
The main path of my application is as follows:

http://example.com/login.php

If the user logs in and the type is seller, then:

http://example.com/login.php/seller/index.php

If the user logs in and the type is caller, then:

http://example.com/login.php/caller/index.php

Problem:

If a seller is logged in and he/she changes the URL from

http://example.com/login.php/seller/index.php

to

http://example.com/login.php/caller/index.php

then PHP allows them to change the whole module. So how can I prevent a seller from entering the caller module? My application is in core PHP; I have not used any frameworks. I have a field in the database named `type` which holds a type such as caller, seller or admin, and my database structure is as follows: (screenshot of the database structure) Sorry, I have hidden the contact credentials; I hope it doesn't matter.

  • On each module, set a controller to check the user type. After the session starts, if the user is a seller and tries the caller module, redirect that user to the seller module again. – Atilla Arda Açıkgöz Jan 08 '18 at 11:59
  • What do you mean by controller? My application is in core PHP; I have not used any frameworks. –  Jan 08 '18 at 12:01
  • A controller can be anything that checks the status; even a simple if statement is a controller. Like this: if userType="seller" then redirect to the seller page. You need to write the actual code to redirect, etc. – Atilla Arda Açıkgöz Jan 08 '18 at 12:04
  • Possible duplicate of [The definitive guide to form-based website authentication](https://stackoverflow.com/questions/549/the-definitive-guide-to-form-based-website-authentication) – Atilla Arda Açıkgöz Jan 08 '18 at 12:05
  • The duplicate question does not give me the right answer. Please remove the duplicate. –  Jan 08 '18 at 12:12
  • If `psw` is their password, please look into encrypting users' passwords with salts. http://plaintextoffenders.com/about/ – ʰᵈˑ Jan 08 '18 at 12:28

3 Answers


This can be solved by simply validating that a user has the correct account type, or access rights as it were, to view each module. As there is no code in your question, this answer is going to be generic, but it should guide you to implement a similar solution in your own application.

So, you have two routes:

Seller

http://example.com/login.php/seller/index.php

Caller

http://example.com/login.php/caller/index.php

As Daniel wrote in the above answer, you could store the account types in a session variable. As there is a field in the database which stores the account type of each user, you can fetch this and store it.

When the user logs in, you can fetch this information from the database, and store it in a session:

<?php

// Login page

session_start(); // must run before $_SESSION is read or written

//...code to authenticate the user against the database

$accountType = $queryResultAccountType; // the user's role as fetched from the database

$_SESSION['account_type'] = $accountType; // store it server-side in the session

Now, for each of your module pages, simply check to see if the user accessing the module has the correct account type:

Seller Route: index.php

<?php

session_start(); // required so the session set at login is available here

if (!isset($_SESSION['account_type']) || $_SESSION['account_type'] !== 'seller') {
    exit('No permission');
}

// load page here if they do have permission

Caller Route: index.php

<?php

session_start(); // required so the session set at login is available here

if (!isset($_SESSION['account_type']) || $_SESSION['account_type'] !== 'caller') {
    exit('No permission');
}

// load page here if they do have permission

This is a very broad and basic example, but hopefully you get the idea. You can adapt this to redirect them, show custom views and so on. I would highly recommend using a framework in future though, as a lot of this bare-bones functionality is already handled for you, in a much more robust way.

Matt Kent


Store the logged-in user's 'role' in the session during the login process.

Example:

$_SESSION['role'] = 'caller';

In each module, check the user's 'role'.

If your caller/index.php and seller/index.php share the same code, you can get the exact URI from

$_SERVER['REQUEST_URI']

session_start();

// which module is being requested: caller or seller
if (!preg_match('!(caller|seller)/index\.php!', $_SERVER['REQUEST_URI'], $m))
{
        die("Wrong access");
}

$role = $m[1]; // the module named in the URL; client-controlled, so not yet trusted

// the requested module must match the role stored in the session at login
if (!isset($_SESSION['role']) || $_SESSION['role'] !== $role)
{
        die("Wrong access");
}

Hope this helps.

Daniel
  • How can I check?? REQUEST_URI returns me the full URL and every page has a different name. Bad answer :-( –  Jan 08 '18 at 12:04
  • Usually the URL is checked with a regular expression. Good to know if you're going to be a programmer. Added a quick example to the answer. – Daniel Jan 08 '18 at 12:49
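The following is an added example that is not code from the question or from either answer above; it puts Matt Kent's per-module check and Daniel's shared-script variant together in one `auth.php`. It assumes a `users` table with columns `id`, `email`, `psw` (a `password_hash()` digest) and `type` (caller, seller or admin), a PDO connection in `$pdo`, and module paths of the form `.../seller/index.php` and `.../caller/index.php`; all of these are assumptions for illustration. The security point both answers rely on is that the role is read from the database at login, stored server-side in the session, and compared there; the URL the browser sends is never the source of truth.

```php
<?php
// Added example (not the question's or either answer's code).
// Assumed schema: users(id, email, psw = password_hash() digest, type).
// Assumed: $pdo is an open PDO connection.
declare(strict_types=1);

// ---- auth.php: included by login.php and by every module's index.php ----

function start_secure_session(): void
{
    if (session_status() === PHP_SESSION_NONE) {
        session_set_cookie_params([
            'httponly' => true,                       // JS cannot read the cookie
            'samesite' => 'Lax',
            'secure'   => !empty($_SERVER['HTTPS']),  // HTTPS-only when served over TLS
        ]);
        session_start();
    }
}

// Log the user in and record the role that the DATABASE says they have.
// The role is never taken from the login form or from the URL.
function login(PDO $pdo, string $email, string $password): bool
{
    $stmt = $pdo->prepare('SELECT id, psw, type FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    // password_verify() checks a password_hash() digest in constant time
    if ($user === false || !password_verify($password, $user['psw'])) {
        return false;
    }
    start_secure_session();
    session_regenerate_id(true);           // new id on login: blocks session fixation
    $_SESSION['user_id'] = (int) $user['id'];
    $_SESSION['role']    = $user['type'];  // 'caller', 'seller' or 'admin'
    return true;
}

// Server-side authorization gate. Call it at the top of every module page,
// before any output or data access. Deny by default.
function require_role(string ...$allowed): void
{
    start_secure_session();
    $role = $_SESSION['role'] ?? null;
    if ($role === null) {
        header('Location: /login.php', true, 302);   // not logged in
        exit;
    }
    if (!in_array($role, $allowed, true)) {
        http_response_code(403);                     // logged in, wrong module
        exit('No permission');
    }
}

// Daniel's variant: when caller/index.php and seller/index.php are one shared
// script, derive the REQUESTED module from the path, then let require_role()
// compare it with the role stored at login. The path alone proves nothing.
function require_role_for_request(string $requestUri): string
{
    $path = (string) (parse_url($requestUri, PHP_URL_PATH) ?? '');
    if (!preg_match('!/(caller|seller)/index\.php$!', $path, $m)) {
        http_response_code(404);
        exit('Wrong access');
    }
    require_role($m[1]);   // 403 unless $_SESSION['role'] equals the requested module
    return $m[1];
}

// ---- seller/index.php (separate-script layout) ----
// require __DIR__ . '/../auth.php';
// require_role('seller');            // add 'admin' here only if admins may view it
// ... render the seller module ...

// ---- shared index.php (Daniel's layout) ----
// require __DIR__ . '/auth.php';
// $module = require_role_for_request($_SERVER['REQUEST_URI']);
// ... render $module ...
```

A seller who edits `seller/index.php` to `caller/index.php` now gets a 403 from `require_role()`, because `$_SESSION['role']` still says `seller`; nothing in the request can change that value. If the `psw` column currently holds plaintext, as the comment on the question suspects, migrate it to `password_hash()` digests before adopting the `login()` above, since `password_verify()` only accepts those.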

You can add a field `type` (seller or caller) to the user table in the database. On every login, check whether the type is seller or caller.

Joan Nguyen