form restriction

pleigh
Forum Contributor
Posts: 445
Joined: Wed Jan 19, 2005 4:26 am

Post by pleigh »

I have the code below that restricts the appearance of the form if the user is not an administrator:

Code:

$query = "SELECT status FROM users WHERE firstname='$fn' AND status='administrator'";
$result = @mysql_query($query);
if ($result)
{
    include('commentform.php');
}
else
{
    NULL;
}
My problem is, when the user is not an administrator, the form still appears. How can I improve my code?

Thanks
anjanesh
DevNet Resident
Posts: 1679
Joined: Sat Dec 06, 2003 9:52 pm
Location: Mumbai, India

Post by anjanesh »

Code:

if (mysql_num_rows($result) != 0)
{
    include('commentform.php');
}
else
{
    NULL;
}
CoderGoblin
DevNet Resident
Posts: 1425
Joined: Tue Mar 16, 2004 10:03 am
Location: Aachen, Germany

Post by CoderGoblin »

Even if not found you will still get a result. The key is to check if any rows are found...

mysql_num_rows($result) should do this.

Regards
pleigh
Forum Contributor
Posts: 445
Joined: Wed Jan 19, 2005 4:26 am

Post by pleigh »

I have almost similar code to my previous one:

Code:

<?php
$id = $_SESSION['userID'];
include('functions/library.php');
$query = "SELECT status FROM users WHERE userID='$id' and status='administrator'";
$result = @mysql_query($query);
if ($result)
{
    //verify administrator
    if ($row[0])
    {
        adminpagination();
    }
    //if not administrator
    else
    {
        memberpagination();
    }
}
?>
This works fine, I can verify the status of the user. The problem is, I cannot understand this situation now.
pleigh
Forum Contributor
Posts: 445
Joined: Wed Jan 19, 2005 4:26 am

Post by pleigh »

I did this:

Code:

if (mysql_num_rows($result) != 0)
{
    include('commentform.php');
}
else
{
    NULL;
}
It works now. Thanks guys, but can you explain to me briefly how mysql_num_rows() affects my code? Should I do the same in my other code excerpt above?
anjanesh
DevNet Resident
Posts: 1679
Joined: Sat Dec 06, 2003 9:52 pm
Location: Mumbai, India

Post by anjanesh »

$result will be NULL if something happens during db connectivity, like wrong SQL syntax etc.
How could you have got this to work when there's no mysql_fetch_array() for $row[0]?
If you had done a $row = mysql_fetch_array($result) and then if ($row[0]), it'll work because you are checking for the existence of a NULL in $row[0].
CoderGoblin
DevNet Resident
Posts: 1425
Joined: Tue Mar 16, 2004 10:03 am
Location: Aachen, Germany

Post by CoderGoblin »

For this last instance you are trying to get $row[0], which does not exist, hence no form.

Safer code would be:

Code:

<?php
// ensure the SESSION id variable is numeric
$id = floor($_SESSION['userID']);
include('functions/library.php');
$query = "SELECT status FROM users WHERE userID='$id'";
$result = @mysql_query($query);
if ($result) {
    if (@mysql_num_rows($result) == 1) {
        // User ID exists
        if (@mysql_result($result, 0, 'status') == 'administrator') {
            adminpagination();
        } else {
            // if not administrator
            memberpagination();
        }
    } else {
        echo("User does not exist or is entered duplicate times (only if user id is not set to unique in DB)");
    }
} else {
    echo("Database Failure....");
}
?>
Hopefully you can understand the additional checks.

Look up both http://www.php.net/manual/en/function.m ... m-rows.php and http://www.php.net/manual/en/function.m ... d-rows.php.

Other useful commands:
mysql_result
mysql_fetch_assoc
extract
pleigh
Forum Contributor
Posts: 445
Joined: Wed Jan 19, 2005 4:26 am

Post by pleigh »

Thanks Coder, I did this instead:

Code:

$query = "SELECT status FROM users WHERE userID='$id' and status='administrator'";
$result = @mysql_query($query);
if (mysql_num_rows($result) != 0)
{
    adminpagination();
}
else
{
    memberpagination();
}
Is this OK? I'm trying to code as simply as possible and be very readable.
CoderGoblin
DevNet Resident
Posts: 1425
Joined: Tue Mar 16, 2004 10:03 am
Location: Aachen, Germany

Post by CoderGoblin »

Yes that will work, but not necessarily good programming. :wink:

The extra coding put in my example is called "Defensive Programming". It tries to catch errors "nicely". When using a language it is often easy to want just simple code BUT learning to do things properly "instinctively" (and defensive learning in my opinion is doing things properly) will save you hassle at a later stage when trying to debug/maintain code.

The exception to this rule is where you are writing a book or training course and don't want to introduce too many features at one time. The end result should end up being the same as you can introduce the "defensive coding" principle as you go highlighting what problems could occur.

To summarise how to think "defensively", ask yourself the following questions:

1) What stupid errors can a non-technical 70-year-old user make?
2) How can I hack into the system?
3) What happens if the database is down?
4) What happens if the database structure changes?
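Added example (not code posted in this thread, and not the old mysql_* API the posts use): the same admin/member branch from CoderGoblin's "safer code" post and his four defensive questions, written against PDO with an in-memory SQLite table so it runs offline. Assumed names: a users(userID, firstname, status) table with two constructed rows, and stand-ins for the thread's adminpagination()/memberpagination() that simply return a label. The id is validated with filter_var() instead of floor(), and the query takes the id as a bound parameter rather than interpolating it into the SQL string as the first snippet did with $fn.

```php
<?php
// Added example for the thread above; not the forum poster's code.
// Assumes PHP 7.1+ with the pdo_sqlite extension.

// Stand-ins for the thread's page functions (assumed names).
function adminpagination(): string { return 'admin'; }
function memberpagination(): string { return 'member'; }

function connect(): PDO {
    $db = new PDO('sqlite::memory:');
    // Throw on any error instead of returning false, so "database down" or a bad
    // SQL statement becomes a catchable exception rather than an @-silenced failure.
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (userID INTEGER PRIMARY KEY, firstname TEXT, status TEXT)');
    // Constructed sample rows.
    $db->exec("INSERT INTO users VALUES (1, 'alice', 'administrator'), (2, 'bob', 'member')");
    return $db;
}

// Returns 'admin', 'member', or null when the id does not resolve to exactly one user.
function choosePagination(PDO $db, $rawId): ?string {
    // Question 1: reject anything that is not a plain integer id before it reaches SQL.
    if (filter_var($rawId, FILTER_VALIDATE_INT) === false) {
        return null;
    }
    // Question 2: the id travels as a bound parameter, separate from the SQL text,
    // so its content can never change the shape of the statement.
    $stmt = $db->prepare('SELECT status FROM users WHERE userID = :id');
    $stmt->execute([':id' => (int) $rawId]);
    // execute() is true even when no row matched, just as mysql_query() returns a
    // resource for an empty result set. The row count is what decides, not $result.
    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
    if (count($rows) !== 1) {
        return null; // unknown id, or duplicate rows (question 4: schema drift)
    }
    return $rows[0]['status'] === 'administrator' ? adminpagination() : memberpagination();
}

try {
    $db = connect();
    var_dump(choosePagination($db, 1));
    var_dump(choosePagination($db, 2));
    var_dump(choosePagination($db, 99));
    var_dump(choosePagination($db, 'not-a-number'));
} catch (PDOException $e) {
    // Question 3: database unreachable or SQL error. Fail closed: show nothing privileged.
    echo 'Database failure: ' . $e->getMessage(), PHP_EOL;
}
```

Run it with php on the command line. The fetched rows are counted rather than read from $stmt->rowCount(), because for SELECT statements PDO's rowCount() is driver-dependent and SQLite reports 0; counting the result array is the portable equivalent of the mysql_num_rows() check the thread settles on.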