  1. My restricted PHP page isn't restricting access based on if a user is logged in
    <p>With the help of this site I have a log in script that now works. The problem is the page I am trying to restrict is not restricting access. When I go to the page without logging in it still gives me access to the page. I am quite new to PHP so your help and comments are greatly appreciated.</p>
    <p>The code for the page is:</p>
    <pre><code>&lt;?php require_once('../Connections/PropSuite.php'); ?&gt;
&lt;?php
error_reporting(E_ALL &amp; ~E_NOTICE);
ini_set('display_errors', TRUE);
ini_set('display_startup_errors', TRUE);

function isLoggedIn()
{
    if(isset($_SESSION['valid']) &amp;&amp; $_SESSION['valid'])
        return true;
    return false;
}

session_start();
//if the user has not logged in
if(!isLoggedIn())
{
    header('Location: http://localhost/PropSuite/index.php');
    die();
}
?&gt;
</code></pre>
    <p>And the code for the log in script is:</p>
    <pre><code>&lt;?php
function validateUser()
{
    session_regenerate_id (); //this is a security measure
    $_SESSION['valid'] = 1;
    $_SESSION['userid'] = $userid;
}
?&gt;
&lt;?php
ob_start(); // Start output buffering
error_reporting(E_ALL &amp; ~E_NOTICE);
ini_set('display_errors', TRUE);
ini_set('display_startup_errors', TRUE);

session_start(); //must call session_start before using any $_SESSION variables
$username = isset($_POST['username'])?$_POST['username']:'';
$password = isset($_POST['password'])?$_POST['password']:'';

//connect to the database here
$hostname_PropSuite = "localhost";
$database_PropSuite = "propsuite";
$username_PropSuite = "root";
$password_PropSuite = "root";
$PropSuite = mysql_pconnect($hostname_PropSuite, $username_PropSuite, $password_PropSuite) or trigger_error(mysql_error(),E_USER_ERROR);
mysql_select_db($database_PropSuite, $PropSuite);

$username = mysql_real_escape_string($username);
$query = "SELECT password, salt FROM admin_users WHERE username = '$username';";
$result = mysql_query($query) or die(mysql_error());
if(mysql_num_rows($result) &lt; 1) //no such user exists
{
    header('Location: http://localhost/PropSuite/index.php?login=fail');
    die();
}
$userData = mysql_fetch_array($result, MYSQL_ASSOC);
$hash = hash('sha256', $userData['salt'] . hash('sha256', $password) );
if($hash != $userData['password']) //incorrect password
{
    header('Location: http://localhost/PropSuite/index.php?login=fail');
    die();
}
else
{
    validateUser(); //sets the session data for this user
}
//redirect to another page or display "login success" message
header('Location: http://localhost/PropSuite/main');
die()
//redirect to another page or display "login success" message
?&gt;
</code></pre>
    <p>Again, thank you in advance for your help and for the mods, I apologise if I am posting similar questions.</p>
 
