Reputation:
The main path of my application is as follows:
http://example.com/login.php
If the user logs in and the type is seller, then
http://example.com/login.php/seller/index.php
If the user logs in and the type is caller, then
http://example.com/login.php/caller/index.php
Problem:
If a seller is logged in and he/she changes the URL
http://example.com/login.php/seller/index.php
to
http://example.com/login.php/caller/index.php
PHP allows changing the whole module. So how can I prevent a seller from entering the caller module? My application is in core PHP; I used no frameworks. I have a field in the database named type, which holds a value like caller, seller or admin, and my database structure is as follows. Sorry, I have hidden the contact credentials; I hope it doesn't matter.
Upvotes: 3
Views: 89
Reputation: 78
Store the logged-in user's 'role' in the session during the login process.
Example:
$_SESSION['role'] = 'caller';
In each module, check the user's 'role'.
If your caller/index.php and seller/index.php share the same code, you can get the exact URI from $_SERVER['REQUEST_URI']:
if (!preg_match('!(caller|seller)/index\.php!', $_SERVER['REQUEST_URI'], $m)) {
    die("Wrong access");
}
$role = $m[1]; // module named in the URL
if ($role !== $_SESSION['role']) { // must match the role stored at login
    die("Wrong access");
}
Hope this helps
Upvotes: 1
Reputation: 1185
This can be solved by simply validating that a user has the correct account type, or access rights as it were to view each module. As there is no code in your question, this answer is going to be generic, but should guide you to be able to implement a similar solution in your own application.
So, you have two routes:
Seller
http://example.com/login.php/seller/index.php
Caller
http://example.com/login.php/caller/index.php
As Daniel wrote in the above answer, you could store the account types in a session variable. As there is a field in the database which stores the account type of each user, you can fetch this and store it.
When the user logs in, you can fetch this information from the database, and store it in a session:
<?php
// Login page
session_start(); // must run before $_SESSION is used
//...code to login user
$accountType = $queryResultAccountType; // Fetch the user's role from the database
$_SESSION['account_type'] = $accountType; // Store it in the session
Now, for each of your module pages, simply check to see if the user accessing the module has the correct account type:
Seller Route: index.php
<?php
session_start(); // must run before $_SESSION is used
if (!isset($_SESSION['account_type']) || $_SESSION['account_type'] != 'seller') {
    exit('No permission');
}
// load page here if they do have permission
Caller Route: index.php
<?php
session_start(); // must run before $_SESSION is used
if (!isset($_SESSION['account_type']) || $_SESSION['account_type'] != 'caller') {
    exit('No permission');
}
// load page here if they do have permission
This is a very broad and basic example, but hopefully you get the idea. You can adapt this to redirect them, show custom views and so on. I would highly recommend using a framework in future though, as a lot of this bare-bones functionality is already handled for you, in a much more robust way.
Upvotes: 2
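A shared gate file that does what the two answers above describe (role stored server-side at login, checked at the top of each module), as an added example that is not code from the question or from either answer; it assumes the users table has an `id` column alongside `type`, and the names `ROLES`, `role_allowed`, `require_role` and `establish_session` are chosen here.

```php
<?php
// auth_check.php: added example, not code from the question or the answers.
// Include it at the top of each module page; login.php is assumed to have
// stored the `type` column of the users table in $_SESSION['account_type'].
declare(strict_types=1);

const ROLES = ['seller', 'caller', 'admin']; // values of the `type` column

// Pure decision function: may a session with this content enter a module
// that requires $requiredRole? Everything unexpected is denied.
function role_allowed(array $session, string $requiredRole): bool
{
    if (!in_array($requiredRole, ROLES, true)) {
        return false;                        // unknown module name: deny
    }
    if (empty($session['user_id']) || empty($session['account_type'])) {
        return false;                        // not logged in: deny
    }
    // Strict comparison: only the exact role stored at login is accepted.
    return $session['account_type'] === $requiredRole;
}

// Gate used by the module pages. The role is read from the server-side
// session, never from the URL, so rewriting /seller/ to /caller/ in the
// address bar changes nothing.
function require_role(string $requiredRole): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!role_allowed($_SESSION, $requiredRole)) {
        http_response_code(403);
        exit('No permission');
    }
}

// In login.php, after the password check succeeded ($user is the DB row;
// the `id` column is an assumption, the `type` column is from the question).
function establish_session(array $user): void
{
    session_regenerate_id(true);             // fresh session id after login
    $_SESSION['user_id']      = (int) $user['id'];
    $_SESSION['account_type'] = $user['type'];
}

// seller/index.php then starts with:
//   require_once __DIR__ . '/../auth_check.php';
//   require_role('seller');
// and caller/index.php with require_role('caller').
```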
Reputation: 372
You can add a field type (seller or caller) in the User table of the database.
On every login, check whether the type is seller or caller.
Upvotes: 0