User Access control
For user access control purposes we created the session userid in the sign-up and log-in process files (signup_process.php and login_process.php). We do not want someone to be able to access the member.php page if they are not a logged-in member, or the success.php page if they have not just signed up.
MySQL PHP Tutorial 1: MySQL User accounts
MySQL PHP Tutorial 2: PHP login Session
MySQL PHP Tutorial 3: PHP Form Validation
MySQL PHP Tutorial 4: PHP User Access Control
signup_process.php
// A userid of 0 marks a user who has signed up but not logged in yet
$_SESSION['userid'] = "0";
header('Location: success.php');
exit(); // stop the script; a redirect header alone does not end execution
login_process.php
// $data holds the result of the login query run earlier in this file.
// Note: the mysql_* extension was removed in PHP 7; mysqli_fetch_assoc() is the modern equivalent.
$row = mysql_fetch_assoc($data);
// Store the user's real (non-zero) id from the database in the session
$_SESSION['userid'] = $row['userid'];
header('Location: member.php');
exit(); // stop the script; a redirect header alone does not end execution
We create two separate PHP files and include them at the top of the member and success PHP files. We include them using the PHP function require_once(). The PHP file for the success.php page is called auth_success.php. The PHP file for the member.php page is called auth_member.php.
member.php
<?php require_once('auth_member.php'); ?>
success.php
<?php require_once('auth_success.php'); ?>
auth_success.php
In the auth_success.php file we start the session first and then create the if construct. If the session userid has not been created, is empty, or does not equal 0, the script terminates and access is denied. Notice the "not equal to 0" condition: a userid equal to 0 marks a newly signed-up user who has not logged in yet, so that user can access the success page right after a successful sign-up. A user who has already signed up and logged in cannot access this page, because their userid is no longer 0: after logging in they are redirected to the member.php page and their session userid is set to the id assigned to them in the database. Notice also that we use the PHP trim() function, which removes whitespace and other predefined characters from both ends of the string.
<?php
// Start the session
session_start();
// Deny access if the session variable userid has not been created, does not equal 0, or is empty
if (!isset($_SESSION['userid'])
    || (trim($_SESSION['userid']) != '0')
    || (trim($_SESSION['userid']) == '')) {
    header("Location: access-denied.php");
    exit();
}
?>
auth_member.php
In the auth_member.php file we start the session first and then create the if construct. If the session userid has not been created, is empty, or equals 0, the script terminates and access is denied. Remember that the signup process sets the userid to 0 before the user logs in. When the user logs in, the userid changes to the id assigned to them, so it no longer equals 0. Remember also that the userid column in the MySQL table is set to auto increment, so every user receives a distinct, non-zero id.
<?php
// Start the session
session_start();
// Deny access if the session variable userid has not been created, equals 0, or is empty
if (!isset($_SESSION['userid'])
    || (trim($_SESSION['userid']) == '0')
    || (trim($_SESSION['userid']) == '')) {
    header("Location: access-denied.php");
    exit();
}
?>
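The two auth files above differ only in which userid state they accept. The following is an added example (not the tutorial's own code) that expresses both checks as one guard around a single state function, and goes slightly beyond the tutorial in two ways: it accepts only a string of digits as a userid, and it regenerates the session id when the user is promoted to member, which the tutorial's login_process.php does not do. The function names and the promote_to_member() step are assumptions of this example.

```php
<?php
// Added example, not the tutorial's code: one guard for both auth files,
// plus the session-id regeneration the tutorial's login step omits.
declare(strict_types=1);

// Tutorial's session states: unset/'' = anonymous; '0' = signed up but not
// logged in (signup_process.php); '1','2',... = member (auto-increment userid).
function session_user_state(array $session): string
{
    if (!isset($session['userid'])) {
        return 'anonymous';
    }
    $id = trim((string) $session['userid']);
    // Stricter than the tutorial's loose != '0': only a digit string counts,
    // so '', ' ', '-1' and '0abc' are all treated as anonymous.
    if ($id === '' || !ctype_digit($id)) {
        return 'anonymous';
    }
    return $id === '0' ? 'signed_up' : 'member';
}

// auth_success.php would call require_state('signed_up'),
// auth_member.php would call require_state('member').
function require_state(string $wanted): void
{
    session_start();
    if (session_user_state($_SESSION) !== $wanted) {
        header('Location: access-denied.php');   // same redirect as the tutorial
        exit();
    }
}

// Assumed hardening for login_process.php after the password check: a fresh
// session id on privilege change, so a session id fixed before login is useless.
function promote_to_member(int $userid): void
{
    session_regenerate_id(true);
    $_SESSION['userid'] = (string) $userid;
}

// Constructed session arrays to check the state mapping without a browser.
assert(session_user_state([]) === 'anonymous');
assert(session_user_state(['userid' => '']) === 'anonymous');
assert(session_user_state(['userid' => '0']) === 'signed_up');
assert(session_user_state(['userid' => ' 42 ']) === 'member');
assert(session_user_state(['userid' => '0abc']) === 'anonymous');
```

The assert() lines only run where zend.assertions is enabled (the default in development builds); they document which session values each page should accept.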
Congratulations, you now understand how user access control works. That sums up the PHP MySQL user account tutorial; if you have any questions, feel free to ask.
2 Comments
Anonymous
Really awesome blog. The way you break things down is really impressive. Thanks so much!
Icone
Nice tutorial above. I recommend including the email verification source code, just for reference for newbies.