure of my web site:
index.html ---- Login Box and Register Page Link
Computer Science (Menu)
   XI (Sub Menu)
      Unsolved Question Papers (Link) login not required
      Project Samples (Link) login not required
      Solved Materials (Link) login required
      Forum (Link) login required

   XII (Sub Menu)
      Unsolved Question Papers (Link) login not required
      Project Samples (Link) login not required
      Solved Materials (Link) login required
      Forum (Link) login required

Here is the code - login.php (login form)

<script type="text/javascript" src="sha512.js"></script> <!-- contains the SHA-512 hashing code (hex_sha512) -->
<script type="text/javascript">
function formhash(form, password) {
   // Create a new element input, this will be our hashed password field.
   var p = document.createElement("input");

   p.name = "p";
   p.type = "hidden";
   p.value = hex_sha512(password.value);
   // Make sure the plaintext password doesn't get sent.
   password.value = "";
   // Add the new element to our form.
   form.appendChild(p);
   // Finally submit the form.
   form.submit();
}
</script>
<?php
if(isset($_GET['error'])) {
   echo 'Error Logging In!';
}
?>
</head>
<body><form action="process_login.php" method="post" name="login_form">
   Email: <input type="text" name="email" /><br />
   Password: <input type="password" name="password" id="password"/><br />
   <input type="button" value="Login" onclick="formhash(this.form, this.form.password);" />
</form>
</body>

process_login.php (checking validity)

<?php
define("HOST", "localhost"); // The host you want to connect to.
define("USER", "root"); // The database username.
define("PASSWORD", ""); // The database password.
define("DATABASE", "check1"); // The database name.

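$mysqli = new mysqli(HOST, USER, PASSWORD, DATABASE);
// Nothing may be echoed before sec_session_start() and header():
// both have to send HTTP headers, which fails once output has started.
include 'functions.php';
sec_session_start(); // Our custom secure way of starting a php session.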

if(isset($_POST['email'], $_POST['p'])) {
   $email = $_POST['email'];
   $password = $_POST['p']; // The hashed password.
   if(login($email, $password, $mysqli) == true) {
      // Login success
      echo 'Success: You have been logged in!';
   } else {
      // Login failed
      header('Location: ./login.php?error=1');
   }
} else {
   // The correct POST variables were not sent to this page.
   echo 'Invalid Request';
}
?>

You can see an online demo here: cbsecsnip

I guess you have two possibilities:

  1. don’t show the links if the user isn’t logged in
  2. show a ‘please login to see this page’ message if a non logged in user clicks the link

Watch out here, you are leaving yourself open to some really unfathomable bugs.


   if(login($email, $password, $mysqli) == true) { 
      // Login success 
      echo 'Success: You have been logged in!'; 
   } else { 
      // Login failed 
      header('Location: ./login.php?error=1'); 
   } 

viz:


$b = "any old crap";

if($b == true ) {
   echo 'You are in son...';
}

The == test is not strong enough, use ===.

See PHP truth table.

Come back and ask if you are not sure.

HTH
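
Both options from the first reply, combined with the strict-comparison advice above, as an added example that is not code from the thread. The file name, the function names, the session keys `logged_in` and `user_id`, and the page hrefs are assumptions; only `sec_session_start()` and `login.php` come from the posted code.

```php
<?php
// auth_guard.php (hypothetical file name): added example, not the poster's code.
// Assumption: a successful login() sets $_SESSION['logged_in'] = true and an
// integer $_SESSION['user_id']. Adjust the keys to whatever functions.php stores.

function is_logged_in(array $session): bool
{
    // Strict (===) checks, so a stray non-empty string can never pass as "true".
    return ($session['logged_in'] ?? null) === true
        && is_int($session['user_id'] ?? null) && $session['user_id'] > 0;
}

// Option 1 from the thread: build the menu without login-required links.
// Each entry is [label, href, login required?]; the hrefs are placeholders.
function visible_links(array $links, array $session): array
{
    $ok = is_logged_in($session);
    return array_values(array_filter($links, fn($l) => $ok || $l[2] === false));
}

// Option 2 from the thread: call at the very top of each login-required page.
// Hiding a link does not protect its URL, so the page itself has to check.
function require_login(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start(); // the poster's site would call sec_session_start() here
    }
    if (!is_logged_in($_SESSION)) {
        http_response_code(403);
        echo 'Please <a href="login.php">login</a> to see this page.';
        exit; // stop here so none of the protected page is sent
    }
}

// Constructed sample data; runs only when executed directly: php auth_guard.php
if (PHP_SAPI === 'cli' && isset($argv[0]) && realpath($argv[0]) === __FILE__) {
    $links = [
        ['Unsolved Question Papers', 'unsolved.php', false], ['Project Samples', 'projects.php', false],
        ['Solved Materials', 'solved.php', true], ['Forum', 'forum.php', true],
    ];
    $sessions = [
        'anonymous'   => [],
        'loose value' => ['logged_in' => 'any old string', 'user_id' => 7],
        'valid login' => ['logged_in' => true, 'user_id' => 7],
    ];
    foreach ($sessions as $name => $s) {
        printf("%-12s %s\n", $name, implode(', ', array_column(visible_links($links, $s), 0)));
    }
}
```

A login-required page such as Solved Materials or Forum would start with `require 'auth_guard.php'; require_login();` before any output.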

I like your second option. For the last 4 hrs I have been trying to do that, but somehow I’m not able to touch the finishing point. If you permit, I can submit my try to you for guidance.

Thank you Guido

Can you please guide me? I am able to manage half the way, but now I am totally stuck and cannot find a way to move forward. If you don’t mind, I can submit my code to you for your guidance.