[PHP] Multiple sessions handle

04/14/2016 05:34 elmarcia#1
Hi guys, I'm learning the basics of PHP, didn't read anything, just started programming :)

I want to try developing an app that will have 3 possible session rights:

-> Root: Complete access (read/write) to databases (add/remove admins, drop tables, etc.)
-> Admin: Limited access to some tables (add/remove downloadable content, etc.)
-> Guest: Read the downloadable content table and download files...

This is the code by now:

index.php

login.php

admin.php|root.php|guest.php

Now my question is: how can I make it better? I don't know if this way is good for what I need or if what I did is all wrong :(

P.S.: I'm using XAMPP

Thx for your time :D
04/14/2016 10:02 florian0#2
That's pretty good for now. Keep working and your techniques will "evolve".

Some points to start:

1. You may want to avoid duplicate code like:
Code:
if(!isset($_SESSION["user_type"]) or $_SESSION["user_type"] != "root")
{
header("Location:/miapp/"); //Go back we aren't root or not session set yet.
}
Put it in a function called e.g. require_privilege("root");

Try to avoid duplicate code at all. When you notice you're reusing code from other files, consider defining it as a function. Not everything is a suitable function, but get used to functions.


2. After setting header('Location: ...') you should exit the script.
Otherwise the code after that may still be executed (without you having the corresponding permissions):
Code:
if(!isset($_SESSION["user_type"]) or $_SESSION["user_type"] != "root")
{
header("Location:/miapp/"); //Go back we aren't root or not session set yet.
exit;
}
3. Database Security
Code:
$query = "SELECT * FROM usuarios,tipo_usu WHERE usuarios.id_tipo = tipo_usu.id_tipo AND usuarios.user='".$user."' AND usuarios.password='".$psw."'";
SQL injections will occur. Avoid building your query like this. Use prepared statements. Easy, secure.

4. Templating
Think about separating your code and your HTML into different files. PHP is, by design, just a big template system. Your code is simple for now, but when it gets more complex, give that a try.
It's easier to work on the code without HTML tags floating all around, and it's easier to work on the design without complex PHP code everywhere.
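Points 1 to 3 of the reply above put together in one file, as an added example that is not the code of either poster. It assumes a PDO connection to the same MySQL schema the thread uses (tables usuarios and tipo_usu joined on id_tipo, columns usuarios.user and usuarios.password); the role-name column tipo_usu.nombre, the database name and credentials are assumptions. It also swaps the plaintext password comparison of the original query for password_hash()/password_verify(), which is not what the thread does.

```php
<?php
// Added example, not the original poster's code. Assumes the thread's schema:
// usuarios(user, password, id_tipo) and tipo_usu(id_tipo, nombre), where
// nombre is 'root', 'admin' or 'guest'. Column name "nombre" and the
// connection details below are assumptions.
declare(strict_types=1);

session_start();

// Point 1 and 2: one helper instead of copying the same if-block into
// admin.php / root.php / guest.php. It redirects and then exits, so nothing
// after the call runs for a user who lacks the role.
function require_privilege(string $role): void
{
    if (!isset($_SESSION['user_type']) || $_SESSION['user_type'] !== $role) {
        header('Location: /miapp/');
        exit;
    }
}

// Assumed connection. ATTR_EMULATE_PREPARES = false makes PDO use real
// server-side prepared statements instead of escaping on the client.
function connect(): PDO
{
    return new PDO(
        'mysql:host=localhost;dbname=miapp;charset=utf8mb4',   // assumed
        'miapp_user',                                          // assumed
        'miapp_password',                                      // assumed
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false,
        ]
    );
}

// Point 3: prepared statement instead of string concatenation. The user
// name travels as a bound parameter, so a value like  ' OR '1'='1  is
// compared literally and never becomes part of the SQL.
// Returns the role name on success, null on unknown user or wrong password.
function authenticate(PDO $pdo, string $user, string $password): ?string
{
    $stmt = $pdo->prepare(
        'SELECT usuarios.password, tipo_usu.nombre AS user_type
           FROM usuarios
           JOIN tipo_usu ON usuarios.id_tipo = tipo_usu.id_tipo
          WHERE usuarios.user = :user'
    );
    $stmt->execute([':user' => $user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() expects a password_hash() digest in the column
    // (assumption about the schema; the thread stores plaintext).
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    return $row['user_type'];
}

// login.php: only the role name is stored in the session, never the
// password. The session id is regenerated so a session fixed before login
// does not carry the new privilege.
function login(PDO $pdo, string $user, string $password): bool
{
    $role = authenticate($pdo, $user, $password);
    if ($role === null) {
        return false;
    }
    session_regenerate_id(true);
    $_SESSION['user_type'] = $role;
    return true;
}

// Usage in login.php (form fields "user" and "psw" as in the thread):
//   if (login(connect(), $_POST['user'] ?? '', $_POST['psw'] ?? '')) {
//       header('Location: /miapp/' . $_SESSION['user_type'] . '.php');
//       exit;
//   }
// Usage at the top of root.php:
//   require_privilege('root');
```

To store a password in the form password_verify() expects, insert it with `password_hash($psw, PASSWORD_DEFAULT)` and make the column wide enough (VARCHAR(255)). Keep require_privilege() in one shared file that every page includes so the check is never copied and edited in one place but not another.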
04/14/2016 15:35 elmarcia#3
Thx u so much, I will read and continue improving