Security checking... I'm really lost...
Posted: Thu Feb 12, 2004 6:32 pm
by kanshou
Ok, I have a users table, and I have a column called 'sec_lvl'. A value of 1 is a super user, and a value of 0 is a regular user. At least, that is the plan.
I have a page that I want to check if that user is a 1 or a 0. Here's what I have, maybe someone can point out what I need to do to make this right.
Code:
<?php
$query = ("SELECT * FROM users");
if($logged_in){
    if($query['sec_lvl'] == 1){
        //CONTENT HERE
    }
}
?>
The problem is, I just get a white screen, instead of it displaying the content.
Honestly, I'm not sure if the value $logged_in is even the correct one for it. I also have the variables
Code:
<?php
$_SESSION['username']
$_SESSION['password']
?>
If you need more clarification, just ask and I will try to give as much as possible.
Thanks
Posted: Thu Feb 12, 2004 6:38 pm
by markl999
Example :
Code:
$db = mysql_connect('localhost', 'user', 'pass') or die(mysql_error());
mysql_select_db('thedbname') or die(mysql_error());
//I've used $id but you can use whatever variable you have that
//identifies the user you are checking
//(cast to int so only a numeric id can ever reach the query)
$id = (int)$id;
$sql = "SELECT sec_lvl FROM users WHERE userid=$id";
$res = mysql_query($sql) or die(mysql_error());
if(mysql_num_rows($res)){
    $row = mysql_fetch_assoc($res);
    if($row['sec_lvl'] == 1){
        //superuser
    } else {
        //normal user
    }
} else {
    echo 'No rows returned!';
}
Posted: Thu Feb 12, 2004 6:40 pm
by kanshou
Thanks, I think I can get that to do what I need it to!
Posted: Thu Feb 12, 2004 6:57 pm
by kanshou
Ok, new problem ...
Here's what I have modified it to....
Code:
<?php
if($logged_in){
    $sql = "SELECT sec_lvl FROM users WHERE username =".$_SESSION['username'];
    $res = mysql_query($sql) or die(mysql_error());
    if(mysql_num_rows($res)){
        $row = mysql_fetch_assoc($res);
        if($row['sec_lvl'] == 1){
            if ($id) {
                //content and other stuff.... below.
            }
        }
    }
}
?>
Now the problem is, I am getting an error that says
Unknown column 'rlowe' in 'where clause'
rlowe being the username login. BTW, the $id is not a login ID, it's the var that gets passed between pages.
Thanks for the help thus far.
Posted: Thu Feb 12, 2004 7:19 pm
by tim
So I take it you're passing the rlowe var via a form? Like so:
Code:
<form action="whatever.php" method="POST">
    <input type="text" name="rlowe">
</form>
Try the isset() command:
Code:
if(isset($rlowe)) {
    $sql = "SELECT sec_lvl FROM users WHERE username ='$rlowe'";
    $res = mysql_query($sql) or die(mysql_error());
    // so-on so-on
}
?>
Posted: Thu Feb 12, 2004 7:20 pm
by markl999
$sql = "SELECT sec_lvl FROM users WHERE username =".$_SESSION['username'];
needs to be
$sql = "SELECT sec_lvl FROM users WHERE username ='".$_SESSION['username']."'";
otherwise it evaluates to username=rlowe and treats rlowe as a column name.
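The quoted version makes the query say what was meant, but it still splices $_SESSION['username'] into the SQL text, so any quote character in a username changes the statement. As an added example (not code from this thread), here is the same sec_lvl check written with a PDO prepared statement, which sends the username as a bound value instead of SQL text (the mysql_* functions used in this thread were removed in PHP 7). It assumes the users table with username and sec_lvl columns described above; the DSN and credentials are placeholders.

```php
<?php
// Added example: sec_lvl check with a PDO prepared statement, not the
// thread's own code. Assumes a users(username, sec_lvl) table as above.
session_start();

// Placeholder connection details; replace with your own.
$db = new PDO('mysql:host=localhost;dbname=thedbname;charset=utf8mb4', 'user', 'pass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);

/**
 * Returns the user's sec_lvl (0 = regular, 1 = super user), or null if the
 * user does not exist. The username travels as a bound parameter, so it is
 * never parsed as SQL: no "Unknown column" error, and a quote in the
 * username cannot alter the query.
 */
function user_sec_lvl(PDO $db, string $username): ?int
{
    $stmt = $db->prepare('SELECT sec_lvl FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : (int) $row['sec_lvl'];
}

// Decide who is logged in from the session only, not from a value
// passed between pages such as $id.
$username = $_SESSION['username'] ?? null;
if ($username === null) {
    http_response_code(403);
    exit('Not logged in');
}

$level = user_sec_lvl($db, $username);
if ($level === 1) {
    // super-user content here
} elseif ($level === 0) {
    // regular-user content here
} else {
    // session names a user that no longer exists: treat as not logged in
    session_destroy();
    http_response_code(403);
    exit('Not logged in');
}
```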