Access Editor (i.e. CRUD) pages via login only - variable-based header code

Access Editor (i.e. CRUD) pages via login only - variable-based header code

shawngibsonshawngibson Posts: 32Questions: 9Answers: 0

Hi All,

Happy New Year!

I realize this is not a PHP forum, but it's the only forum I'm an active participant in, and DataTables + Editor is core to my work.

Now that I need to start passing out the link to my server, I need to modify any editable database pages such that they are only editable via authorized login, credentials for which I can provide only to potential employers.

I already have a functional login system (PHP/Mariadb) and I have separated out my many database pages into editable and read-only variants. The read-only pages are served in the website's pages and the Editor versions are to be only accessible via a link within the read-only versions of the same page.

I have been scouring the internet for hours, but I have absolutely no PHP experience, so I'm just left scratching my head even though I'm pretty sure my problem is very simple.

The authentication script when successfully logged in sends the user to a particular (home.php) page, thus::

etc...
        header('Location: home.php');

        } else {
        // Incorrect password
        echo 'Incorrect username and/or password!';
    }
} else {
    // Incorrect username
    echo 'Incorrect username and/or password!';
}

And home.php therefore has this code before displaying the full HTML page:

<?php
// We need to use sessions, so you should always start sessions using the below code.
session_start();
// If the user is not logged in redirect to the login page...
if (!isset($_SESSION['loggedin'])) {
    header('Location: index.html');
    exit;
}
?>

...HTML CODE of actual page

Since I now need to have the first script direct the user to the appropriate Editor page, I need to include the second script at the top of each editable page but somehow need to tell the first (authentication) script which page to jump to once authenticated. So the Location of the Header script above needs to somehow pick up a variable given to it by the appropriate page and then go to that location with the header. So I need to create a variable in the editable page something like this mockup:

<?php

session_start();
$currentPage = "/dbs/mine/database1.php";

etc...
?>

...where $currentPage would be the URL of any particular page which is asking to be authorized before allowing access,
and inject it here:

        header('Location: $currentPage');

But it seems I can't even create a variable on Page1 and have it appear to exist on Page2, so I'm lost...

All linked pages of the website now direct to read-only DataTables pages, with a link therein directing the user to the editable/Editor version of the same page if they authenticate. It's simple but keeps users who may find an unlinked but editable page from doing any damage should they try.

Answers

  • shawngibsonshawngibson Posts: 32Questions: 9Answers: 0

    Got it, though I offer no assurances to its actual security.

    The header now reads:

    header('Location: ' .$value);
    

    with the following line added after session_start();:

    $value = $_SESSION['page'];
    

    And top of each editable page, we have:

    <?php
        
    // We need to use sessions, so you should always start sessions using the below code.
    session_start();
    $phpVariable = "../me/products_all.php";
    $_SESSION['page'] = $phpVariable;
    // If the user is not logged in redirect to the login page...
    if (!isset($_SESSION['loggedin'])) {
        header('Location: ../login.php');
        exit;
    }
    ?>
    

    where ./me/products_all.php is the current, editable page.

    Et voila:)

  • allanallan Posts: 62,099Questions: 1Answers: 10,183 Site admin

    In PHP a single quote creates a string that is literal - it will not expand the variables in it. If you'd used header("Location: $currentPage"); that would have worked. See the PHP docs here for more details.

    Good to hear you got something working.

    Allan

Sign In or Register to comment.