admin permission

hrubos
Forum Contributor
Posts: 172
Joined: Sat Oct 07, 2006 3:44 pm

Post by hrubos »

I wrote code for user_permission and admin_permission. I have isAdmin in the database, and I call admin = 1, user = 0.
Now this code has an error: Undefined variable: MSQ in D:\htdocs\BP\autorizace\autorizace_DB.php on line 44

Code:

<?php 

Header("Pragma: No-cache");
Header("Cache-Control: No-cache, Must-revalidate");
Header("Expires: ".GMDate("D, d M Y H:i:s")." GMT");

$password = $_POST['password'];
$login = $_POST['login'];

$MC = MySQL_Connect("localhost", "root", "");
$MS = MySQL_Select_DB("hostel");
$isAdmin = MySQL_Query("SELECT isAdmin FROM users");


if(!$password||!$login){
  echo 'T&#345;eba vyplnit upnle informace !!!';
  exit;
 }
 
if(!get_magic_quotes_gpc())
 {
 $password  = addslashes($password);
 $login  = addslashes($login);
 }
 
//for admin 
if ((IsSet($login)) AND (IsSet($password)) AND ($isAdmin == 1)){
$p = MD5($password);
//for only admin
$MSQ = MySQL_Query("SELECT * FROM users WHERE (login LIKE '$login') AND (password LIKE '$p') ");
}

if (IsSet($lo)){

$SN = "autorizace";

Session_name("$SN");
Session_start();

$sid = Session_id();
$MSQ = MySQL_Query("DELETE FROM autorizace WHERE id = '$sid'");
echo "Byl(a) jste odhlášen(a)!";
}

if (MySQL_Num_Rows($MSQ) <> 1)
{
echo "Neautorizovaný p&#345;ístup";
echo "hello you";
exit;
}
else{
$SN = "autorizace";
Session_name("$SN");
Session_start();
$sid = Session_id();
$time = Date("U");
$at = Date("U") - 1800;
$MSQ = MySQL_Query("INSERT INTO autorizace VALUES ('$sid', $time)");
$MSQ = MySQL_Query("DELETE FROM autorizace WHERE time < $at");

include ("D:\htdocs\BP\Room\outputRoom.php");
echo '<p> <a href="autorizace.php?lo=true">Odhlásit se</a> </p>';
}
?>
ok
Forum Contributor
Posts: 393
Joined: Wed May 31, 2006 9:20 am
Location: The Holy Land

Post by ok »

Which line is 44? Which command evaluates the error?
hrubos
Forum Contributor
Posts: 172
Joined: Sat Oct 07, 2006 3:44 pm

Post by hrubos »

ok wrote:Which line is 44? Which command evaluates the error?
I think I have a problem when I set the condition for admin here:

Code:

$isAdmin = MySQL_Query("SELECT isAdmin FROM users"); 

........
if ((IsSet($login)) AND (IsSet($password)) AND ($isAdmin == 1)){
$p = MD5($password);
//for only admin
$MSQ = MySQL_Query("SELECT * FROM users WHERE (login LIKE '$login') AND (password LIKE '$p') ");

...........
}
Zoxive
Forum Regular
Posts: 974
Joined: Fri Apr 01, 2005 4:37 pm
Location: Bay City, Michigan

Post by Zoxive »

I think you need to check to see if MSQ isset or something, it's hard to tell.

Code:

if (isset($MSQ) && MySQL_Num_Rows($MSQ) <> 1)
{
echo "Neautorizovaný p&#345;ístup";
echo "hello you";
exit;
}
And it wouldn't hurt if you tell us what line 44 is either...
hrubos
Forum Contributor
Posts: 172
Joined: Sat Oct 07, 2006 3:44 pm

Post by hrubos »

Zoxive wrote:I think you need to check to see if MSQ isset or something, it's hard to tell.

Code:

if (isset($MSQ) && MySQL_Num_Rows($MSQ) <> 1)
{
echo "Neautorizovaný p&#345;ístup";
echo "hello you";
exit;
}
And it wouldn't hurt if you tell us what line 44 is either...
I tried it and it is OK, but the problem is that user_name is accepted too.

When I code it without isAdmin, only in the SQL command, it runs but only accepts admin, no user

Code:

...............
$MSQ = MySQL_Query("SELECT * FROM users WHERE (login LIKE '$login') AND (password LIKE '$p') AND (isAdmin LIKE '1')");
.....................
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

You are setting $MSQ several times, so there is a strong likelihood that your problem lies in what the value of $MSQ is assigned to at line 44.
ok
Forum Contributor
Posts: 393
Joined: Wed May 31, 2006 9:20 am
Location: The Holy Land

Post by ok »

hrubos wrote:

Code:

$isAdmin = MySQL_Query("SELECT isAdmin FROM users"); 

........
if ((IsSet($login)) AND (IsSet($password)) AND ($isAdmin == 1)){
$p = MD5($password);
//for only admin
$MSQ = MySQL_Query("SELECT * FROM users WHERE (login LIKE '$login') AND (password LIKE '$p') ");

...........
}
Why do you use LIKE???

You can write the SQL query like this:

Code:

SELECT * FROM `users` WHERE `login` =  '$login' AND `password` = '$p'
hrubos
Forum Contributor
Posts: 172
Joined: Sat Oct 07, 2006 3:44 pm

Post by hrubos »

Everah wrote:You are setting $MSQ several times, so there is a strong likelihood that your problem lies in what the value of $MSQ is assigned to at line 44.
What should I do if I want to set isAdmin to check user login: user has isAdmin = 1 --> has user's permission, user doesn't have --> user's permission

@ ok: I know that I can use your idea. Thanks
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

Please review my comments...

Code:

<?php
Header("Pragma: No-cache");
Header("Cache-Control: No-cache, Must-revalidate");
Header("Expires: ".GMDate("D, d M Y H:i:s")." GMT");

$password = $_POST['password'];
$login = $_POST['login'];

$MC = MySQL_Connect("localhost", "root", "");
$MS = MySQL_Select_DB("hostel");
$isAdmin = MySQL_Query("SELECT isAdmin FROM users");


if(!$password||!$login){
  echo 'T&#345;eba vyplnit upnle informace !!!';
  exit;
 }
 
if(!get_magic_quotes_gpc())
 {
 $password  = addslashes($password);
 $login  = addslashes($login);
 }
 
//for admin
/************************************************
* If these conditionals do not ALL add up to true, MSQ will not be set
************************************************/
if ((IsSet($login)) AND (IsSet($password)) AND ($isAdmin == 1)){
$p = MD5($password);
//for only admin
$MSQ = MySQL_Query("SELECT * FROM users WHERE (login LIKE '$login') AND (password LIKE '$p') ");
}

/************************************************
* If $lo is not set MSQ will not be set again
************************************************/
if (IsSet($lo)){

$SN = "autorizace";

Session_name("$SN");
Session_start();

$sid = Session_id();
$MSQ = MySQL_Query("DELETE FROM autorizace WHERE id = '$sid'");
echo "Byl(a) jste odhlášen(a)!";
}

/************************************************
* At this point, since you did not declare MSQ 
* with a default value, if the two above 
* conditionals fail, MSQ is not set at all. I 
* think this is where your errors are coming from.
************************************************/
if (MySQL_Num_Rows($MSQ) <> 1)
{
echo "Neautorizovaný p&#345;ístup";
echo "hello you";
exit;
}
else{
$SN = "autorizace";
Session_name("$SN");
Session_start();
$sid = Session_id();
$time = Date("U");
$at = Date("U") - 1800;
$MSQ = MySQL_Query("INSERT INTO autorizace VALUES ('$sid', $time)");
$MSQ = MySQL_Query("DELETE FROM autorizace WHERE time < $at");

include ("D:\htdocs\BP\Room\outputRoom.php");
echo '<p> <a href="autorizace.php?lo=true">Odhlásit se</a> </p>';
}
?>
hrubos
Forum Contributor
Posts: 172
Joined: Sat Oct 07, 2006 3:44 pm

Post by hrubos »

Thanks for your comment.

If I do that for the last point, it runs with all conditions, but user and admin can't be realized

Code:

if (isset($MSQ) && MySQL_Num_Rows($MSQ) <> 1)
{
echo "Neautorizovaný p&#345;ístup";
echo "hello you";
exit;
}
else{
$SN = "autorizace";
Session_name("$SN");
Session_start();
$sid = Session_id();
$time = Date("U");
$at = Date("U") - 1800;
$MSQ = MySQL_Query("INSERT INTO autorizace VALUES ('$sid', $time)");
$MSQ = MySQL_Query("DELETE FROM autorizace WHERE time < $at");

include ("D:\htdocs\BP\Room\outputRoom.php");
echo '<p> <a href="autorizace.php?lo=true">Odhlásit se</a> </p>';
}
Zoxive
Forum Regular
Posts: 974
Joined: Fri Apr 01, 2005 4:37 pm
Location: Bay City, Michigan

Post by Zoxive »

Everah wrote:Please review my comments...
That's what I thought, so I said this:
Zoxive wrote:

Code:

if (isset($MSQ) && MySQL_Num_Rows($MSQ) <> 1)
{
echo "Neautorizovaný p&#345;ístup";
echo "hello you";
exit;
}
To check and see if it isset().
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Post by RobertGonzalez »

$lo is never set anywhere, so your second conditional will always fail. This little snippet

Code:

$isAdmin = MySQL_Query("SELECT isAdmin FROM users");
is causing all sorts of mischief. Once this is executed, $isAdmin becomes a resource identifier so your first conditional will always fail. That being said, $MSQ will never be set to anything and you will always have this error.

To fix this, you need to do something with the query result resource that is in $isAdmin. Once you extract some information from that, you should be able to get back on track.
hrubos
Forum Contributor
Posts: 172
Joined: Sat Oct 07, 2006 3:44 pm

Post by hrubos »

I have changed it here, but I received the message " mysql_fetch_array(): supplied argument is not a valid MySQL result resource in ".

Code:

<?php 

Header("Pragma: No-cache");
Header("Cache-Control: No-cache, Must-revalidate");
Header("Expires: ".GMDate("D, d M Y H:i:s")." GMT");

$password = $_POST['password'];
$login = $_POST['login'];

$MC = MySQL_Connect("localhost", "root", "");
$MS = MySQL_Select_DB("kolej");



if(!$password||!$login){
  echo 'T&#345;eba vyplnit upnle informace !!!';
  exit;
 }
 
if(!get_magic_quotes_gpc())
 {$password  = addslashes($password);
 $login  = addslashes($login);
 }
 
if ((IsSet($login)) AND (IsSet($password)) AND (IsSet($isAdmin))){
$p = MD5($password);
//for only admin
$MSQ = MySQL_Query("SELECT * FROM users WHERE (login LIKE '$login') AND (password LIKE '$p') ");
}

if (IsSet($lo)){

$SN = "autorizace";

Session_name("$SN");
Session_start();

$sid = Session_id();
$MSQ = MySQL_Query("DELETE FROM autorizace WHERE id = '$sid'");
echo "Byl(a) jste odhlášen(a)!";
}

if (isset($MSQ) && MySQL_Num_Rows($MSQ) <> 1) 
{
echo "Neautorizovaný p&#345;ístup";
echo "hello you";
exit;
}
else{
$SN = "autorizace";
Session_name("$SN");
Session_start();
$sid = Session_id();
$time = Date("U");
$at = Date("U") - 1800;
$MSQ = MySQL_Query("INSERT INTO autorizace VALUES ('$sid', $time)");
$MSQ = MySQL_Query("DELETE FROM autorizace WHERE time < $at");

$row = mysql_fetch_array($MSQ);
$id = $row['id'];
$isAdmin = $row['isAdmin'];

if($isAdmin)
{
include ("D:\htdocs\BP\Room\outputRoom.php");
echo '<p> <a href="autorizace.php?lo=true">Odhlásit se</a> </p>';
}
else{
echo  "Error";
}
}

?>
feyd
Neighborhood Spidermoddy
Posts: 31559
Joined: Mon Mar 29, 2004 3:24 pm
Location: Bothell, Washington, USA

Post by feyd »

DELETE queries return true or false. There's nothing to fetch. Once again you're using the same for a lot of queries, this can lead to problems such as this one.
hrubos
Forum Contributor
Posts: 172
Joined: Sat Oct 07, 2006 3:44 pm

Post by hrubos »

Please, I tried n times and it still doesn't run. Who can help me to make the isAdmin condition, by which user or admin can be realized? (I have table user containing fields id, login, password, isAdmin)
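
The two points made in the replies above (a query result has to be fetched before isAdmin can be tested, and the INSERT/DELETE on autorizace return nothing to fetch), as an added example that is not part of the original thread. It assumes PHP 7.1+ with the PDO SQLite driver, bound parameters in place of addslashes(), and password_hash()/password_verify() swapped in for the thread's MD5; the function names and sample accounts are hypothetical.

```php
<?php
// Added example, not code from the thread. Tables follow the posts:
// users(id, login, password, isAdmin) and autorizace(id, time).

/** Returns ['id' => int, 'isAdmin' => bool] on success, null on a bad login. */
function authenticate(PDO $db, string $login, string $password): ?array
{
    // "=" with a bound parameter instead of LIKE on an interpolated string.
    $stmt = $db->prepare('SELECT id, password, isAdmin FROM users WHERE login = ?');
    $stmt->execute([$login]);
    // The statement is only a handle; the column values come from the fetched row.
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() replaces the thread's MD5 comparison (assumption).
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    return ['id' => (int) $row['id'], 'isAdmin' => (int) $row['isAdmin'] === 1];
}

/** Records the session and expires rows older than 30 minutes (1800 s). */
function registerSession(PDO $db, string $sid, int $now): void
{
    // Write queries get their own statements; nothing is fetched from them.
    $db->prepare('INSERT INTO autorizace (id, time) VALUES (?, ?)')->execute([$sid, $now]);
    $db->prepare('DELETE FROM autorizace WHERE time < ?')->execute([$now - 1800]);
}

// Constructed sample data in an in-memory database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT UNIQUE, password TEXT, isAdmin INTEGER)');
$db->exec('CREATE TABLE autorizace (id TEXT, time INTEGER)');
$add = $db->prepare('INSERT INTO users (login, password, isAdmin) VALUES (?, ?, ?)');
$add->execute(['alice', password_hash('admin-pass', PASSWORD_DEFAULT), 1]);
$add->execute(['bob', password_hash('user-pass', PASSWORD_DEFAULT), 0]);

foreach ([['alice', 'admin-pass'], ['bob', 'user-pass'], ['bob', 'wrong']] as [$l, $p]) {
    $user = authenticate($db, $l, $p);
    if ($user === null) {
        echo "$l: unauthorized\n";
        continue;
    }
    // In a web request the id would come from session_id(); constructed here.
    registerSession($db, bin2hex(random_bytes(16)), time());
    echo "$l: ", $user['isAdmin'] ? 'admin' : 'user', "\n";
}
```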