[PHP]Multiple sessions handle

[elmarcia]

Hi guys i'm learning basics of php, didn't read anything just start programming

I want to try developing an app that will have 3 posible session rights:

->Root : Complete access (read/write) to databases. (add/remove admins,drop tables,etc)
->Admin: Limited access to some tables (add/remove Downloadable content,etc)
->Guest: Read downloadable content table and download files...

This is the code by now:

index.php

 Spoiler

PHP Code:

<?php
session_start();

if (isset($_SESSION["user_type"])){
$typeUser = $_SESSION["user_type"];
switch($typeUser){
case "root":
header("Location: root.php");
break;
case "guest":
header("Location: guest.php");
break;
case "admin":
header("Location: admin.php");
break;
default:
$_SESSION["user_type"] = "guest";
}
}else{
if (isset($_GET['usertype'])) {
$_SESSION["user_type"] = "guest";
header("Location: index.php");
}
}

?>
<html>
<head> 
<title>SomeTitle</title>
<link rel="stylesheet" type="text/css" href="../css/bootstrap.css">
</head>
<body>
<a href='?usertype=1' class="btn btn-default">I'm guest</a>
<a href='login.php' class = "btn btn-default">I'm user</a>
</body>
</html>

login.php

 Spoiler

PHP Code:

<?php
session_start();
if (isset($_SESSION["user_type"])){
header("Location: index.php"); //already logued in
}
if (isset($_POST["user"])){
$user = $_POST["user"];
$pass = $_POST["pass"];
$dbname = "misdatos";
$conection = dbConect($dbname);
validate($user,$pass,$conection);
}

function dbConect($dbname){
$servername = "localhost";
$username = "root";
$password = "";
$conn = mysqli_connect($servername, $username, $password,$dbname);
return $conn;
}

function validate($user,$psw,$conect){
$query = "SELECT * FROM usuarios,tipo_usu WHERE usuarios.id_tipo = tipo_usu.id_tipo AND usuarios.user='".$user."' AND usuarios.password='".$psw."'";
$result = mysqli_query($conect,$query)
 or die(mysqli_connect_error());
$row = mysqli_fetch_assoc($result);
if(is_array($row)){
$_SESSION["user_type"] = strtolower($row["descripcion"]);//user type 
$_SESSION["user"] = $row["user"];
header("Location: index.php");
}else{
header("Location:login.php?login=failed");
}
}
?>
<html>
<head>
<title>Login</title>
</head>
<body>
<?php 
if(isset($_GET["login"]))
{
echo "<h3>Wrong username or password</h3>"; 
}
?>
<form method="post" action="login.php">
<label>User</label>
<br></br>
<input name="user"></input>
<br></br>
<label>Password</label>
<br></br>
<input name="pass" type="password"></input>
<button type="submit">Login</button>
</form>
</body>
</html>

admin.php|root.php|guest.php

 Spoiler

PHP Code:

//--------ADMIN.PHP------------
<?php
session_start();
if(!isset($_SESSION["user_type"]) or $_SESSION["user_type"] != "admin")
{
header("Location:/miapp/"); //Go back we aren't admin or not session set yet.
}    
?>
<html>
<head>
<link rel="stylesheet" type="text/css" href="../css/bootstrap.css">
<title>Admin view</title>
</head>
<body>
<h1>Welcome admin <?php echo strtoupper($_SESSION["user"]);?></h1>
<a href="logout.php" class="btn btn-default">Logout</a>
</body>
</html>
//--------------------------------
//------------ROOT.PHP---------
<?php
session_start();
if(!isset($_SESSION["user_type"]) or $_SESSION["user_type"] != "root")
{
header("Location:/miapp/"); //Go back we aren't root or not session set yet.
}    
?>
<html>
<head>
<link rel="stylesheet" type="text/css" href="../css/bootstrap.css">
<title>Root view</title>
</head>
<body>
<h1>Welcome root <?php echo strtoupper($_SESSION["user"]);?></h1>
<a href="logout.php" class="btn btn-default">Logout</a>
</body>
</html>
//-----------------------------------------------
//-----------------GUEST.PHP-----------------
<?php
session_start();
if(!isset($_SESSION["user_type"]) or $_SESSION["user_type"] != "guest")
{
header("Location:/miapp/");
}    
?>
<html>
<head>
<link rel="stylesheet" type="text/css" href="../css/bootstrap.css">
</head>
<body>
<h1>Welcome guest :)</h1>
<a href="logout.php" class="btn btn-default">Logout</a>
</body>
</html>
//---------------------------------------

Now my question is, how can i make it better?, i don't know if this way is good for what i need or if what i did is all wrong

P.S: I'm ussing xampp

Thx for your time

[florian0]

Thats pretty good for now. Keep working and your techniques will "evolve".

Some points to start:

1. You may want to avoid duplicate code like:

Code:

if(!isset($_SESSION["user_type"]) or $_SESSION["user_type"] != "root")
{
header("Location:/miapp/"); //Go back we aren't root or not session set yet.
}

Put it in a function called e.g. require_privilege("root");

Try to avoid duplicate code at all. When you notice you're reusing code from other files, consider defining it as a function. Not everything is a suitable function, but get used to functions.


2. After setting header('Location: ...') you should exit the script.
Otherwise the code after that may still be executed (without you having the corresponding permissions):

Code:

if(!isset($_SESSION["user_type"]) or $_SESSION["user_type"] != "root")
{
header("Location:/miapp/"); //Go back we aren't root or not session set yet.
exit; 
}

3. Database Security

Code:

$query = "SELECT * FROM usuarios,tipo_usu WHERE usuarios.id_tipo = tipo_usu.id_tipo AND usuarios.user='".$user."' AND usuarios.password='".$psw."'";

SQL-Injections will occur. Avoid building your query like this. Use Prepared-Statementes. Easy, secure.
(< thanks emote -.-)

4. Templating
Think about separating your code and your html into different files. PHP is, by design, just a big template system. Your code is simple for now, but when it gets more complex, give that a try.
It's easier to work on the code without having html-tags floating all around and it's easier to work on the design without complex php-code everywhere.

[elmarcia]

Thx u so much i will read and continue improving