admin permission
Posted: Mon Dec 04, 2006 2:59 pm
by hrubos
I wrote this for user_permission and admin_permission. I have isAdmin in the database, and I call admin = 1, user = 0.
Now this code has an error: Undefined variable: MSQ in D:\htdocs\BP\autorizace\autorizace_DB.php on line 44
Code:
<?php
Header("Pragma: No-cache");
Header("Cache-Control: No-cache, Must-revalidate");
Header("Expires: ".GMDate("D, d M Y H:i:s")." GMT");
$password = $_POST['password'];
$login = $_POST['login'];
$MC = MySQL_Connect("localhost", "root", "");
$MS = MySQL_Select_DB("hostel");
$isAdmin = MySQL_Query("SELECT isAdmin FROM users");
if(!$password||!$login){
echo 'Třeba vyplnit upnle informace !!!';
exit;
}
if(!get_magic_quotes_gpc())
{
$password = addslashes($password);
$login = addslashes($login);
}
//for admin
if ((IsSet($login)) AND (IsSet($password)) AND ($isAdmin == 1)){
$p = MD5($password);
//for only admin
$MSQ = MySQL_Query("SELECT * FROM users WHERE (login LIKE '$login') AND (password LIKE '$p') ");
}
if (IsSet($lo)){
$SN = "autorizace";
Session_name("$SN");
Session_start();
$sid = Session_id();
$MSQ = MySQL_Query("DELETE FROM autorizace WHERE id = '$sid'");
echo "Byl(a) jste odhlášen(a)!";
}
if (MySQL_Num_Rows($MSQ) <> 1)
{
echo "Neautorizovaný přístup";
echo "hello you";
exit;
}
else{
$SN = "autorizace";
Session_name("$SN");
Session_start();
$sid = Session_id();
$time = Date("U");
$at = Date("U") - 1800;
$MSQ = MySQL_Query("INSERT INTO autorizace VALUES ('$sid', $time)");
$MSQ = MySQL_Query("DELETE FROM autorizace WHERE time < $at");
include ("D:\htdocs\BP\Room\outputRoom.php");
echo '<p> <a href="autorizace.php?lo=true">Odhlásit se</a> </p>';
}
?>
Posted: Mon Dec 04, 2006 3:13 pm
by ok
Which line is 44? Which command evaluates the error?
Posted: Mon Dec 04, 2006 3:18 pm
by hrubos
ok wrote: Which line is 44? Which command evaluates the error?
I think I have a problem when I set the condition for admin here
Code:
$isAdmin = MySQL_Query("SELECT isAdmin FROM users");
........
if ((IsSet($login)) AND (IsSet($password)) AND ($isAdmin == 1)){
$p = MD5($password);
//for only admin
$MSQ = MySQL_Query("SELECT * FROM users WHERE (login LIKE '$login') AND (password LIKE '$p') ");
...........
}
Posted: Mon Dec 04, 2006 3:18 pm
by Zoxive
I think you need to check to see if MSQ isset or something, it's hard to tell..
Code:
if (isset($MSQ) && MySQL_Num_Rows($MSQ) <> 1)
{
echo "Neautorizovaný přístup";
echo "hello you";
exit;
}
And it wouldn't hurt if you tell us what line 44 is either...
Posted: Mon Dec 04, 2006 3:25 pm
by hrubos
Zoxive wrote: I think you need to check to see if MSQ isset or something, it's hard to tell..
Code:
if (isset($MSQ) && MySQL_Num_Rows($MSQ) <> 1)
{
echo "Neautorizovaný přístup";
echo "hello you";
exit;
}
And it wouldn't hurt if you tell us what line 44 is either...
I tried it and it is OK, but the problem is that user_name is accepted too.
When I code it without isAdmin, only in the SQL command, it runs but only accepts admin, not user
Code:
...............
$MSQ = MySQL_Query("SELECT * FROM users WHERE (login LIKE '$login') AND (password LIKE '$p') AND (isAdmin LIKE '1')");
.....................
Posted: Mon Dec 04, 2006 3:28 pm
by RobertGonzalez
You are setting $MSQ several times, so there is a strong likelihood that your problem lies in what the value of $MSQ is assigned to at line 44.
Posted: Mon Dec 04, 2006 3:31 pm
by ok
hrubos wrote:
Code:
$isAdmin = MySQL_Query("SELECT isAdmin FROM users");
........
if ((IsSet($login)) AND (IsSet($password)) AND ($isAdmin == 1)){
$p = MD5($password);
//for only admin
$MSQ = MySQL_Query("SELECT * FROM users WHERE (login LIKE '$login') AND (password LIKE '$p') ");
...........
}
Why do you use LIKE???
You can write the SQL query like this:
Code:
SELECT * FROM `users` WHERE `login` = '$login' AND `password` = '$p'
Posted: Mon Dec 04, 2006 3:48 pm
by hrubos
Everah wrote: You are setting $MSQ several times, so there is a strong likelihood that your problem lies in what the value of $MSQ is assigned to at line 44.
What would I do if I want to set isAdmin to check user login, user has isAdmin = 1 --> have user's permission, user doesn't have --> user's permission
@ ok: I know that I can follow your idea. Thanks
Posted: Mon Dec 04, 2006 3:53 pm
by RobertGonzalez
Please review my comments...
Code:
<?php
Header("Pragma: No-cache");
Header("Cache-Control: No-cache, Must-revalidate");
Header("Expires: ".GMDate("D, d M Y H:i:s")." GMT");
$password = $_POST['password'];
$login = $_POST['login'];
$MC = MySQL_Connect("localhost", "root", "");
$MS = MySQL_Select_DB("hostel");
$isAdmin = MySQL_Query("SELECT isAdmin FROM users");
if(!$password||!$login){
echo 'Třeba vyplnit upnle informace !!!';
exit;
}
if(!get_magic_quotes_gpc())
{
$password = addslashes($password);
$login = addslashes($login);
}
//for admin
/************************************************
* If these conditionals do not ALL add up to true, MSQ will not be set
************************************************/
if ((IsSet($login)) AND (IsSet($password)) AND ($isAdmin == 1)){
$p = MD5($password);
//for only admin
$MSQ = MySQL_Query("SELECT * FROM users WHERE (login LIKE '$login') AND (password LIKE '$p') ");
}
/************************************************
* If $lo is not set MSQ will not be set again
************************************************/
if (IsSet($lo)){
$SN = "autorizace";
Session_name("$SN");
Session_start();
$sid = Session_id();
$MSQ = MySQL_Query("DELETE FROM autorizace WHERE id = '$sid'");
echo "Byl(a) jste odhlášen(a)!";
}
/************************************************
* At this point, since you did not declare MSQ
* with a default value, if the two above
* conditionals fail, MSQ is not set at all. I
* think this is where your errors are coming from.
************************************************/
if (MySQL_Num_Rows($MSQ) <> 1)
{
echo "Neautorizovaný přístup";
echo "hello you";
exit;
}
else{
$SN = "autorizace";
Session_name("$SN");
Session_start();
$sid = Session_id();
$time = Date("U");
$at = Date("U") - 1800;
$MSQ = MySQL_Query("INSERT INTO autorizace VALUES ('$sid', $time)");
$MSQ = MySQL_Query("DELETE FROM autorizace WHERE time < $at");
include ("D:\htdocs\BP\Room\outputRoom.php");
echo '<p> <a href="autorizace.php?lo=true">Odhlásit se</a> </p>';
}
?>
Posted: Mon Dec 04, 2006 4:11 pm
by hrubos
Thanks for your comment
If I do this for the last point, it runs with all conditions but user and admin can't be realized
Code:
if (isset($MSQ) && MySQL_Num_Rows($MSQ) <> 1)
{
echo "Neautorizovaný přístup";
echo "hello you";
exit;
}
else{
$SN = "autorizace";
Session_name("$SN");
Session_start();
$sid = Session_id();
$time = Date("U");
$at = Date("U") - 1800;
$MSQ = MySQL_Query("INSERT INTO autorizace VALUES ('$sid', $time)");
$MSQ = MySQL_Query("DELETE FROM autorizace WHERE time < $at");
include ("D:\htdocs\BP\Room\outputRoom.php");
echo '<p> <a href="autorizace.php?lo=true">Odhlásit se</a> </p>';
}
Posted: Mon Dec 04, 2006 4:12 pm
by Zoxive
Everah wrote:Please review my comments...
That's what I thought, so I said this..
Zoxive wrote:
Code:
if (isset($MSQ) && MySQL_Num_Rows($MSQ) <> 1)
{
echo "Neautorizovaný přístup";
echo "hello you";
exit;
}
To check and see if it isset().
Posted: Mon Dec 04, 2006 4:45 pm
by RobertGonzalez
$lo is never set anywhere, so your second conditional will always fail. This little snippet
Code:
$isAdmin = MySQL_Query("SELECT isAdmin FROM users");
is causing all sorts of mischief. Once this is executed, $isAdmin becomes a resource identifier so your first conditional will always fail. That being said, $MSQ will never be set to anything and you will always have this error.
To fix this, you need to do something with the query result resource that is in $isAdmin. Once you extract some information from that, you should be able to get back on track.
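The points made in the replies above (fetch a row and read isAdmin from it rather than testing the query handle, and compare with = instead of LIKE), as an added example that is not code from any poster in this thread. It assumes PDO with an in-memory SQLite table standing in for the thread's MySQL `users` table, and swaps the MD5/addslashes approach for password_hash()/password_verify() with a bound parameter; the function name authenticate() and the sample accounts are constructed for illustration.

```php
<?php
// Added example: constructed in-memory table standing in for the thread's `users` table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT UNIQUE, password TEXT, isAdmin INTEGER)');
$seed = $db->prepare('INSERT INTO users (login, password, isAdmin) VALUES (?, ?, ?)');
$seed->execute(['alice', password_hash('alice-pass', PASSWORD_DEFAULT), 1]); // constructed admin
$seed->execute(['bob',   password_hash('bob-pass',   PASSWORD_DEFAULT), 0]); // constructed user

/**
 * Hypothetical helper: returns 'admin', 'user', or null when the login is rejected.
 * The role is read from the row fetched for this login, never from the query handle.
 */
function authenticate(PDO $db, string $login, string $password): ?string
{
    if ($login === '' || $password === '') {
        return null;
    }
    // Bound parameter plus "=": the login is never interpolated into the SQL,
    // and % or _ in it are literal characters, not LIKE wildcards.
    $userQuery = $db->prepare('SELECT id, password, isAdmin FROM users WHERE login = ?');
    $userQuery->execute([$login]);
    $row = $userQuery->fetch(PDO::FETCH_ASSOC); // array, or false when no such login

    // Fail closed: a missing row and a wrong password take the same path.
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    return ((int) $row['isAdmin'] === 1) ? 'admin' : 'user';
}

// Constructed attempts: valid admin, valid user, wrong password, and a login
// consisting of a LIKE wildcard character, which "=" treats literally.
$attempts = [['alice', 'alice-pass'], ['bob', 'bob-pass'], ['bob', 'wrong'], ['%', 'bob-pass']];
foreach ($attempts as [$login, $password]) {
    $role = authenticate($db, $login, $password);
    printf("%-6s => %s\n", $login, $role ?? 'Neautorizovaný přístup');
}
```

Because the function returns null unless a row was fetched and verified, there is no path where an unset result variable falls through to the authorized branch.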
Posted: Wed Dec 06, 2006 1:06 pm
by hrubos
I have changed it here, but I received the message "mysql_fetch_array(): supplied argument is not a valid MySQL result resource in".
Code:
<?php
Header("Pragma: No-cache");
Header("Cache-Control: No-cache, Must-revalidate");
Header("Expires: ".GMDate("D, d M Y H:i:s")." GMT");
$password = $_POST['password'];
$login = $_POST['login'];
$MC = MySQL_Connect("localhost", "root", "");
$MS = MySQL_Select_DB("kolej");
if(!$password||!$login){
echo 'Třeba vyplnit upnle informace !!!';
exit;
}
if(!get_magic_quotes_gpc())
{$password = addslashes($password);
$login = addslashes($login);
}
if ((IsSet($login)) AND (IsSet($password)) AND (IsSet($isAdmin))){
$p = MD5($password);
//for only admin
$MSQ = MySQL_Query("SELECT * FROM users WHERE (login LIKE '$login') AND (password LIKE '$p') ");
}
if (IsSet($lo)){
$SN = "autorizace";
Session_name("$SN");
Session_start();
$sid = Session_id();
$MSQ = MySQL_Query("DELETE FROM autorizace WHERE id = '$sid'");
echo "Byl(a) jste odhlášen(a)!";
}
if (isset($MSQ) && MySQL_Num_Rows($MSQ) <> 1)
{
echo "Neautorizovaný přístup";
echo "hello you";
exit;
}
else{
$SN = "autorizace";
Session_name("$SN");
Session_start();
$sid = Session_id();
$time = Date("U");
$at = Date("U") - 1800;
$MSQ = MySQL_Query("INSERT INTO autorizace VALUES ('$sid', $time)");
$MSQ = MySQL_Query("DELETE FROM autorizace WHERE time < $at");
$row = mysql_fetch_array($MSQ);
$id = $row['id'];
$isAdmin = $row['isAdmin'];
if($isAdmin)
{
include ("D:\htdocs\BP\Room\outputRoom.php");
echo '<p> <a href="autorizace.php?lo=true">Odhlásit se</a> </p>';
}
else{
echo "Error";
}
}
?>
Posted: Wed Dec 06, 2006 1:08 pm
by feyd
DELETE queries return true or false. There's nothing to fetch. Once again you're using the same for a lot of queries, this can lead to problems such as this one.
Posted: Wed Dec 06, 2006 3:16 pm
by hrubos
Please, I tried n times and it still doesn't run. Who can help me to make the condition isAdmin, by which user or admin can be realized. (I have table user that contains fields id, login, password, isAdmin)