Page 1 of 1

Security checking... I'm really lost...

Posted: Thu Feb 12, 2004 6:32 pm
by kanshou
ok, I have a users table, and I have a column called 'sec_lvl'. a value of 1 is a super user, and a value of 0 is a regular user. Atleast, that is the plan.
I have a page that I want to check if that user is a 1 or a 0. Here's what I have, maybe someone can point out what I need to do to make this right.

Code: Select all

<?php
$query = ("SELECT * FROM users");
if($logged_in){
	if($query['sec_lvl'] == 1){
		//CONTENT HERE
}
}

?>
The problem is, I just get a white screen, instead of it displaying the content.
Honestly, I'm not sure if the value $logged_in is even the correct one for it. I also have the variables

Code: Select all

<?php
$_SESSION['username']
$_SESSION['password']


?>


If you need more clarification, just ask and I will try to give as much as possible.

Thanks

Posted: Thu Feb 12, 2004 6:38 pm
by markl999
Example :

Code: Select all

$db = mysql_connect('localhost', 'user', 'pass') or die(mysql_error());
mysql_select_db('thedbname') or die(mysql_error());
//I've used $id but you can use whatever variable you have that
//identifies the user you are checking
$sql = "SELECT sec_lvl FROM users WHERE userid=$id";
$res = mysql_query($sql) or die(mysql_error());
if(mysql_num_rows($res)){
    $row = mysql_fetch_assoc($res);
    if($row['sec_lvl'] == 1){
        //superuser
    } else {
        //normal user
    }
} else {
    echo 'No rows returned!';
}

Posted: Thu Feb 12, 2004 6:40 pm
by kanshou
Thanks, I think I can get that to do what I need it to!

Posted: Thu Feb 12, 2004 6:57 pm
by kanshou
Ok, new problem ...
Here's what I have modified it to....

Code: Select all

<?php
if($logged_in){
$sql = "SELECT sec_lvl FROM users WHERE username =".$_SESSION['username'];

$res = mysql_query($sql) or die(mysql_error());

if(mysql_num_rows($res)){

    $row = mysql_fetch_assoc($res);

    if($row['sec_lvl'] == 1){

		if ($id) {
//content and other stuff.... below.
?>
Now the problem is, I am getting an error that says
Unknown column 'rlowe' in 'where clause'
rlowe being the username login. BTW, the $id is not a login ID, its the var that gets passed between pages.

Thanks for the help thus far.

Posted: Thu Feb 12, 2004 7:19 pm
by tim
So i take it your passing the rlowe var via a form? like so:

Code: Select all

<form action=whatever.php input type=text method=POST name=rlowe>
try the isset() command:

Code: Select all

if(isset($rlowe)) &#123;
$sql = "SELECT sec_lvl FROM users WHERE username ="'$rlowe'"; 
$res = mysql_query($sql) or die(mysql_error()); 
// so-on so-on
?

Posted: Thu Feb 12, 2004 7:20 pm
by markl999
$sql = "SELECT sec_lvl FROM users WHERE username =".$_SESSION['username'];

needs to be

$sql = "SELECT sec_lvl FROM users WHERE username ='".$_SESSION['username']."'";
otherwise it evaluates to username=rlowe and treats rlowe as a column name.