Here is a bit of PHP code and a color-coded menu system for building websites with more than one level of access. I use this system on a three-level subscription website for landlords and property managers. The guest level provides no access to our tenant database. Confirmed landlords and property managers are given a four-digit code, which allows them to search for a tenant’s name in our database and offers them a chance to purchase a report if a match is found. Landlords and property managers with a paid subscription receive a six-digit code, which permits full access to our database.
Guest users, those without a four- or six-digit code, won’t be able to get beyond the index page when they try to look up a tenant in the database. Any of several four-digit codes will load page35.php, which offers limited search capability. The six-digit codes, which are given to paid subscribers, redirect to page57.php.
To see how all of this works, visit http://www.wnylandlord.com.
First, the PHP. You’ll need a *nix server with register_globals set to “ON”.
<?php ob_start(); // buffer output so headers and cookies can still be sent later
error_reporting(E_ALL);
?>
<head>
<?php session_start();
if (!isset($_SESSION['count'])) {
$_SESSION['count'] = 0;
} else {
$_SESSION['count']++;
}
$_SESSION['kode']='0';
?>
<P><form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="POST">
<strong><SPAN CLASS="SMALLER">To search the database, enter your confirmation or
subscription code here: </SPAN></strong><input type="text" name="SubCode" size="10">
<INPUT TYPE="image" src="sendbutton.jpg" alt="send!">
</form>
<?php // $SubCode is filled in from the form field by register_globals.
$kode = strtolower($SubCode);
$confcode = array('43qy', '7ck4', 'b8ju', 'df73', 'tsr5', 'gb97');
// The above codes are for limited access, to allow a person to
// see names only, and are to be given only to verified
// landlords and property managers.
$subscrcode = array('43qy6u', '7ck45x', 'b8ju68', 'df733k', 'tsr557', 'gb973h');
// Here are the months/years corresponding to the above codes.
// These codes are for full access.
// CHARTER MEMBERS 43qy6u never expires!!!!!!!
// Dec 08 7ck45x expires Dec 09
// Jan 09 b8ju68 " Jan 10
// Feb 09 df733k " Feb 10
// Mar 09 tsr557 " Mar 10
// Apr 09 gb973h " Apr 10
// Both cookies store the literal string 'kode', not the submitted code.
setcookie('user', 'kode', time()+86400);
$domain = ($_SERVER['HTTP_HOST'] != 'localhost') ? $_SERVER['HTTP_HOST'] : false;
setcookie('monthcode', 'kode', time()+60*60*24, '/', $domain, false);
if (in_array($kode, $subscrcode)) {
header("Location: page57.php");
exit; // stop here so the rest of the page is not sent after the redirect
}
if (in_array($kode, $confcode)) {
header("Location: page35.php");
exit;
}
?>
... put some text for your page here. Don't forget to put this at the very end of the page:
<?php ob_end_flush();
?>
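As an added example (not the site's own code), here is one way to enforce the three levels on the server without register_globals, which was removed in PHP 5.4: the index page passes the submitted code from $_POST to log_in(), the level is kept in the session, and page35.php and page57.php each check it themselves instead of relying on the redirect. The file name access.php, the function names and the sample codes are assumptions made for the illustration.

```php
<?php
// access.php (hypothetical name): include at the top of every page,
// after session_start() has been called.
declare(strict_types=1);

const LEVEL_GUEST = 0;       // index page only
const LEVEL_CONFIRMED = 1;   // four-character codes, page35.php
const LEVEL_SUBSCRIBER = 2;  // six-character codes, page57.php

// Constructed sample codes; null means the code never expires.
const CODES = [
    'abcd'   => ['level' => LEVEL_CONFIRMED,  'expires' => null],
    'abcd12' => ['level' => LEVEL_SUBSCRIBER, 'expires' => '2099-12-31'],
];

// Map a submitted code to an access level, honouring the expiry date.
function level_for_code(string $submitted, string $today): int {
    $submitted = strtolower(trim($submitted));
    $level = LEVEL_GUEST;
    foreach (CODES as $code => $info) {
        // PHP turns numeric array keys into ints, hence the cast.
        // hash_equals() compares without leaking the match position via timing.
        if (hash_equals((string) $code, $submitted)
            && ($info['expires'] === null || $today <= $info['expires'])) {
            $level = $info['level'];
        }
    }
    return $level;
}

// Index page: record the level in the server-side session, not in a cookie value.
function log_in(string $submitted): int {
    $level = level_for_code($submitted, date('Y-m-d'));
    if ($level > LEVEL_GUEST) {
        session_regenerate_id(true); // fresh session ID once privileges change
        $_SESSION['level'] = $level;
    }
    return $level;
}

// First call in page35.php / page57.php: enforce the level on the page itself.
function require_level(int $needed): void {
    if (($_SESSION['level'] ?? LEVEL_GUEST) < $needed) {
        header('Location: index.php');
        exit;
    }
}
```

On the index page this would be called as log_in($_POST['SubCode'] ?? ''), and page57.php would begin with require_level(LEVEL_SUBSCRIBER). The same session value can decide which of the three menus to include.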
The second part of the setup is three menus which go on the left side of the page, again depending on the visitor’s access level. On our site, they’re called leftmenu.php, nsleftmenu.php, and sleftmenu.php. The guest menu is beige, the limited-access menu is blue, and the subscribers’ menu is beige with a pale blue border. Call the menus up like this:
<P CLASS="LEFTCOLUMN">
<?php include "leftmenu.php"; ?>
</P>
Additional links and features for subscribers can be listed on menus just for them. Guest users can’t see the higher-level menus.
Just one more thing. Although our website has never had a security problem, I must point out that this system is _not_ secure enough to guard health, legal, or other sensitive information.







Alex Thiel on 24 February, 2010
Leaving aside that access levels normally refer to something completely different – the visibility of class attributes and methods – the above code is frighteningly unsafe. If you don’t want to remove it, at least put a big sign on top of it, stating that it is quite inadvisable to use such code while there exist thousands of tutorials and ready-made CRMs that can accomplish all necessary stuff for you.