I am just starting out in programming and working on a small project. The problem I have is that if someone copies the URL of the administrator panel, they can open it just by pasting that URL. How can I control this? This is how I handle the login; it may not be the best way.
<?php
session_start();
include('conexion.php');
$usu  = $_POST["txtusuario"];
$pass = $_POST["txtpassword"];
$rol  = $_POST["rol"];
// Form values are interpolated straight into the SQL text (injectable) and the
// password is compared in plaintext. Nothing is written to $_SESSION, so
// pag_admin.php has no way to tell a logged-in admin from anyone typing its URL.
$queryusuario = mysqli_query($con, "SELECT * FROM login WHERE usuario ='$usu' and pass = '$pass' and rol = '$rol'");
$nr = mysqli_num_rows($queryusuario);
if ($nr == 1)
{
    // Redirect by role. exit stops the script after the header is sent;
    // without it PHP keeps executing whatever follows.
    if ($rol == "Usuario")
    {
        header("Location: pag_user.php");
        exit;
    }
    else if ($rol == "Operador")
    {
        header("Location: pag_user.php");
        exit;
    }
    else if ($rol == "Admin")
    {
        header("Location: pag_admin.php");
        exit;
    }
    else if ($rol == "Dir")
    {
        header("Location: pag_admin.php");
        exit;
    }
    else if ($rol == "Infor")
    {
        header("Location: pag_admin.php");
        exit;
    }
    else if ($rol == "Dev")
    {
        header("Location: pag_admin.php");
        exit;
    }
}
else
{
    echo '<script type="text/javascript">alert("Incorrect username or password");</script>';
    echo '<script> window.location="index.php"; </script>';
}
?>
To avoid this problem, you should first build a form for the proper validation of the user. (You do not make this clear, but you are using a form.)
When you validate the data, create the $_SESSION at the point where you redirect the page.
On the page where you check whether the user is Admin, User, etc., you must put the following:
Here you can see the official documentation.
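The following is an added example of the two halves the answer describes (set $_SESSION after a successful login, then check it at the top of each protected page); it is not the asker's or the answerer's code. It goes beyond the answer in two ways: the query uses a prepared statement instead of string interpolation, and the password is checked with password_verify(), which assumes the `pass` column holds the output of password_hash() rather than a plaintext password. The file names login.php and auth.php, the function name require_role(), and the column names usuario, pass and rol are assumptions; conexion.php is assumed to define $con as a mysqli connection, as in the question.

```php
<?php
// ---------- auth.php (assumed file name; added example) ----------
// Include this at the top of every protected page, before any output.
function require_role(array $allowed): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $rol = $_SESSION['rol'] ?? null;
    // No session, or a session whose role is not on the allow-list: redirect
    // to the login page instead of rendering anything from the protected page.
    if ($rol === null || !in_array($rol, $allowed, true)) {
        header('Location: index.php');
        exit;
    }
}

// Usage on each page (comment only; the calls belong on those pages):
// pag_admin.php:  require 'auth.php'; require_role(['Admin', 'Dir', 'Infor', 'Dev']);
// pag_user.php:   require 'auth.php'; require_role(['Usuario', 'Operador', 'Admin', 'Dir', 'Infor', 'Dev']);
// logout.php:     session_start(); $_SESSION = []; session_destroy(); header('Location: index.php'); exit;

// ---------- login.php (assumed file name; added example) ----------
session_start();
require 'conexion.php';   // assumed to define $con (mysqli), as in the question

$usu  = $_POST['txtusuario'] ?? '';
$pass = $_POST['txtpassword'] ?? '';
// The role is deliberately NOT read from $_POST: it comes from the database row.

// Prepared statement: the username is bound as a parameter, never pasted into SQL.
$stmt = $con->prepare('SELECT pass, rol FROM login WHERE usuario = ? LIMIT 1');
$stmt->bind_param('s', $usu);
$stmt->execute();
$stmt->bind_result($storedHash, $rolFromDb);
$found = $stmt->fetch();
$stmt->close();

// Assumption: `pass` stores password_hash() output. password_verify() does the
// constant-time comparison; a plaintext column would have to be migrated first.
if (!$found || !password_verify($pass, $storedHash)) {
    $_SESSION['flash'] = 'Incorrect username or password';
    header('Location: index.php');
    exit;
}

// Successful login: issue a fresh session id (defeats session fixation) and
// record who the user is and what role the database says they have.
session_regenerate_id(true);
$_SESSION['usuario']  = $usu;
$_SESSION['rol']      = $rolFromDb;
$_SESSION['login_at'] = time();

// Same role-to-page mapping as the question, driven by the stored role.
$adminRoles = ['Admin', 'Dir', 'Infor', 'Dev'];
$target = in_array($rolFromDb, $adminRoles, true) ? 'pag_admin.php' : 'pag_user.php';
header('Location: ' . $target);
exit;
```

With this in place, pasting the URL of pag_admin.php without having logged in (or while logged in as Usuario) sends the visitor back to index.php before any of the page's content is sent, because require_role() runs before the first byte of output. The `exit` after each header() matters: without it PHP continues executing the rest of the file and the redirect is only a suggestion to the browser.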