Protect access to files on my system (php)

I implemented a session system to protect my PHP files; I include it in every PHP file that shows a menu.

<?php
   // This file is included by pages that have already called session_start().
   // CONNECTING TO THE SYSTEM ACCORDING TO USER TYPE //
   if (isset($_SESSION['conectado']) && $_SESSION['conectado'] == true && $_SESSION['nivel']==0) {
   // ------------------------ //
   } else {
   // ACCESS DENIED MESSAGE //
   echo ('<script>alert("No tiene permisos suficientes para acceder a esta parte del sistema");</script>');
   echo ("<script>window.location = 'index.php';</script>");
   exit;
   // ------------------------ //
   }
   // ------------------------ //
   $now = time();
   if($now > $_SESSION['expira']) {
   // DESTROY THE SESSION BEFORE LOGGING THE USER OUT //
   session_destroy();
   // SESSION EXPIRED MESSAGE //
   echo ('<script>alert("Su sesión ha expirado");</script>');
   echo ("<script>window.location = 'index.php';</script>");
   exit;
   }
   // ------------------------ //
?>

I also have another type of file called actions; these are all the actions that the PHP executes: insert, modify, delete, query. To prevent people from opening them directly I add:

if(!isset($_POST['submit'])){
  // the request did not come from the form: deny and stop
  echo ('<script>alert("No tiene permisos suficientes para acceder a esta parte del sistema");</script>');
  echo ("<script>window.location = 'index.php';</script>");
  exit;
}

And finally I have FUNCTIONS, which are responsible for filling selects and checkboxes, one or two functions that show the user's data, and functions that are triggered with $.post and return JSON.

The problem is that I do not know how to protect these files, and a person could access them (although not all of them show important information).

  • If I use the ISSET method, they give me an error because there is no submit, and it does not include them in the system.

  • If I include the session method, it gives me an error because I must start the session first; if I write session_start it tells me that the headers have already been sent (earlier, in the menu where this functions file is included).

  • What can I do to prevent access to these files?

    asked by Victor Alvarado 22.03.2017 at 19:57
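The two errors in the question (no `submit` on JSON calls, and "headers already sent" when `session_start()` runs twice) both disappear with a single guard include that starts the session only when none is active and answers script calls with a JSON 403 instead of a JavaScript alert. The following is an added example, not code from the question or from either answer; the session keys `conectado`, `nivel` and `expira` are the question's, while the function names and the JSON/redirect behaviour are this example's own assumptions.

```php
<?php
// auth_check.php (assumed name): include at the top of every page, action file
// and JSON function file, before any HTML output.

// Start the session only if nothing has started it yet. This is what avoids
// the "headers already sent" error when a parent file already called session_start().
function ensure_session_started(): void
{
    if (session_status() === PHP_SESSION_NONE) {
        session_start();
    }
}

// True when the request comes from $.post()/fetch rather than a browser navigation.
function is_ajax_request(): bool
{
    $xrw    = $_SERVER['HTTP_X_REQUESTED_WITH'] ?? '';
    $accept = $_SERVER['HTTP_ACCEPT'] ?? '';
    return strcasecmp($xrw, 'XMLHttpRequest') === 0
        || stripos($accept, 'application/json') !== false;
}

// Reject the request: JSON 403 for scripts, HTTP redirect for pages.
// An alert() plus window.location runs on the client, so a client that ignores
// the script still receives whatever the file prints afterwards; the exit below
// is the actual control.
function deny(string $reason): void
{
    if (is_ajax_request()) {
        http_response_code(403);
        header('Content-Type: application/json; charset=utf-8');
        echo json_encode(['ok' => false, 'error' => $reason]);
    } else {
        header('Location: index.php', true, 302);
    }
    exit;
}

// $allowedLevels lists the $_SESSION['nivel'] values that may use the including file.
function require_login(array $allowedLevels = [0]): void
{
    ensure_session_started();

    if (empty($_SESSION['conectado'])) {
        deny('not logged in');
    }

    // Expiry is checked before the level: an expired session grants nothing.
    if (!isset($_SESSION['expira']) || time() > (int) $_SESSION['expira']) {
        $_SESSION = [];
        session_destroy();
        deny('session expired');
    }

    $level = (int) ($_SESSION['nivel'] ?? -1);
    if (!in_array($level, $allowedLevels, true)) {
        deny('insufficient level');
    }
}
```

A menu page would begin with `require_once 'auth_check.php'; require_login([0]);`, a functions file called from `$.post` with `require_login([0, 1]);`, and neither needs its own `session_start()`. Because `deny()` sends a `Location` header, the include has to run before the file prints anything.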

    2 answers


I used the following measures to protect my system without having to change the database.

      

    SESSIONS:

    <?php
           // allow level 0 or level 1: joined with && the two checks could never both be true
           if ((isset($_SESSION['conectado']) && ($_SESSION['conectado'] == true) && (($_SESSION['nivel']==0) || ($_SESSION['nivel']==1))))
           {
        } else {
       echo ('<script>alert("No tiene permisos suficientes para acceder a esta parte del sistema");</script>');
       echo ("<script>window.location = 'index.php';</script>");
       exit;
       }
       $now = time();
       if($now > $_SESSION['expira']) {
       session_destroy();
       echo ('<script>alert("Su sesión ha expirado");</script>');
       echo ("<script>window.location = 'index.php';</script>");
       exit;
       }
       ?>
    
      

    MENUS

    <?php
       session_start();
       include_once 'sesion_todos.php';
    ?>
    
      

    ACTIONS

     <?php
        // the form that calls this action sends temp=1; anything else is rejected
        $temp = isset($_POST["temp"]) ? $_POST["temp"] : null;

        if ($temp == 1)
          {
          // the action continues below
          }
          else
          {
          echo ('<script>alert("No tiene permisos suficientes para acceder a esta parte del sistema");</script>');
          echo ("<script>window.location = 'index.php';</script>");
          exit; // without exit the rest of the action would still run
          }

        ?>

    answered on 03.04.2017 at 15:51
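The flag in the ACTIONS block above is a fixed value that any client can send; the same idea becomes a real check when the form carries a random per-session token that the action file compares before doing anything. The following is an added example that is not the answer's own code; `csrf_token`, `csrf_field` and `require_action_request` are names chosen for this example, and `conectado` is the session key from the question.

```php
<?php
// action_guard.php (assumed name): included by insert/modify/delete action files.

function ensure_session_started(): void
{
    if (session_status() === PHP_SESSION_NONE) {
        session_start();
    }
}

// Called by the page that renders the form. One token per session, created lazily.
function csrf_token(): string
{
    ensure_session_started();
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
    }
    return $_SESSION['csrf_token'];
}

// Hidden field to echo inside each <form method="post">.
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Called at the top of the action file. Continues only for a logged-in user's
// POST whose token matches the session; every other request is stopped here.
function require_action_request(): void
{
    ensure_session_started();

    // Opening the action file in the browser is a GET: refuse it outright.
    if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST') {
        http_response_code(405);
        header('Allow: POST');
        exit('Method not allowed');
    }
    if (empty($_SESSION['conectado'])) {
        http_response_code(403);
        exit('Not logged in');
    }
    $sent     = $_POST['csrf_token'] ?? '';
    $expected = $_SESSION['csrf_token'] ?? '';
    // hash_equals compares in constant time; an empty expected token never matches.
    if ($expected === '' || !is_string($sent) || !hash_equals($expected, $sent)) {
        http_response_code(403);
        exit('Invalid request token');
    }
}
```

The form page prints `echo csrf_field();` inside its `<form>`, and an action file such as `eliminar.php` (assumed name) starts with `require_once 'action_guard.php'; require_action_request();`. Unlike the `temp` flag, the token cannot be guessed by a third-party page, so the guard also covers requests forged from another site, not only direct navigation.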

    Here is the example; I hope it helps you. Basically what you have to do is create two tables, one for the menu and a second for the permissions. The permissions table you do have to relate to the users table.

    Structure of the menu table:

    CREATE TABLE IF NOT EXISTS menu (
      id int(15) NOT NULL AUTO_INCREMENT,
      nombre varchar(100) NOT NULL,
      link varchar(100) NOT NULL,
      orden int(2) NOT NULL,
      grupo int(2) NOT NULL,
      PRIMARY KEY (id),
      KEY id (id) USING BTREE
    ) ENGINE=InnoDB AUTO_INCREMENT=20 DEFAULT CHARSET=utf8;
    

    Structure of the permissions table:

    CREATE TABLE IF NOT EXISTS permisos (
      id int(15) NOT NULL AUTO_INCREMENT,
      id_usaurio int(15) NOT NULL,
      id_menu int(15) NOT NULL,
      nuevo int(1) NOT NULL,
      editar int(1) NOT NULL,
      mostrar int(1) NOT NULL,
      borrar int(1) NOT NULL,
      pdf int(1) NOT NULL,
      excel int(1) NOT NULL,
      PRIMARY KEY (id),
      KEY id_menu (id_menu) USING BTREE,
      KEY id (id) USING BTREE,
      KEY permisos_ibfk_1 (id_usaurio) USING BTREE,
      CONSTRAINT permisos_ibfk_2 FOREIGN KEY (id_menu) REFERENCES menu (id) ON DELETE CASCADE ON UPDATE NO ACTION,
      CONSTRAINT permisos_ibfk_3 FOREIGN KEY (id_usaurio) REFERENCES agent (id) ON DELETE CASCADE ON UPDATE NO ACTION
    ) ENGINE=InnoDB AUTO_INCREMENT=1696 DEFAULT CHARSET=utf8;
    

    In the view:

           <ul class="nav">
            <li class="divider-vertical"></li>
              <?php 
              $data_gru = $rol->get_menu_grupo($_SESSION["credentials"]["userType"],$_SESSION["credentials"]["userId"]);
              foreach($data_gru as $valueg){
               ?>
              <li class="dropdown">
                <a data-toggle="dropdown" class="dropdown-toggle" href="#"><?php echo htmlspecialchars($valueg['nombre']); ?><b class="caret"></b></a>
                <ul class="dropdown-menu">
                <?php 
                    $data_men = $rol->get_menu_link($_SESSION["credentials"]["userType"],$_SESSION["credentials"]["userId"],$valueg['grupo']);
                    foreach($data_men as $value){
                 ?>
                  <!-- values from the database are escaped before being placed in the HTML -->
                  <li><a href="index.php?c=<?php echo urlencode($value['link']); ?>"><?php echo htmlspecialchars($value['nombre']); ?></a></li>
                <?php } ?>
                </ul>
              </li>
              <?php } ?>
            </ul>
    

    In the model:

    // Function that fetches the menu groups (rows whose link is empty) visible to the user.
    public function get_menu_grupo($tipo, $usuario){
        $usuario = (int) $usuario; // cast before interpolating into the SQL string
        if($tipo == 1){
            $query = $this->db->query("SELECT menu.id, menu.nombre, menu.grupo FROM menu WHERE menu.link = '' Order By  menu.grupo ASC");   
        }else{
            $query = $this->db->query("SELECT menu.id, menu.nombre, menu.grupo FROM menu INNER JOIN permisos ON menu.id = permisos.id_menu WHERE menu.link = '' AND permisos.id_usaurio = '".$usuario."' GROUP BY menu.nombre Order By  menu.grupo ASC");
        }
        $this->aplicacion = array(); // must be an array: [] on a string is an error in PHP 7.1+
        while($list = mysqli_fetch_assoc($query)){
            $this->aplicacion[] = array('nombre'=> $list['nombre'], 'grupo'=> $list['grupo'], 'id'=> $list['id']);
        }
        return $this->aplicacion;
    }   

    answered on 23.03.2017 at 04:15
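The `permisos` table above holds one flag per action (`nuevo`, `editar`, `mostrar`, `borrar`, `pdf`, `excel`), which is exactly what an action file needs to check before it runs, and the answer's model only shows the menu query. The following is an added example and not the answer's own code: it uses mysqli prepared statements (requiring mysqlnd for `get_result`) against the answer's schema, including its `id_usaurio` column name; the functions `user_can` and `menu_links`, the `$mysqli` connection and the assumption that administrators are `userType` 1 (as in `get_menu_grupo`) are this example's own.

```php
<?php
// permissions.php (assumed name)

// The only column names that may be interpolated into a query.
const PERMISSION_COLUMNS = ['nuevo', 'editar', 'mostrar', 'borrar', 'pdf', 'excel'];

// True if $userId holds the $action flag on menu entry $menuId. Type 1 users bypass
// the table, mirroring the answer's get_menu_grupo.
function user_can(mysqli $db, int $userType, int $userId, int $menuId, string $action): bool
{
    if ($userType === 1) {
        return true;
    }
    // A column name cannot be a bound parameter, so it is checked against the
    // fixed whitelist before being placed in the SQL text.
    if (!in_array($action, PERMISSION_COLUMNS, true)) {
        throw new InvalidArgumentException("unknown permission: $action");
    }
    $stmt = $db->prepare("SELECT `$action` FROM permisos WHERE id_usaurio = ? AND id_menu = ? LIMIT 1");
    $stmt->bind_param('ii', $userId, $menuId);
    $stmt->execute();
    $stmt->bind_result($flag);
    // No row means no permission; a row counts only when the flag is 1.
    $allowed = $stmt->fetch() === true && (int) $flag === 1;
    $stmt->close();
    return $allowed;
}

// Menu links of one group for the navigation: the user id is a bound parameter
// instead of being concatenated into the query string.
function menu_links(mysqli $db, int $userType, int $userId, int $grupo): array
{
    if ($userType === 1) {
        $stmt = $db->prepare(
            "SELECT id, nombre, link FROM menu WHERE link <> '' AND grupo = ? ORDER BY orden ASC"
        );
        $stmt->bind_param('i', $grupo);
    } else {
        $stmt = $db->prepare(
            "SELECT menu.id, menu.nombre, menu.link FROM menu
             INNER JOIN permisos ON menu.id = permisos.id_menu
             WHERE menu.link <> '' AND menu.grupo = ? AND permisos.id_usaurio = ?
               AND permisos.mostrar = 1
             ORDER BY menu.orden ASC"
        );
        $stmt->bind_param('ii', $grupo, $userId);
    }
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// Usage at the top of an action file such as borrar.php (assumed name):
// session_start();
// $cred = $_SESSION['credentials'];
// if (!user_can($mysqli, (int) $cred['userType'], (int) $cred['userId'], (int) ($_POST['id_menu'] ?? 0), 'borrar')) {
//     http_response_code(403);
//     exit('Forbidden');
// }
```

Hiding a menu entry only removes the link; the `user_can` call inside the action file is what stops a user who types the action URL by hand, so the same flag is consulted in both places.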