0

Ok so I'm trying to pull some data from my SQL database and use it in an IF statement.

I have a database called DB_Default and I have a table called Users

Inside Users I have all the normal columns such as id, username, password but I also have a column called isadmin.

I want to be able to do a mysql query through PHP selecting all users with the username $_SESSION[username] and isadmin = 1.

What I aim on doing is including a few navigation links for escalated privileged users only. So as the page that the code is going to be put into is for logged in users only I thought right, lets use the already defined username session i,e if my sessions username was set to Admin.

the statement should be 

$result = mysql_query("SELECT * FROM users WHERE user_name='" . $_SESSION["user_name"] . "' and isadmin = '". $admin."'");

I have set $admin = "1"; so that it should only be able to return results if the user logged in has isadmin set to 1.

Instead I'm either having the navigation links show to any user regardless of their isadmin status or not at all.

To be honest the code is very messy as it's 5:40am and I haven't been coding for a while so quite rusty so I'm more than aware of how easy this should be of a fix.

I'm 99% sure it has to do with the fact I just set $admin = "1"; but for the life of me can't figure out where I've gone wrong. Going to give it a rest for today and come back tomorrow. Hopefully by then someone will have posted a resolution and obviously I'll vote up the best answer otherwise I'll give the code a lookover and see if I can't fix it myself!

Thanks!

UPDATE - Included code

    <?php
$admin = 1;
$conn = mysql_connect("localhost","root","password");
mysql_select_db("DB_Default",$conn);
$result = mysql_query("SELECT * FROM users WHERE user_name='" . $_SESSION["user_name"] . "' and isadmin = '". $admin."'");
$row  = mysql_fetch_array($result);
if(is_array($row)) {
$_SESSION["isadmin"] = $row[isadmin];
} else {
}
if($_SESSION["isadmin"] == '1'){
//has admin privs
} else {
//does not have admin privs
}

I have not yet set up the navigation links as I haven't gotten to that stage yet however the links would be inside the if statement admin links in the admin part and not in the non admin part.

Improve this question
7
  • The query itself seems to be fine. Try assigning the query to some variable and var_dump it to make sure that the string is generated properly. $sql = "SELECT * FROM users WHERE user_name='" . $_SESSION["user_name"] . "' and isadmin = '". $admin."'"; var_dump($sql); Commented Aug 30, 2015 at 4:53
  • Agreed with Danny that the query seems to be fine. I recommend posting the code where you show (or hide) the navigation links that you refer to. Commented Aug 30, 2015 at 4:56
  • @DannyPhantom thanks for the response. This was the response the server gave me. string(61) "SELECT * FROM users WHERE user_name='Admin' and isadmin = '1'" Commented Aug 30, 2015 at 4:56
  • Without seeing the rest of you code, my guess is that you are checking if $result returns true - ie. if($result){ // isadmin } - instead of checking if a row is returned - if(mysql_num_rows($result)){ // isadmin }. A empty returned query is still a successful query Commented Aug 30, 2015 at 4:57
  • My guess right now is going to be the following: You set the $_SESSION variable when you log in as Admin. After that the $_SESSION is never changed. Which pretty much means that if you log in as Admin and then re-log in as someone else, $_SESSION['isadmin'] will already be set to 1 thus providing full access. So what you will need to do is change the else part to: if(is_array($row)) { $_SESSION["isadmin"] = $row[isadmin]; } else { $_SESSION['isadmin'] = 0; } Commented Aug 30, 2015 at 5:12

1 Answer 1

Reset to default
1

My guess right now is going to be the following: You set the $_SESSION variable when you log in as Admin. After that the $_SESSION is never changed. Which pretty much means that if you log in as Admin and then re-log in as someone else, $_SESSION['isadmin'] will already be set to 1 thus providing full access. So what you will need to do is change the else part to: 

if(is_array($row)) 
    { $_SESSION["isadmin"] = $row[isadmin]; } 
else 
    { $_SESSION['isadmin'] = 0; }
Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

This. Thanks Danny! Hopefully your post will help others with similar problems to myself! Great work :)

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.