# PHP Access Restriction



## JustinF23 (Jan 29, 2010)

Hello,

I was wondering if anyone had any suggestions on ways to implement content restriction based on the user level, i.e. Free or Subscription accounts. How would I go about limiting free user accounts from accessing the subscription account pages on my website? Any suggestions on reading material to accomplish this or possible solutions would be much appreciated.

Thanks,
Justin


----------



## Redcore (Aug 14, 2007)

How much do you know about PHP?


----------



## JustinF23 (Jan 29, 2010)

I am just starting to learn, but I primarily would like to be pointed in the right direction on which subjects to research about PHP in order to achieve this functionality.


----------



## Uranium-235 (Aug 29, 2002)

What kind of software are you already using? Do you have any kind of user account system already set up?


----------



## JustinF23 (Jan 29, 2010)

I have a VPS running cPanel which employs PHP 5. I currently have a login system in place, but I would like to restrict some visitors (non-paying) to only portions of the site, while the paying visitors can have exclusive access to other portions.


----------



## Uranium-235 (Aug 29, 2002)

You might have to do some editing to the PHP, and it might require some advanced programming.


----------



## Redcore (Aug 14, 2007)

Not only that, but you'll need to learn how to interact with databases so you can store which users are free and which have subscribed (and from that, make a determination as to what pages they can view).


----------



## JustinF23 (Jan 29, 2010)

OK, so what sort of advanced programming concepts will this involve? I am familiar with using PHP to interact with MySQL databases, but how can I use PHP to restrict user access to certain pages on my site?


----------



## Redcore (Aug 14, 2007)

Well, it doesn't really have to be advanced - there are dozens of ways to do it. You could just do it through including a file at the top of each page that checks if the user is logged in and that they're a subscriber, else move them away from pages that require a logged in subscriber (header).


----------



## JustinF23 (Jan 29, 2010)

Well that definitely sounds much simpler than I expected. Would this process still be relatively secure? Also, what would the file on the top of each page look like or include? Basically, how would I establish something like what you described? Thanks very much for your suggestions. Much appreciated!


----------



## Redcore (Aug 14, 2007)

Have you ever worked with session variables? Essentially the script you include at the top of every page would check to see that certain session variables were set (like username, encrypted password, subscriber and whatever else you wanted to track globally) and on pages that you wanted reserved only for subscribers, it would check the value of that subscriber variable and either let the page load or defer the user to a non-subscriber page.

In this case I normally set up a cookie that expires every 1 hour when the user successfully logs in and when it's expired it forces that script to sync the session variables with the database. So if a user's subscription has run out in the last hour, they won't have access all day just because they've left the page open that whole time. This is an alternative to checking the database every single time a page loads - so you'll save bandwidth and cut down on database connections.


----------



## JustinF23 (Jan 29, 2010)

I have never worked with session variables, but I will definitely look into them. Thank you very much for your quick and informative response. I greatly appreciate it.


----------



## Redcore (Aug 14, 2007)

They're simple. Think of them as a variable that is registered throughout your entire site (aka "global"). With normal variables, you register them ("$var = 1;", etc.) and those are only good throughout the script they're declared in. With sessions, you register them much the same way but you get to use them on every script for as long as the user is on your application (while they're loaded in memory, basically).

Whenever working with session variables, you have to put "session_start();" at the top of every page you want to use session variables so PHP knows you want to work with them (otherwise it's inefficient to load session variables into EVERY page you don't need them in).

Then to register one, you just do this:

```
$_SESSION['var'] = 1;
```

You call it the same way:

```
echo $_SESSION['var'];
```

Like I said, super simple and very useful. I used to do everything with cookies but sessions are much easier to work with and since they're server side, end users can't mess with them; so your website is much more secure.


----------
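The include-file check and hourly database resync described in the posts above, as an added example that is not code from any poster in this thread. It assumes PHP 7.1 or later with PDO, a hypothetical `users` table holding a Unix-time `subscription_expires` column, a `$_SESSION['user_id']` set by the existing login script, and hypothetical `/login.php` and `/subscribe.php` pages; it keeps the last-sync time in the session rather than in a cookie, so the recheck interval stays under server control.

```php
<?php
// subscriber_guard.php (hypothetical name): include at the top of each subscriber-only page.
// Assumed schema: users(id INTEGER, subscription_expires INTEGER unix time).
// Assumed session key set by the existing login script: $_SESSION['user_id'].
const RESYNC_SECONDS = 3600; // re-check the database at most once an hour

// Decision function: returns 'login', 'upgrade' or 'allow'.
function subscriber_decision(array &$session, PDO $db, int $now): string
{
    if (empty($session['user_id'])) {
        return 'login';                       // not logged in at all
    }
    $stale = !isset($session['sub_synced_at'])
        || $now - $session['sub_synced_at'] >= RESYNC_SECONDS;
    if ($stale) {                             // cached flag missing or too old: ask the database
        $stmt = $db->prepare('SELECT subscription_expires FROM users WHERE id = ?');
        $stmt->execute([$session['user_id']]);
        $expires = $stmt->fetchColumn();      // false when the account no longer exists
        $session['subscriber'] = ($expires !== false && (int)$expires > $now);
        $session['sub_synced_at'] = $now;
    }
    return $session['subscriber'] ? 'allow' : 'upgrade';
}

// Called from a protected page; $db is the site's existing PDO connection.
function require_subscriber(PDO $db): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $decision = subscriber_decision($_SESSION, $db, time());
    if ($decision !== 'allow') {
        // exit keeps the rest of the protected page from running after the redirect header.
        header('Location: ' . ($decision === 'login' ? '/login.php' : '/subscribe.php'));
        exit;
    }
}

// Constructed demo data, run only from the command line: php subscriber_guard.php
if (PHP_SAPI === 'cli' && realpath($argv[0] ?? '') === __FILE__) {
    $db = new PDO('sqlite::memory:');
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, subscription_expires INTEGER)');
    $db->exec('INSERT INTO users VALUES (1, 2000), (2, 500)');
    $s = ['user_id' => 1];
    echo subscriber_decision($s, $db, 1000), "\n";   // first request: flag loaded from the database
    echo subscriber_decision($s, $db, 1500), "\n";   // within the hour: served from the session
    echo subscriber_decision($s, $db, 4700), "\n";   // an hour later: flag re-read from the database
    $s = [];
    echo subscriber_decision($s, $db, 1000), "\n";   // no user_id in the session
}
```

On a protected page this would be used as `require 'subscriber_guard.php'; require_subscriber($db);` before any output is sent, since `header()` only works before the response body starts.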

