php session directory permission deny


I am new to PHP.

This is the login page script:

<?php
    session_start();   // must run before anything is written to $_SESSION below
    include('dbconnect.php');

    // Note: the mysql_* functions are deprecated since PHP 5.5 and removed in PHP 7,
    // so this script only runs on PHP 5.
    $username = mysql_real_escape_string($_POST['username']);
    $password = mysql_real_escape_string($_POST['password']);

    // Unsalted md5 is a weak password hash; password_hash()/password_verify() is the modern replacement
    $admins_sql = "SELECT * FROM administrator WHERE username = '" . $username . "' AND password = '" . md5($password) . "' AND status = 'Active'";
    $admin_exe = mysql_query($admins_sql, $con);

    // Setting session variables
    $admin_row = mysql_fetch_array($admin_exe);
    if (!$admin_row) {
        // No active account matched: do not create a session for an unknown user
        exit('Login failed');
    }
    $_SESSION['username'] = $admin_row['username'];
    $_SESSION['type'] = $admin_row['type'];

    // Redirect each user type to its own folder
    if ($_SESSION['type'] == 'Admin') { header("Location:admin"); exit(); }
    if ($_SESSION['type'] == 'Main') { header("Location:main"); exit(); }
    if ($_SESSION['type'] == 'Teaching') { header("Location:Teaching"); exit(); }
    if ($_SESSION['type'] == 'Exam Cell') { header("Location:Exam Cell"); exit(); }
    if ($_SESSION['type'] == 'Non-Teaching') { header("Location:Non-Teaching"); exit(); }
    if ($_SESSION['type'] == 'Library') { header("Location:Library"); exit(); }
    // 'Main' is already handled above, so this branch is never reached
    if ($_SESSION['type'] == 'Main') { header("Location:office"); exit(); }
    if ($_SESSION['type'] == 'Placement') { header("Location:Placement"); exit(); }
    if ($_SESSION['type'] == 'Systems') { header("Location:CC"); exit(); }
    if ($_SESSION['type'] == 'student') { header("Location:student"); exit(); }
?>

I have folders as seen in the redirects in the above script.

My problem is that if a Teaching type user logs in, they are redirected to the URL IP Address/main folder name/Teaching/index.php. They could just change Teaching in the URL to admin, enter the admin folder and access the admin features.

What I want is for one type of user not to be able to enter another type of user's folder.


devasia2112

For example, at the top of your Main page you should validate the access, and do the same for each area you have. There are other ways to do this, but this way should be OK for what you are looking for.

session_start();
// OR, not AND: with AND, a user whose type is set to anything other than 'Main' would pass the check
if( !isset( $_SESSION['type'] ) OR $_SESSION['type'] !== 'Main' ) {
    header("Location: AccessDenied");
    exit();   // header() only sends the redirect; without exit() the rest of the page is still rendered
}
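A more complete version of this guard, as an added example that is not part of the question or the answer: one shared auth_guard.php that maps each folder to the role allowed inside it, denies any folder that is not listed, logs denied attempts, and is included at the top of every area's index.php. The folder and role names are the ones used by the login script in the question; auth_guard.php, the /AccessDenied denial page, require_folder_access() and start_authenticated_session() are assumed names, not anything from the original.

```php
<?php
// auth_guard.php (added example; not code from the question or the answer).
// Requires PHP 7.1+. Include it as the first statement of every index.php in a
// role-specific folder, before any HTML output, e.g. in Teaching/index.php:
//   require __DIR__ . '/../auth_guard.php';
//   require_folder_access('Teaching');
// Assumed: the denial page lives at /AccessDenied; folder and role names are
// the ones used by the question's login script.
declare(strict_types=1);

// Folder name => the single role allowed inside it. Anything not listed is
// denied to everyone, so a new folder stays closed until it is added here.
const FOLDER_ROLES = [
    'admin'        => 'Admin',
    'main'         => 'Main',
    'Teaching'     => 'Teaching',
    'Exam Cell'    => 'Exam Cell',
    'Non-Teaching' => 'Non-Teaching',
    'Library'      => 'Library',
    'office'       => 'Main',
    'Placement'    => 'Placement',
    'CC'           => 'Systems',
    'student'      => 'student',
];

/**
 * Decide whether a session with role $sessionType may enter $folder.
 * Kept free of side effects so the rule can be read and tested on its own.
 */
function role_may_access(?string $sessionType, string $folder): bool
{
    if ($sessionType === null || !array_key_exists($folder, FOLDER_ROLES)) {
        return false;
    }
    // Strict comparison: 'Admin' and 'admin' are different roles, and a
    // loose == would treat unexpected values as equal in surprising ways.
    return FOLDER_ROLES[$folder] === $sessionType;
}

/**
 * Stop the request unless the logged-in user may enter $folder.
 * Must run before any output, because header() cannot be sent afterwards.
 */
function require_folder_access(string $folder): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $type = $_SESSION['type'] ?? null;
    if (!role_may_access(is_string($type) ? $type : null, $folder)) {
        // Record the denied attempt: folder, claimed role and client address
        // are what an administrator needs in order to notice URL tampering.
        error_log(sprintf(
            'access denied: folder=%s session_type=%s ip=%s',
            $folder,
            is_string($type) ? $type : '(none)',
            $_SERVER['REMOTE_ADDR'] ?? '-'
        ));
        header('Location: /AccessDenied');
        // exit() matters: header() only adds a redirect header; without it
        // the rest of the page is still rendered and sent to the client.
        exit();
    }
}

/**
 * For the login script: call this once the credentials have been verified,
 * instead of assigning to $_SESSION directly.
 */
function start_authenticated_session(string $username, string $type): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // Issue a fresh session id so an id obtained before login is not
    // upgraded to an authenticated one (session fixation).
    session_regenerate_id(true);
    $_SESSION['username'] = $username;
    $_SESSION['type']     = $type;
}
```

The point of the lookup table is that the decision is made by the server from the session, never from anything in the URL: changing Teaching to admin in the address bar still leaves $_SESSION['type'] as 'Teaching', so require_folder_access('admin') at the top of admin/index.php redirects before any admin content is produced.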