
admin permission

Posted: Mon Dec 04, 2006 2:59 pm
by hrubos
I wrote for user_permission and admin_permission; I have isAdmin in the database, and I call admin = 1, user = 0.
Now this code has an error: Undefined variable: MSQ in D:\htdocs\BP\autorizace\autorizace_DB.php on line 44

Code:

<?php 

Header("Pragma: No-cache");
Header("Cache-Control: No-cache, Must-revalidate");
Header("Expires: ".GMDate("D, d M Y H:i:s")." GMT");

$password = $_POST['password'];
$login = $_POST['login'];

$MC = MySQL_Connect("localhost", "root", "");
$MS = MySQL_Select_DB("hostel");
$isAdmin = MySQL_Query("SELECT isAdmin FROM users");


if(!$password||!$login){
  echo 'Třeba vyplnit upnle informace !!!';
  exit;
 }
 
if(!get_magic_quotes_gpc())
 {
 $password  = addslashes($password);
 $login  = addslashes($login);
 }
 
//for admin 
if ((IsSet($login)) AND (IsSet($password)) AND ($isAdmin == 1)){
$p = MD5($password);
//for only admin
$MSQ = MySQL_Query("SELECT * FROM users WHERE (login LIKE '$login') AND (password LIKE '$p') ");
}

if (IsSet($lo)){

$SN = "autorizace";

Session_name("$SN");
Session_start();

$sid = Session_id();
$MSQ = MySQL_Query("DELETE FROM autorizace WHERE id = '$sid'");
echo "Byl(a) jste odhlášen(a)!";
}

if (MySQL_Num_Rows($MSQ) <> 1)
{
echo "Neautorizovaný přístup";
echo "hello you";
exit;
}
else{
$SN = "autorizace";
Session_name("$SN");
Session_start();
$sid = Session_id();
$time = Date("U");
$at = Date("U") - 1800;
$MSQ = MySQL_Query("INSERT INTO autorizace VALUES ('$sid', $time)");
$MSQ = MySQL_Query("DELETE FROM autorizace WHERE time < $at");

include ("D:\htdocs\BP\Room\outputRoom.php");
echo '<p> <a href="autorizace.php?lo=true">Odhlásit se</a> </p>';
}
?>

Posted: Mon Dec 04, 2006 3:13 pm
by ok
Which line is 44? Which command evaluates the error?

Posted: Mon Dec 04, 2006 3:18 pm
by hrubos
ok wrote: Which line is 44? Which command evaluates the error?
I think I have a problem when I set the condition for admin here

Code:

$isAdmin = MySQL_Query("SELECT isAdmin FROM users"); 

........
if ((IsSet($login)) AND (IsSet($password)) AND ($isAdmin == 1)){
$p = MD5($password);
//for only admin
$MSQ = MySQL_Query("SELECT * FROM users WHERE (login LIKE '$login') AND (password LIKE '$p') ");

...........
}

Posted: Mon Dec 04, 2006 3:18 pm
by Zoxive
I think you need to check to see if MSQ is set or something; it's hard to tell...

Code:

if (isset($MSQ) && MySQL_Num_Rows($MSQ) <> 1)
{
echo "Neautorizovaný přístup";
echo "hello you";
exit;
}
And it wouldn't hurt if you told us what line 44 is either...

Posted: Mon Dec 04, 2006 3:25 pm
by hrubos
Zoxive wrote: I think you need to check to see if MSQ is set or something; it's hard to tell...

Code:

if (isset($MSQ) && MySQL_Num_Rows($MSQ) <> 1)
{
echo "Neautorizovaný přístup";
echo "hello you";
exit;
}
And it wouldn't hurt if you told us what line 44 is either...
I tried it and it is OK, but the problem is that user_name is accepted too.

When I code it without isAdmin, only in the SQL command, it runs but only accepts admin, not user

Code:

...............
$MSQ = MySQL_Query("SELECT * FROM users WHERE (login LIKE '$login') AND (password LIKE '$p') AND (isAdmin LIKE '1')");
.....................

Posted: Mon Dec 04, 2006 3:28 pm
by RobertGonzalez
You are setting $MSQ several times, so there is a strong likelihood that your problem lies in what the value of $MSQ is assigned to at line 44.

Posted: Mon Dec 04, 2006 3:31 pm
by ok
hrubos wrote:

Code:

$isAdmin = MySQL_Query("SELECT isAdmin FROM users"); 

........
if ((IsSet($login)) AND (IsSet($password)) AND ($isAdmin == 1)){
$p = MD5($password);
//for only admin
$MSQ = MySQL_Query("SELECT * FROM users WHERE (login LIKE '$login') AND (password LIKE '$p') ");

...........
}
Why do you use LIKE???

You can write the SQL query like that:

Code:

SELECT * FROM `users` WHERE `login` =  '$login' AND `password` = '$p'

Posted: Mon Dec 04, 2006 3:48 pm
by hrubos
Everah wrote: You are setting $MSQ several times, so there is a strong likelihood that your problem lies in what the value of $MSQ is assigned to at line 44.
What would I do if I want to set isAdmin to check the user login: user has isAdmin = 1 --> has user's permission, user doesn't have --> user's permission

@ok: I know that I can follow your idea. Thanks

Posted: Mon Dec 04, 2006 3:53 pm
by RobertGonzalez
Please review my comments...

Code:

<?php
Header("Pragma: No-cache");
Header("Cache-Control: No-cache, Must-revalidate");
Header("Expires: ".GMDate("D, d M Y H:i:s")." GMT");

$password = $_POST['password'];
$login = $_POST['login'];

$MC = MySQL_Connect("localhost", "root", "");
$MS = MySQL_Select_DB("hostel");
$isAdmin = MySQL_Query("SELECT isAdmin FROM users");


if(!$password||!$login){
  echo 'Třeba vyplnit upnle informace !!!';
  exit;
 }
 
if(!get_magic_quotes_gpc())
 {
 $password  = addslashes($password);
 $login  = addslashes($login);
 }
 
//for admin
/************************************************
* If these conditionals do not ALL add up to true, MSQ will not be set
************************************************/
if ((IsSet($login)) AND (IsSet($password)) AND ($isAdmin == 1)){
$p = MD5($password);
//for only admin
$MSQ = MySQL_Query("SELECT * FROM users WHERE (login LIKE '$login') AND (password LIKE '$p') ");
}

/************************************************
* If $lo is not set MSQ will not be set again
************************************************/
if (IsSet($lo)){

$SN = "autorizace";

Session_name("$SN");
Session_start();

$sid = Session_id();
$MSQ = MySQL_Query("DELETE FROM autorizace WHERE id = '$sid'");
echo "Byl(a) jste odhlášen(a)!";
}

/************************************************
* At this point, since you did not declare MSQ 
* with a default value, if the two above 
* conditionals fail, MSQ is not set at all. I 
* think this is where your errors are coming from.
************************************************/
if (MySQL_Num_Rows($MSQ) <> 1)
{
echo "Neautorizovaný přístup";
echo "hello you";
exit;
}
else{
$SN = "autorizace";
Session_name("$SN");
Session_start();
$sid = Session_id();
$time = Date("U");
$at = Date("U") - 1800;
$MSQ = MySQL_Query("INSERT INTO autorizace VALUES ('$sid', $time)");
$MSQ = MySQL_Query("DELETE FROM autorizace WHERE time < $at");

include ("D:\htdocs\BP\Room\outputRoom.php");
echo '<p> <a href="autorizace.php?lo=true">Odhlásit se</a> </p>';
}
?>

Posted: Mon Dec 04, 2006 4:11 pm
by hrubos
Thanks for your comment

If I do it for the last point, it runs with all conditions, but user and admin can't be realized

Code:

if (isset($MSQ) && MySQL_Num_Rows($MSQ) <> 1)
{
echo "Neautorizovaný přístup";
echo "hello you";
exit;
}
else{
$SN = "autorizace";
Session_name("$SN");
Session_start();
$sid = Session_id();
$time = Date("U");
$at = Date("U") - 1800;
$MSQ = MySQL_Query("INSERT INTO autorizace VALUES ('$sid', $time)");
$MSQ = MySQL_Query("DELETE FROM autorizace WHERE time < $at");

include ("D:\htdocs\BP\Room\outputRoom.php");
echo '<p> <a href="autorizace.php?lo=true">Odhlásit se</a> </p>';
}

Posted: Mon Dec 04, 2006 4:12 pm
by Zoxive
Everah wrote: Please review my comments...
That's what I thought, so I said this...
Zoxive wrote:

Code:

if (isset($MSQ) && MySQL_Num_Rows($MSQ) <> 1)
{
echo "Neautorizovaný přístup";
echo "hello you";
exit;
}
To check and see if it isset().

Posted: Mon Dec 04, 2006 4:45 pm
by RobertGonzalez
$lo is never set anywhere, so your second conditional will always fail. This little snippet

Code:

$isAdmin = MySQL_Query("SELECT isAdmin FROM users");
is causing all sorts of mischief. Once this is executed, $isAdmin becomes a resource identifier so your first conditional will always fail. That being said, $MSQ will never be set to anything and you will always have this error.

To fix this, you need to do something with the query result resource that is in $isAdmin. Once you extract some information from that, you should be able to get back on track.

Posted: Wed Dec 06, 2006 1:06 pm
by hrubos
I have changed it here, but I received the message "mysql_fetch_array(): supplied argument is not a valid MySQL result resource in".

Code:

<?php 

Header("Pragma: No-cache");
Header("Cache-Control: No-cache, Must-revalidate");
Header("Expires: ".GMDate("D, d M Y H:i:s")." GMT");

$password = $_POST['password'];
$login = $_POST['login'];

$MC = MySQL_Connect("localhost", "root", "");
$MS = MySQL_Select_DB("kolej");



if(!$password||!$login){
  echo 'Třeba vyplnit upnle informace !!!';
  exit;
 }
 
if(!get_magic_quotes_gpc())
 {$password  = addslashes($password);
 $login  = addslashes($login);
 }
 
if ((IsSet($login)) AND (IsSet($password)) AND (IsSet($isAdmin))){
$p = MD5($password);
//for only admin
$MSQ = MySQL_Query("SELECT * FROM users WHERE (login LIKE '$login') AND (password LIKE '$p') ");
}

if (IsSet($lo)){

$SN = "autorizace";

Session_name("$SN");
Session_start();

$sid = Session_id();
$MSQ = MySQL_Query("DELETE FROM autorizace WHERE id = '$sid'");
echo "Byl(a) jste odhlášen(a)!";
}

if (isset($MSQ) && MySQL_Num_Rows($MSQ) <> 1) 
{
echo "Neautorizovaný přístup";
echo "hello you";
exit;
}
else{
$SN = "autorizace";
Session_name("$SN");
Session_start();
$sid = Session_id();
$time = Date("U");
$at = Date("U") - 1800;
$MSQ = MySQL_Query("INSERT INTO autorizace VALUES ('$sid', $time)");
$MSQ = MySQL_Query("DELETE FROM autorizace WHERE time < $at");

$row = mysql_fetch_array($MSQ);
$id = $row['id'];
$isAdmin = $row['isAdmin'];

if($isAdmin)
{
include ("D:\htdocs\BP\Room\outputRoom.php");
echo '<p> <a href="autorizace.php?lo=true">Odhlásit se</a> </p>';
}
else{
echo  "Error";
}
}

?>

Posted: Wed Dec 06, 2006 1:08 pm
by feyd
DELETE queries return true or false. There's nothing to fetch. Once again you're using the same for a lot of queries, this can lead to problems such as this one.

Posted: Wed Dec 06, 2006 3:16 pm
by hrubos
Please, I tried n times and it still doesn't run. Who can help me to make the condition isAdmin, by which user or admin can be realized? (I have a table user that contains the fields id, login, password, isAdmin)
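The thread's diagnosis (one $MSQ reused for every query, $isAdmin holding a query result resource instead of the row's flag so `$isAdmin == 1` never holds, and a DELETE returning a boolean that cannot be fetched) can be put together as one corrected login flow. The block below is an added example written for this page; it is not hrubos's code or a reply from the thread. It assumes PHP 7 or later with the mysqli extension and mysqlnd (for get_result()), since the mysql_* functions used in the thread were removed in PHP 7; the users table described in the thread (id, login, password, isAdmin) with the password column holding a password_hash() value rather than an MD5 digest; and the autorizace table (id, time). The connection constants and the include path are placeholders.

```php
<?php
// Added example, not code from the thread. Corrected login/logout flow:
// one variable per query result, the isAdmin flag read from the fetched
// row, prepared statements instead of addslashes()+LIKE, and hashed
// passwords. Assumes PHP 7+, mysqli with mysqlnd, the thread's tables
// users(id, login, password, isAdmin) and autorizace(id, time).
declare(strict_types=1);

header("Pragma: No-cache");
header("Cache-Control: No-cache, Must-revalidate");

const DB_HOST = 'localhost';      // placeholder
const DB_USER = 'hostel_app';     // placeholder: least-privilege account, not root
const DB_PASS = 'CHANGE_ME';      // placeholder
const DB_NAME = 'kolej';          // database name used in the thread
const SESSION_TTL = 1800;         // 30 minutes, the value the thread uses

session_name('autorizace');
session_start();

$db = new mysqli(DB_HOST, DB_USER, DB_PASS, DB_NAME);
if ($db->connect_error) {
    http_response_code(500);
    exit('Database unavailable');
}

// Logout. The thread relied on register_globals for $lo; read it explicitly.
if (isset($_GET['lo'])) {
    $sid = session_id();
    $logout = $db->prepare('DELETE FROM autorizace WHERE id = ?');
    $logout->bind_param('s', $sid);
    $logout->execute();           // DELETE yields true/false: nothing to fetch
    session_destroy();
    exit('You have been logged out.');
}

$login = $_POST['login'] ?? '';
$password = $_POST['password'] ?? '';
if ($login === '' || $password === '') {
    exit('Please fill in all the information.');
}

// One SELECT into its own result; the placeholder replaces addslashes() and LIKE.
$find = $db->prepare('SELECT id, password, isAdmin FROM users WHERE login = ?');
$find->bind_param('s', $login);
$find->execute();
$user = $find->get_result()->fetch_assoc();   // null when the login does not exist

// password_verify() compares against the stored hash in constant time.
if ($user === null || !password_verify($password, $user['password'])) {
    http_response_code(401);
    exit('Unauthorized access');
}

// Fresh session id on login so a pre-set id cannot be reused (session fixation).
session_regenerate_id(true);
$sid = session_id();
$now = time();
$expired = $now - SESSION_TTL;

$record = $db->prepare('INSERT INTO autorizace VALUES (?, ?)');
$record->bind_param('si', $sid, $now);
$record->execute();

$cleanup = $db->prepare('DELETE FROM autorizace WHERE time < ?');
$cleanup->bind_param('i', $expired);
$cleanup->execute();

// The role comes from the fetched row: this is the check the thread's
// "$isAdmin == 1" was trying to express.
$_SESSION['user_id'] = (int) $user['id'];
$_SESSION['is_admin'] = ((int) $user['isAdmin'] === 1);

if ($_SESSION['is_admin']) {
    include __DIR__ . '/../Room/outputRoom.php';   // admin-only page; path is a placeholder
} else {
    echo '<p>Logged in as a regular user.</p>';      // isAdmin = 0: no admin page
}
echo '<p><a href="autorizace.php?lo=true">Log out</a></p>';
```

Each query gets its own statement object, so a later DELETE can never overwrite the SELECT result that the role check depends on; the `isAdmin` value is read from `$user` after a successful password check rather than from a whole-table query, so an ordinary user (isAdmin = 0) logs in but does not receive the admin page.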