yauwana ravindra

Reputation: 19

Need to refresh the page manually

I'm using kind of an old PHP version, which is 5.4. I have wrapped some HTML content in a PHP if condition so that it is not shown for the employee user type. The problem is that when I log in as an admin I see the admin content. Then, after logging out, I log in as an employee and I can still see the admin content on the page, which should not be the case.

That page is like this:

Header.php + content.php + footer.php

Header.php

<?php
session_start();

//print_r($_SESSION); for debugging purpose
if(!isset($_SESSION['uname'])){
    header("Location:index.php");
    exit; // stop here, otherwise the rest of the page is still rendered and sent
}
$baseurl = "http://localhost/yauwana-fyp-hrm/trunk/";
?>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>Rising Logistics</title>
<link href="css/bootstrap.min.css" rel="stylesheet">
<link href="css/styles.css" rel="stylesheet">
<!-- HTML5 shim and Respond.js for IE8 support of HTML5 elements and  media queries -->
<!-- WARNING: Respond.js doesn't work if you view the page via file:// -->
<!--[if lt IE 9]>
<script src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js">   </script>
<script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"> </script>
<![endif]-->

<!-- suggestion text box -->
<script type="text/javascript" src="js/jquery.min.js"></script>
<script type="text/javascript" src="js/jquery-ui.min.js"></script>
<link rel="stylesheet" type="text/css" href="css/jquery-ui.css" />

</head>

<body>
<header>
<div class="container padded-top">
    <div class="row">
        <div class="col-md-6">
            <div class="logo">
                <a href="#" title="Rising Logistics">
                    <img src="<?php echo $baseurl; ?>images/logo.jpg" class="img-responsive"/>
                </a>
            </div>
        </div>
        <div class="col-md-6">
            <div class="dropdown pull-right admin-area">
                <button class="btn btn-default dropdown-toggle" type="button" id="login-menu" data-toggle="dropdown" aria-haspopup="true" aria-expanded="true">
                    <span class="glyphicon glyphicon-user" aria-hidden="true"></span>
                    Welcome <strong><?php echo htmlspecialchars($_SESSION['uname'], ENT_QUOTES, 'UTF-8'); ?></strong>
                    <span class="caret"></span>
                </button>
                <ul class="dropdown-menu" aria-labelledby="login-menu">
                    <li><a href="#">About</a></li>
                    <li><a href="includes/logout.php">Log Out</a></li>
                </ul>
            </div>
        </div>
    </div>
</div>
<div class="container">
  <div class="row">
    <div class="col-md-12 col-lg-12 col-xs-12 col-sm-12 col-ms-12">
        <div class="navbar navbar-default top-navbar" role="navigation">
            <div class="navbar-header">
                  <button type="button" class="navbar-toggle" data-toggle="collapse" data-target=".navbar-collapse">
                    <span class="sr-only">Toggle navigation</span>
                    <span class="icon-bar"></span>
                    <span class="icon-bar"></span>
                    <span class="icon-bar"></span>
                  </button>
               </div>
            <div class="collapse navbar-collapse">
                   <ul class="nav navbar-nav">
                  <li class="active"><a href="./" class="dropdown-toggle" data-toggle="dropdown">Recruitment</a>
                    <ul class="dropdown-menu multi-level">
                      <li><a href="template1.php?tab=home">Vacancies</a></li>
                      <li><a href="template1.php?tab=vacancies">Listed Candidates</a></li>
                      <li><a href="template1.php?tab=add_vac">Add Candidate</a></li>
                      </ul>
                    </li>
                  <li><a href="./" class="dropdown-toggle" data-toggle="dropdown">Performance</a>
                    <ul class="dropdown-menu multi-level">
                      <li><a href="template1.php?tab=kpi_list">KPI List</a></li>
                      <li><a href="template1.php?tab=add_kpi">Add KPI</a></li>
                      <li><a href="template1.php?tab=add_reviews">Add Reviews</a></li>
                      <li><a href="template1.php?tab=reviews">Reviews</a></li>
                      </ul>
                    </li>
                  <li><a href="./" class="dropdown-toggle" data-toggle="dropdown">Leave</a>
                    <ul class="dropdown-menu multi-level">
                      <li><a href="template1.php?tab=add_leave">Add Leave</a></li>
                      <li><a href="template1.php?tab=leave_entitlement">Leave Entitlement</a></li>
                      <li><a href="template1.php?tab=leave_summary">Leave Summary </a></li>
                      </ul>
                    </li>
                  <li><a href="./"  class="dropdown-toggle" data-toggle="dropdown">PIM</a>
                     <ul class="dropdown-menu multi-level">
                     <?php if($_SESSION['ut'] != "Employee"){?>
                      <li><a href="template1.php?tab=employee_list">Employee List</a></li>
                      <?php } ?>
                      <li><a href="template1.php?tab=add_employee">Add Employee</a></li>
                      <li><a href="template1.php?tab=reports">Reports</a></li>

                      </ul>
                    </li>
                  <li><a href="./" class="dropdown-toggle" data-toggle="dropdown">Admin</a>
                     <ul class="dropdown-menu multi-level">
                      <li><a href="template1.php?tab=termionation_reason">Termination Reason</a></li>
                      <li><a href="template1.php?tab=job_titles">Job Titles</a></li>
                      <li><a href="template1.php?tab=user_create">Add Users</a></li>
                      <li><a href="template1.php?tab=user_list">User List</a></li>
                     </ul>
                        </li>
                      <li><a href="./">Help</a></li>
                      </ul>
            </div>
            <!--/.nav-collapse -->
        </div>
    </div>
  </div>
</div>
</header>
<div class="clearfix"></div>

Content.php

<!-- delete ajax function begin  -->
<script type="text/javascript">
function showUser(p)
{
 var xmlhttp; // declare it, otherwise it leaks into the global scope
   //alert (p);

//if (str=="")
//{
// document.getElementById("txtHint").innerHTML="";
// return;
// }
 if (window.XMLHttpRequest)
 {// code for IE7+, Firefox, Chrome, Opera, Safari
 xmlhttp=new XMLHttpRequest();
 }
 else
 {// code for IE6, IE5
 xmlhttp=new ActiveXObject("Microsoft.XMLHTTP");
 }

 xmlhttp.onreadystatechange=function()
 {

 if (xmlhttp.readyState==4 && xmlhttp.status==200)
  {
     //delete table row
  var tr  = document.getElementById(p).parentNode.parentNode;
 tr.parentNode.removeChild(tr);
location.reload();
 }
}

var full = "?s="+p;
xmlhttp.open("GET","menu/KPI list/kpi_delete.php"+full,true);
xmlhttp.send();

}
</script>

<!-- delete ajax function end -->

<div class="body-div container padded-bottom">
 <?php

$database->getConnection();

/*
    Place code to connect to your DB here.
*/
//include('config.php');    // include your code to connect to DB.

$tbl_name="kpi";        //your table name
// How many adjacent pages should be shown on each side?
$adjacents = 1;

/*
   First get total number of rows in data table.
   If you have a WHERE clause in your query, make sure you mirror it here.
*/

$emp_id = (int) $_SESSION['emp_id'];
// Build the WHERE clause once and use it for both the count and the data query,
// so an employee only ever gets their own rows.
if($_SESSION['ut'] == "Employee")
{
    $where = " WHERE emp_id = $emp_id ";
}
else{
    $where = "";
}
$query = "SELECT COUNT(*) as num FROM $tbl_name $where";

$total_pages = mysql_fetch_array(mysql_query($query));
$total_pages = $total_pages['num'];

/* Setup vars for query. */
$targetpage = "template1.php?tab=kpi_list";     //your file name  (the name of this file)
$limit = 1;                                     //how many items to show per page

if(isset($_GET['page'])){
    $page = max(1, (int) $_GET['page']);       //cast: this value goes straight into the LIMIT clause
    $start = ($page - 1) * $limit;             //first item to display on this page
}else{
    $start = 0;
    $page=0;                            //if no page var is given, set start to 0
}
/* Get data. */
$sql = "SELECT * FROM $tbl_name $where order by kpi_no desc LIMIT $start, $limit ";
$result = mysql_query($sql);

/* Setup page vars for display. */
if ($page == 0) $page = 1;                    //if no page var is given, default to 1.
$prev = $page - 1;                            //previous page is page - 1
$next = $page + 1;                            //next page is page + 1
$lastpage = ceil($total_pages/$limit);        //lastpage is = total pages / items per page, rounded up.
$lpm1 = $lastpage - 1;                        //last page minus 1

/*
    Now we apply our rules and draw the pagination object.
    We're actually saving the code to a variable in case we want to draw it more than once.
*/
$pagination = "";
if($lastpage > 1)
{
    $pagination .= "<div class=\"pagination-new\">";
    //previous button
    if ($page > 1)
        $pagination.= "<a href=\"$targetpage&page=$prev\">« previous</a>";
    else
        $pagination.= "<span class=\"disabled\">« previous</span>";

    //pages
    if ($lastpage < 7 + ($adjacents * 2))    //not enough pages to bother breaking it up
    {
        for ($counter = 1; $counter <= $lastpage; $counter++)
        {
            if ($counter == $page)
                $pagination.= "<span class=\"current\">$counter</span>";
            else
                $pagination.= "<a href=\"$targetpage&page=$counter\">$counter</a>";
        }
    }
    elseif($lastpage > 5 + ($adjacents * 2))    //enough pages to hide some
    {
        //close to beginning; only hide later pages
        if($page < 1 + ($adjacents * 2))
        {
            for ($counter = 1; $counter < 4 + ($adjacents * 2); $counter++)
            {
                if ($counter == $page)
                    $pagination.= "<span class=\"current\">$counter</span>";
                else
                    $pagination.= "<a href=\"$targetpage&page=$counter\">$counter</a>";
            }
            $pagination.= "...";
            $pagination.= "<a href=\"$targetpage&page=$lpm1\">$lpm1</a>";
            $pagination.= "<a href=\"$targetpage&page=$lastpage\">$lastpage</a>";
        }
        //in middle; hide some front and some back
        elseif($lastpage - ($adjacents * 2) > $page && $page > ($adjacents * 2))
        {
            $pagination.= "<a href=\"$targetpage&page=1\">1</a>";
            $pagination.= "<a href=\"$targetpage&page=2\">2</a>";
            $pagination.= "...";
            for ($counter = $page - $adjacents; $counter <= $page + $adjacents; $counter++)
            {
                if ($counter == $page)
                    $pagination.= "<span class=\"current\">$counter</span>";
                else
                    $pagination.= "<a href=\"$targetpage&page=$counter\">$counter</a>";
            }
            $pagination.= "...";
            $pagination.= "<a href=\"$targetpage&page=$lpm1\">$lpm1</a>";
            $pagination.= "<a href=\"$targetpage&page=$lastpage\">$lastpage</a>";
        }
        //close to end; only hide early pages
        else
        {
            $pagination.= "<a href=\"$targetpage&page=1\">1</a>";
            $pagination.= "<a href=\"$targetpage&page=2\">2</a>";
            $pagination.= "...";
            for ($counter = $lastpage - (2 + ($adjacents * 2)); $counter <= $lastpage; $counter++)
            {
                if ($counter == $page)
                    $pagination.= "<span class=\"current\">$counter</span>";
                else
                    $pagination.= "<a href=\"$targetpage&page=$counter\">$counter</a>";
            }
        }
    }

    //next button
    if ($page < $counter - 1)
        $pagination.= "<a href=\"$targetpage&page=$next\">next »</a>";
    else
        $pagination.= "<span class=\"disabled\">next »</span>";
    $pagination.= "</div>\n";
  }
 ?>
<!--  end of the pagination          -->

   <div class="row">
        <div class="col-xs-12 col-ms-12 col-sm-12 col-md-12 col-lg-12">
        <h1>KPI List</h1>
            <form action="menu/KPI list/kpi_search.php" method="post" name="testform">
            <div class="well well-sm">
                <div class="pull-left">
                    <select name="com" class="form-control">
                        <option value="f_name">First Name</option>
                        <option value="l_name">Last Name</option>
                        <option value="date">Date</option>
                    </select>
                    <div class="gap clearfix"></div>
                    <!-- <div id="testform_com_errorloc" class="alert alert-danger">Error message</div>  -->
                </div>
                 <div class="pull-left">
                    <input id="firstname" type="text" name="firstname" value="" class="required comment form-control" data-validation="required" data-validation-error-msg-required="This field is required"/>
                    <div class="gap clearfix"></div>
                   <!--  <div id="testform_firstname_errorloc" class="alert alert-danger">Error message</div>  -->
                </div>
                <div class="pull-left"><input name="submit" type="submit" value="Search" class="btn btn-default"/></div>
              </div>

           </form>
            <div class="gap"></div>

 <table class="table table-striped">
            <tr>
                <th>Employee First Name</th>
                <th>Employee Last Name</th>
                <th>Job Title</th>
                <th>Date</th>
                <th>KPI given by</th>
 <?php if($_SESSION['ut'] != "Employee"){ ?>
                <th>Edit</th>
                <th>Delete</th>
                <th>Give Marks</th>
                <?php } ?>
                <th>View</th>
            </tr>
            <tr>
                <?php

    while($row = mysql_fetch_array($result))

    {
               $p = $row["kpi_no"];
                 $value = "1";
                ?>
                <td><?php echo $row['e_f_name']; ?></td>
                <td><?php echo $row['e_l_name']; ?></td>
                <td><?php echo $row['vac_name']; ?></td>
                <td><?php echo $row['date']; ?></td>
                <td><?php echo $row['kpi_given']; ?></td>
                **<?php if($_SESSION['ut'] != "Employee"){ ?>**
                <td class="text-center">
                    <a href="menu/KPI list/kpi_edit_details.php?x=<?php echo $p; ?>&v=<?php echo $page; ?>&val=<?php echo $value; ?>">
                        <!--<img width="15" height="15" src="http://localhost/project_2012/images/edit-icon.png"/>-->
                        <span class="glyphicon glyphicon-edit"></span>
                    </a>
                </td>
                <td class="text-center">
                    <div id="<?php echo $p; ?>" style="width:50px;">
                        <a href="javascript:showUser(<?php echo $p; ?>)" onclick="return confirm('Are you sure you want to delete?')">
                            <span class="glyphicon glyphicon-trash"></span>
                        </a>
                    </div>
                </td>
                <td class="text-center">
                     <a href="menu/KPI list/give_marks.php?x=<?php echo $p; ?>&v=<?php echo $page;?>">
                        <span class="glyphicon glyphicon glyphicon-certificate"></span>
                    </a>
                </td>
                **<?php }?>**
                 <td class="text-center">
                   <a href="view_vac.php?x=<?php echo $p; ?>" target="_blank">
                        <span class="glyphicon glyphicon-zoom-in"></span>
                    </a>
                </td>
            </tr>
             <?php    } // End of while loop
    ?>
        </table>
        <!--end of table -->
         <br/><br/>
        <?php  echo $pagination; ?>

   </div>
</div>
</div>

</body>
</html>

Footer.php

<footer>
   <center>
    Rising Logistics<br/>
    &copy; <?php echo date("Y"); ?> Rising Logistics, Inc. All rights reserved.
    </center>
</footer>
<!-- <script src="js/jquery.min.js"></script> -->
<script src="js/bootstrap.min.js"></script>
<script src="//cdnjs.cloudflare.com/ajax/libs/jquery-form-validator/2.2.8/jquery.form-validator.min.js"></script>

<script src="js/common.js"></script>

Logout.php:

 <?php
        session_start();
        $_SESSION = array();      // clear the session data, not just the server-side file
        session_destroy();
        header("Location:../index.php");
        exit;
 ?>

Login_validaton.php

        <?php
include('database.php');
include('loghis.php');
$con = $database->getConnection();

$time =   mktime(date('H')+5,date('i')+30,date('s'),date('m'),date('d'),date('Y'));

$hourr = date('H',$time);//current time hour
$minn =date('i',$time);//current time min
$secc = date('s',$time);//current time seconds
$year = date('Y',$time);//current year
$month = date('m',$time);//current month
$date = date('d',$time);//current day
$b=$year."-".$month."-".$date;
$intime = $hourr.":".$minn.":".$secc;
$username = mysql_real_escape_string($_POST['username']); // escape for the query, not just addslashes
$password = md5(addslashes($_POST['password']));
$msg = "username or password incorrect";
$result = mysql_query("SELECT * FROM users WHERE user_name='$username' and password ='$password'");

//echo $username;
 $row=mysql_num_rows($result);
//echo "1";
 if($row==1){//begin of $row count

 session_start();

 $_SESSION['uname']=$username;
 $res = mysql_fetch_array($result);
 $_SESSION['ut']=$res['emp_division'];
 $use = $res['user_name'];
 $pass = $res['password'];
 $_SESSION['emp_id'] = $res['emp_id'];
 $_SESSION['emp_division'] = $res['emp_division'];
  $logh = new loginHis;
 $logh->his($username,$b,$intime);

 header("Location:../../trunk/template1.php");
 exit;

 }//end of $row count
 else {
header("Location:../../trunk/index.php?err=" . urlencode($msg));
exit;
}

?>

I have made the PHP lines in the content.php file bold. I hope this is clear; please help me solve the issue.

Upvotes: 1

Views: 257

Answers (2)

EladBash

Reputation: 95

The best solution for this case is to define a "user_type" column in your database, and by the user type return the value to your session object; by that you can separate admin users and regular users and show them different content.

Now you have no separation and that's why regular users can see the admin's content.

Upvotes: 1

PaulH

Reputation: 3059

You could try to change the header statement in `Logout.php`

header("Location:../index.php?logedout");

to avoid the cached page

Upvotes: 2
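Both answers point at the same two gaps: the role has to be an explicit value stored in the session at login (EladBash), and a page whose content depends on who is logged in must never be served from the browser cache (PaulH). The helper below is an added example, not the asker's code or any of the posted files; it assumes a `user_type` column as EladBash suggests, and the file name `auth.php`, the function names, and the role value `Admin` are this example's own.

```php
<?php
// auth.php (example helper, not from the original post). Include it before any output.
// Targets PHP 5.4, which the question states: session_status() exists from 5.4.0.
if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
}

// Pages whose content depends on the logged-in user must not be cached by the
// browser or a proxy; otherwise the next user on the same browser can see them.
function send_no_cache_headers() {
    header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0');
    header('Pragma: no-cache');
    header('Expires: 0');
}

// Call once, at login, after the credentials have been verified. The role comes
// from the users table (the assumed user_type column), never from the request.
// Regenerating the id ties the now-privileged session to a fresh cookie value.
function start_authenticated_session($username, $user_type, $emp_id) {
    session_regenerate_id(true);
    $_SESSION = array(
        'uname'  => $username,
        'ut'     => $user_type,
        'emp_id' => (int) $emp_id,
    );
}

// Gate a page on an allow-list of roles. The strict in_array avoids loose
// comparisons, and exit stops the rest of the page from being rendered.
function require_role(array $allowed) {
    send_no_cache_headers();
    if (!isset($_SESSION['ut']) || !in_array($_SESSION['ut'], $allowed, true)) {
        header('Location: index.php');
        exit;
    }
}

// Full logout: clear the data, expire the session cookie, destroy the server-side
// record, and make sure the redirect target is not served from cache.
function do_logout($redirect_to) {
    $_SESSION = array();
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
                  $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
    send_no_cache_headers();
    header('Location: ' . $redirect_to);
    exit;
}

// Example use at the top of a page that only non-employees may see (roles assumed):
// require_role(array('Admin'));
// and in logout.php: do_logout('../index.php');
```

With the role in `$_SESSION['ut']` set only by `start_authenticated_session()`, the `if($_SESSION['ut'] != "Employee")` checks in the posted files keep working, but the admin markup is no longer cacheable and a logout leaves nothing behind for the next login to inherit.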
