I am new to programming and would like to get some insight from the smart folks here at DP. I am creating a series of pages to share information from a MySQL db to users who authenticate from a login screen. I have been able to authenticate a user utilizing an md5 translation on the password and it works great. Here is my problem: I don't know how to make every page require an authenticated user. I don't want people to be able to navigate my site structure directly to view data. I want all users to be logged in, and only then will they be able to follow the links offered from their login-validated page. I hope this makes sense. I am not looking for DP members to do my work for me, just advice and pointers to what I need to do in order to accomplish the task. My research has been steering me to sessions but I just don't know what to do. Please help.
Here's a really simple example that leaves some for you to do. Once they've authenticated, set a session variable to their username:

```php
$_SESSION['valid_user'] = $username;
```

Then you can have a function that checks to make sure they're still valid for every page, something like:

```php
function check_valid_user($username)
{
    // Run a query to see if their username is found in the database
    // and set $username_found to true when it is.
    $username_found = false;

    return $username_found == true;
}
```

then in your pages use this:

```php
session_start(); // must run before $_SESSION is read

if (isset($_SESSION['valid_user']) && check_valid_user($_SESSION['valid_user'])) {
    // display content that is only for authenticated users
} else {
    // display login form or 'you must log in', etc...
}
```

-the mole
Thank you to themole! This is a great start for me... thanks a lot. Suppose I have a directory of files (a catch-all directory) and I have a db table that lists all client IDs along with file pointers to their files located in the catch-all directory. How would I prevent a user from accessing a file directly once logged in? In other words, how do I keep user A (if he knew the file name) from seeing user B's files or vice versa? I am setting up pages to query the db for all client files (from the db) and showing them to the user in html <ul></ul> format. But I just want to ensure that altering the url specification does not allow them access to other files in the catch-all directory than their db-specified files. Thanks again.
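
The session check from the reply above, applied to the shared-directory case asked about here, as an added example that is not part of the original thread. The table and column names, the directory path and both function names are assumptions, and an in-memory SQLite database stands in for the MySQL one.

```php
<?php
// Added example. Table/column names, the directory path and both function
// names are assumptions; in-memory SQLite stands in for the MySQL database.

// Constructed sample data: which client owns which stored file.
function sample_db(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE client_files (id INTEGER PRIMARY KEY, client TEXT, stored_name TEXT)');
    $pdo->exec("INSERT INTO client_files (client, stored_name) VALUES
        ('userA', 'a-report.pdf'), ('userB', 'b-invoice.pdf')");
    return $pdo;
}

// Returns the path to serve, or null when the request must be refused.
// $session is $_SESSION; $fileId is the id taken from the URL.
function resolve_download(PDO $pdo, array $session, $fileId, string $dir): ?string {
    if (empty($session['valid_user'])) {
        return null;                       // not logged in
    }
    // The WHERE clause ties the row to the logged-in user, so an id that
    // belongs to another client matches nothing.
    $stmt = $pdo->prepare('SELECT stored_name FROM client_files WHERE id = ? AND client = ?');
    $stmt->execute([$fileId, $session['valid_user']]);
    $name = $stmt->fetchColumn();
    if ($name === false) {
        return null;                       // unknown id or someone else's file
    }
    // basename() drops any directory part stored in the table by mistake.
    return rtrim($dir, '/') . '/' . basename($name);
}

// In a real download.php: session_start(); call resolve_download() with
// $_SESSION and $_GET['id']; on null send 403; otherwise send the file with
// readfile(). The directory sits outside the web root so no URL reaches it.
$pdo = sample_db();
$dir = '/srv/client_files';                // assumed location outside web root
var_dump(resolve_download($pdo, ['valid_user' => 'userA'], 1, $dir)); // own file
var_dump(resolve_download($pdo, ['valid_user' => 'userA'], 2, $dir)); // userB's file
var_dump(resolve_download($pdo, [], 1, $dir));                        // no session
```

The links in the `<ul>` list then carry only the row id, never the stored file name, and every request goes through the ownership lookup.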