Creating Access control in PHP and MySql

When I was working on a module, I wanted to give a selected user a selected access control for a webpage. But how is that possible for all the users with different access controls?

So I decided to go with session-based access control, which I can handle on the PHP and MySQL side. Before starting with our code, let's discuss access control.

Most websites have a feature for free and premium users, with different access control for each. Free users have limited access, so they do not have the same privileges as premium users.

Premium users have unlimited access and get a quicker response than free users. This is just an example of how access control differs between free and premium users.

Let's start on the code side and see how it works. First, the users table, which stores the username, the password and the access control level.

CREATE TABLE IF NOT EXISTS `users` (
  `user_id` int(11) NOT NULL AUTO_INCREMENT,
  `username` varchar(20) NOT NULL,
  `password` varchar(32) NOT NULL,
  `access_control` tinyint(1) NOT NULL,
  PRIMARY KEY (`user_id`),
  UNIQUE KEY `idx_username` (`username`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8 AUTO_INCREMENT=1 ;


Let's create two users, one free and one paid:
INSERT INTO `users` (`user_id`, `username`, `password`, `access_control`) VALUES
(1, 'free_user', 'f2ffd12f81567f535ace07a8730ce92c', 1),
(2, 'paid_user', '8208ccaa5835da2b29bf779310f03b4f', 2);

The db_config.php file holds the database connection.

<?php
// Database connection using mysqli
$mySqli = new mysqli("localhost", "root", "", "demo");

// stop early if the connection failed instead of running queries on a broken handle
if ($mySqli->connect_error) {
    die("Database connection failed");
}

Now our login.php page, with the username and password form.

<html>
<head>
<title>Codeasearch.com - Login for Access Control</title>
</head>
<body>
<form action="auth.php" method="post">
<table align="center">
<tr>
<td colspan="2" height="150px"></td>
</tr>
<tr>
<td>Username</td>
<td><input type="text" name="txtUsr" /></td>
</tr>
<tr>
<td>Password</td>
<td><input type="password" name="txtPwd" /> <input type="submit" name="btnLogin" value="Login" /></td>
</tr>
</table>
</form>
</body>
</html>

The auth.php page authenticates the username and password, then redirects to a page based on the credentials and the access control level.

<?php
// including database connection
require_once("db_config.php");
session_start();

// assigning default url for redirection
$strUrl = 'login.php?error=invalid';

if (isset($_POST["btnLogin"])) {
	$txtUsr = $_POST["txtUsr"];
	// md5 is used here only to match the sample rows inserted above; it is not a
	// suitable password hash. Prefer storing password_hash() output and checking
	// it with password_verify().
	$txtPwd = md5($_POST["txtPwd"]);

	// checking whether the username and password are valid, using a prepared
	// statement so the submitted values are never concatenated into the SQL text
	$strSql = "select user_id,username,access_control from users where username=? and password=?";
	$stmt = $mySqli->prepare($strSql);
	$stmt->bind_param("ss", $txtUsr, $txtPwd);
	$stmt->execute();
	$result = $stmt->get_result();

	// if the auth is valid it will assign to session and redirect to my-account.php page
	if ($result->num_rows == 1) {
		$row = $result->fetch_array(MYSQLI_ASSOC);
		// issue a fresh session id on login so an id set before authentication is not reused
		session_regenerate_id(true);
		$_SESSION["userid"] = $row["user_id"];
		$_SESSION["username"] = $row["username"];
		$_SESSION["access_control"] = $row["access_control"];
		$strUrl = 'my-account.php';
	}

	$result->free();
	$stmt->close();

	// closing the connection
	$mySqli->close();
}

// redirecting the webpage based on the condition; exit so nothing runs after the redirect
header("Location: $strUrl");
exit;

The my-account.php page shows different content for free and premium users.

<?php
session_start();

// if no user is in the session, redirect to login.php and stop before any output is sent
if (empty($_SESSION["userid"])) {
    header("Location: login.php?error=session_expired");
    exit;
}

// assigning the session variable to access_control (cast to int for a numeric comparison)
$access_control = (int) $_SESSION["access_control"];
?>
<html>
<head>
<title></title>
</head>
<body>
<table>
<tr>
<td>Welcome <?php echo htmlspecialchars($_SESSION["username"]); ?>! | <a href="logout.php">Logout</a></td>
</tr>
<tr>
<td height="50"></td>
</tr>
<tr>
<td>
<?php
// based on the access control we display the access level.
if ($access_control == 1) { ?>
You are a free user, you have limited access only
<table>
<tr>
<td>Access 1</td><td>Access 2</td>
</tr>
</table>
<?php } ?>
<?php if ($access_control == 2) { ?>
You are a paid user, you have unlimited access
<table>
<tr>
<td>Access 1</td><td>Access 2</td><td>Access 3</td><td>Access 4</td>
</tr>
</table>
<?php } ?>
</td>
</tr>
</table>
</body>
</html>
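The session and access-level check that my-account.php performs inline can be centralised so every protected page runs it before sending any output. The following access_guard.php is an added example, not code from the original post; the file name, the function names and the ACCESS_* constants are assumptions, and it treats the page's access_control values as ordered levels (1 = free, 2 = paid) so a page can require "paid or higher".

```php
<?php
// access_guard.php (assumed file name): shared login and access-level checks.
// Relies on the session keys auth.php sets: userid, username, access_control.
declare(strict_types=1);

// Access levels as stored in users.access_control on this page.
const ACCESS_FREE = 1;
const ACCESS_PAID = 2;

function start_session_once(): void
{
    if (session_status() === PHP_SESSION_NONE) {
        // Accept the session id from the cookie only, and hide it from page scripts.
        ini_set('session.use_only_cookies', '1');
        ini_set('session.cookie_httponly', '1');
        session_start();
    }
}

// Sends the visitor to login.php unless auth.php has stored a user id in the session.
function require_login(): void
{
    start_session_once();
    if (empty($_SESSION['userid'])) {
        header('Location: login.php?error=session_expired');
        exit; // without exit, the rest of the protected page would still be sent
    }
}

// Sends the visitor back to my-account.php unless the session holds at least $minLevel.
// The stored value is cast to int so the comparison is numeric, never a loose string match.
function require_access_level(int $minLevel): void
{
    require_login();
    $level = (int) ($_SESSION['access_control'] ?? 0);
    if ($level < $minLevel) {
        header('Location: my-account.php?error=upgrade_required');
        exit;
    }
}

// Usage at the top of a page that only paid users may see (for example premium.php):
//   require_once 'access_guard.php';
//   require_access_level(ACCESS_PAID);
```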

Finally, our logout page, which destroys the session and redirects to the login page.

<?php
// destroy the session and redirect to login.php page
session_start();
$_SESSION = [];     // clear the session data held in memory
session_destroy();  // remove the server-side session store
header("Location: login.php?logout");
exit;