form restriction

Posted: Wed Mar 02, 2005 2:15 am
by pleigh
I have the code below that restricts the appearance of the form if the user is not an administrator:

Code:

$query = "SELECT status FROM users WHERE firstname='$fn' AND status='administrator'";
$result = @mysql_query($query);
// mysql_query() returns a result resource even when no row matches,
// so this test on its own does not tell an administrator from anyone else
if ($result)
{
    include('commentform.php');
}
else
{
    NULL;
}
My problem is, when the user is not an administrator, the form still appears. How can I improve my code?

thanks

Posted: Wed Mar 02, 2005 3:00 am
by anjanesh

Code:

if (mysql_num_rows($result) != 0)
{
    include('commentform.php');
}
else
{
    NULL;
}

Posted: Wed Mar 02, 2005 3:02 am
by CoderGoblin
Even if nothing is found you will still get a result. The key is to check whether any rows were found...

mysql_num_rows($result) should do this.

Regards

Posted: Wed Mar 02, 2005 3:11 am
by pleigh
I have almost the same code as my previous one:

Code:

<?php
    $id = $_SESSION['userID'];
    include('functions/library.php');
    $query = "SELECT status FROM users WHERE userID='$id' and status='administrator'";
    $result = @mysql_query($query);
    if ($result)
    {
        //verify administrator
        // note: $row is never fetched from $result before this test
        if ($row[0])
        {
            adminpagination();
        }
        //if not administrator
        else
        {
            memberpagination();
        }
    }
?>
This works fine; I can verify the status of the user. The problem is, I cannot understand this situation now...

Posted: Wed Mar 02, 2005 3:16 am
by pleigh
I did this:

Code:

if (mysql_num_rows($result) != 0)
{
    include('commentform.php');
}
else
{
    NULL;
}
It works now... thanks, guys. But can you explain to me briefly how mysql_num_rows() affects my code? Should I do the same in my other code excerpt above?

Posted: Wed Mar 02, 2005 3:17 am
by anjanesh
$result will be NULL if something happens during DB connectivity, like wrong SQL syntax etc.
How could you have got this to work when there's no mysql_fetch_array() for $row[0]?
If you had done $row = mysql_fetch_array($result) and then if ($row[0]), it would work because you are checking for the existence of a NULL in $row[0].

Posted: Wed Mar 02, 2005 3:27 am
by CoderGoblin
For this last instance you are trying to get $row[0], which does not exist, hence no form.

Safer code would be:

Code:

<?php
   // ensure the SESSION id variable is numeric
   $id = floor($_SESSION['userID']);
   include('functions/library.php');
   $query = "SELECT status FROM users WHERE userID='$id'";
   $result = @mysql_query($query);
   if ($result) {
      if (@mysql_num_rows($result) == 1) {
         // User ID exists
         if (@mysql_result($result, 0, 'status') == 'administrator') {
            adminpagination();
         } else {
            // if not administrator
            memberpagination();
         }
      } else {
         echo("User does not exist or is entered duplicate times (only if user id is not set to unique in DB)");
      }
   } else {
      echo("Database Failure....");
   }
?>
Hopefully you can understand the additional checks.

Look up both http://www.php.net/manual/en/function.m ... m-rows.php and http://www.php.net/manual/en/function.m ... d-rows.php.

Other useful commands:
mysql_result
mysql_fetch_assoc
extract

Posted: Wed Mar 02, 2005 3:49 am
by pleigh
Thanks, Coder. I did this instead:

Code:

$query = "SELECT status FROM users WHERE userID='$id' and status='administrator'";
$result = @mysql_query($query);
if (mysql_num_rows($result) != 0)
{
    adminpagination();
}
else
{
    memberpagination();
}
Is this OK? I'm trying to code as simply as possible and be very readable...

Posted: Wed Mar 02, 2005 4:23 am
by CoderGoblin
Yes, that will work, but it is not necessarily good programming. :wink:

The extra coding put in my example is called "Defensive Programming". It tries to catch errors "nicely". When using a language it is often easy to want just simple code BUT learning to do things properly "instinctively" (and defensive learning in my opinion is doing things properly) will save you hassle at a later stage when trying to debug/maintain code.

The exception to this rule is where you are writing a book or training course and don't want to introduce too many features at one time. The end result should end up being the same as you can introduce the "defensive coding" principle as you go highlighting what problems could occur.

To summarise how to think "defensively", ask yourself the following questions:

1) What stupid errors can a non-technical 70-year-old user make?
2) How can I hack into the system?
3) What happens if the database is down?
4) What happens if the database structure changes?
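The following is an added example, not code from the thread. It rebuilds both the first post's firstname query and CoderGoblin's "safer code" on PDO with an in-memory SQLite database (assumed available; the users table and its two rows are constructed for the example) so it runs offline, and it answers question 2 in the list above: a query that pastes a value into its SQL text, as `firstname='$fn'` does, can be made to return a row for a name that is not an administrator's. The thread does not say where `$fn` comes from; if it is a form field, the bypass shown here applies. The `mysql_*` functions used in the thread have no parameterised queries and were removed in PHP 7; PDO or mysqli prepared statements are the replacement.

```php
<?php
// Added example, not code from the thread. Runs against an in-memory SQLite
// database through PDO so it works offline; for MySQL only the DSN changes,
// e.g. new PDO('mysql:host=localhost;dbname=site', $user, $pass).
// Table layout follows the queries in the thread; the rows are constructed.

function openFixture(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (userID INTEGER PRIMARY KEY, firstname TEXT, status TEXT)');
    $db->exec("INSERT INTO users (userID, firstname, status) VALUES
               (1, 'alice', 'administrator'), (2, 'bob', 'member')");
    return $db;
}

// The first post's query as written: $fn is pasted into the SQL text.
// Kept only to show the bypass below; do not use.
function isAdminByNameUnsafe(PDO $db, string $fn): bool
{
    $query = "SELECT status FROM users WHERE firstname='$fn' AND status='administrator'";
    return count($db->query($query)->fetchAll()) > 0;
}

// Same check with a prepared statement: $fn travels as a bound value, so
// quotes inside it cannot change the shape of the query.
function isAdminByName(PDO $db, string $fn): bool
{
    $stmt = $db->prepare('SELECT 1 FROM users WHERE firstname = ? AND status = ?');
    $stmt->execute([$fn, 'administrator']);
    return $stmt->fetchColumn() !== false;
}

// CoderGoblin's session-id check, written to fail closed:
// - the session value must be numeric and is bound as an integer,
// - exactly one row must come back and its status must be 'administrator',
// - a database error means "not an administrator", never "show the admin page".
function isAdministrator(PDO $db, $sessionUserId): bool
{
    if (!is_numeric($sessionUserId)) {
        return false;
    }
    try {
        $stmt = $db->prepare('SELECT status FROM users WHERE userID = ?');
        $stmt->execute([(int) $sessionUserId]);
        $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
    } catch (PDOException $e) {
        error_log('admin check failed: ' . $e->getMessage());
        return false;
    }
    if (count($rows) !== 1) {
        return false; // unknown user, or duplicates if userID is not unique
    }
    return $rows[0]['status'] === 'administrator';
}

$db = openFixture();

// A crafted firstname rewrites the unsafe query's WHERE clause to
//   firstname='' OR '1'='1' AND status='administrator'
// which matches every administrator row, so the form would be shown.
$hostile = "' OR '1'='1";

foreach (['bob', 'alice', $hostile] as $fn) {
    printf("firstname %-18s unsafe=%-5s prepared=%s\n",
        var_export($fn, true),
        var_export(isAdminByNameUnsafe($db, $fn), true),
        var_export(isAdminByName($db, $fn), true));
}

foreach ([1, 2, '1 OR 1=1', 'abc'] as $id) {
    printf("userID %-12s administrator=%s\n",
        var_export($id, true), var_export(isAdministrator($db, $id), true));
}
```

Run with `php example.php`. For 'bob' both name checks report false and for 'alice' both report true; for the crafted name the unsafe version reports true (the membership check is bypassed) while the prepared statement reports false, because the bound value is compared as a literal name. The session-id check reports true only for userID 1 and false for userID 2 and for the two non-numeric values. Note that the `@` in front of `mysql_query` and `mysql_num_rows` in the thread's code hides exactly the errors CoderGoblin's "Database Failure" branch is trying to surface; with `PDO::ERRMODE_EXCEPTION` they arrive as exceptions and the catch block decides what happens, which here is to deny.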