I've been searching for hours on SO and other sites about PHP sessions by roles. The information is very good, extensive and well documented but that is my problem, too extensive and too heavy.
I want to achieve the shortest and most succinct code possible, since I don't need more.
I start the session in a login.php that validates the fields username and password, which are stored in a MySQL DB.
If it is correct I can see the home.php and other pages (so far everything is perfect).
Now it turns out that I have a "private.php" page that only certain users can access.
For that I have in my table a third field called "access" whose only values are "yes" and "no".
How can I validate that third field on login? If the value is "yes" I have permission for "private.php"; otherwise I can't log in.
This is what I have:
LOGIN.PHP
<body>
    <form action="validation.php" method="POST">
        <fieldset>
            <p><label for="email">Usuario</label></p>
            <p><input type="text" name="login" id="email" required></p>
            <p><label for="password">Contraseña</label></p>
            <p><input type="password" name="password" id="password" required></p>
            <br><br>
            <p><input type="submit" name="Enviar" value="Ingresar"></p>
        </fieldset>
    </form>
</body>
VALIDATION.PHP
<?php
// This block has to run before any HTML is output: session_start() and header()
// both fail with "headers already sent" once a "<body>" tag has gone to the browser.
try {
    $base = new PDO("mysql:host=localhost; dbname=PRUEBAS", "root", "");
    $base->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Prepared statement: bound values are never spliced into the SQL text, so no
    // escaping (addslashes/htmlentities) is needed; escaping here would change the
    // value and make valid logins fail for any name or password with quotes or "&".
    $sql = "SELECT * FROM USUARIOS_PASS WHERE USUARIOS = :login AND PASSWORD = :password";
    $resultado = $base->prepare($sql);
    $resultado->bindValue(":login", $_POST["login"]);
    $resultado->bindValue(":password", $_POST["password"]); // compared exactly as stored in the table
    $resultado->execute();
    $numero_registro = $resultado->rowCount();
    if ($numero_registro != 0) {
        session_start();
        session_regenerate_id(true); // fresh session id on login
        $_SESSION["usuario"] = $_POST["login"];
        if (isset($_POST['url']) && strlen($_POST['url'])) {
            // redirect to the url (user-supplied: keep it limited to your own pages)
            header("Location: " . $_POST['url']);
            exit;
        }
        // redirect to the index by default
        header("Location: home.php");
        exit; // stop here so nothing below is sent after the redirect
    } else {
        echo "<script>
        alert('Usuario o Contraseña incorrectos, por favor intente nuevamente.');
        window.location = 'login.php'
        </script>";
    }
} catch (\Exception $e) {
    die("Error: " . $e->getMessage()); // shows the raw DB error to the visitor; log it instead in production
}
?>
And this is how I validate the session in the header of the page "home.php" (and others).
<?php
session_start();
if (!isset($_SESSION["usuario"])) {
    header("Location: login.php");
    exit; // without exit, the rest of the page is still rendered after the redirect header
}
?>
Summarizing
I apologize, the question is a bit long. I need to prevent access to a "private.php" page. For example, should I validate the "access" field of my table in my validation.php or in the header of that page I want to restrict?
EDIT
I was asking about it and I can achieve it if I store the login in boolean form, leaving the access field in INT form with values 1 and 2. Value 2 for admins and value 1 for all others.
This question on the original SO site is very similar but I can't quite implement it in my code.
Try to use the user ID of the table, and with PHP ask MySQL whether that user has yes or no; you check whether it equals "yes", and if it is not the same, redirect to index.php or wherever you want. As soon as I get home I'll edit the answer adding example code. In the same way, if you have some experience in PHP you should understand what I'm saying. I hope it helps you; then I'll give you the example again :)
Edit:
I think it would be like this, I'm on my mobile now... Sorry if there's any mistake, but I think it would be like this.
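The check the answer describes (read the "access" column at login, compare it to "yes", and send anyone else away from private.php), written out as an added example; it is not code from the question or the answer. The file name auth.php, the three function names, and the column name "access" on the USUARIOS_PASS table are assumptions.

```php
<?php
// auth.php (added example, names assumed). Included at the top of each protected
// page, before any HTML, so header() redirects still work.

// validation.php: after the password query succeeds, fetch the row and call this
// instead of only setting $_SESSION["usuario"]. $fila is the row from
// USUARIOS_PASS (columns USUARIOS, PASSWORD and the assumed "access").
function iniciar_sesion(array $fila): void
{
    session_start();
    session_regenerate_id(true);                         // new id on login (session fixation)
    $_SESSION['usuario'] = $fila['USUARIOS'];
    $_SESSION['access']  = ($fila['access'] === 'yes');  // decided once, server-side, as a boolean
}

// home.php and the other pages: any logged-in user may enter.
function requerir_login(): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['usuario'])) {
        header('Location: login.php');
        exit;                                            // without exit the page body is still sent
    }
}

// private.php: logged in AND access = yes; everyone else goes back to home.php.
function requerir_acceso(): void
{
    requerir_login();
    if (empty($_SESSION['access'])) {
        header('Location: home.php');
        exit;
    }
}

// At the very top of private.php (before <html>):
//   <?php require_once 'auth.php'; requerir_acceso(); ?>
// and at the top of home.php:
//   <?php require_once 'auth.php'; requerir_login(); ?>
```

Because the decision is stored in the session at login, the flag is checked in the header of the restricted page and no second query is needed on every request; changing a user's "access" value only takes effect at their next login.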