
SESSION changing for some odd reason


Asheeown


Okay, so my sessions work flawlessly for my site; however, in the admin section I have a section to view, edit, add and delete users.  When I view all users, or try to edit one of the current users, the userlevel changes from 3 (admin status) to 1 (user status).

 

This does NOT happen on my development server, same files, different database information.

 

Here is my page code:

 

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<?php
require_once("../include/config.php");
require_once("../include/functions.php");
require_once("../include/db_connect.php");
if(!$_SESSION['LoggedIn']) {
$Errors .= "You must be logged in to view that page.";
$URL = "../login.php?Error=1";
echo("<meta http-equiv='refresh' content='0;URL=$URL'>");
die();
}
if($_SESSION['UserLevel'] < 2) {
$URL = "../index.php?Error=1";
echo("<meta http-equiv='refresh' content='0;URL=$URL'>");
die();
}
?>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>EGM .::. Admin .::. View Users</title>
<link rel="stylesheet" href="../assets/css/style.css" type="text/css" media="all" />
<style type="text/css">
<!--
body {
background-color: #999999;
}
.style1 {color: #FFFFFF}
-->
</style></head>
<body>
<div id="wrapper">
  <div id="header">
    <p class="logotext"> </p>
  </div>
  <div id="nav">
    <ul>
      <li><a href="../index.php">Home</a></li>
      <li><a href="../aboutus.php">About Us</a></li>
      <li><a href="../contact.php">Contact Us</a></li>
      <li><a href="../faq.php">FAQ</a></li>
    </ul>
  </div>
  <div id="content">
    <div id="left">
      <h2 class="style1">Admin Menu</h2>
      <ul>
      <li><a href="../index.php">Leave Admin Area</a></li>
      <li><a href="viewnews.php">News</a></li>
      <li><a href="viewusers.php">Users</a></li>
      </ul>
      <h2 class="style1">Users Menu</h2>
      <ul>
      <li><a href="viewusers.php">View All</a></li>
      <li><a href="adduser.php">Add New</a></li>
      </ul>
      
<?php
  UserMenu('../');
?>
    </div>
    <br />
    <div id="breadcrumb"><span class="style1">Home » Administration » Users » View All</span></div>
    <br />
    <br />
    <div id="right">
    
    <?php

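if(!isset($_GET['page'])){
	$page = 1;
} else {
	// Cast to int: $page is interpolated into the LIMIT clause and the pagination links below
	$page = max(1, (int) $_GET['page']);
}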

// Define the number of results per page
$max_results = 10;

// Figure out the limit for the query based
// on the current page number.
$from = (($page * $max_results) - $max_results); 	

$Result = mysql_query("SELECT * FROM Users ORDER BY Id DESC LIMIT $from, $max_results") or die(mysql_error());
echo("
<table width=\"100%\" border=\"0\" align=\"center\" cellpadding=\"5\" cellspacing=\"2\">
  <tr>
	<td width=\"5%\">Id:</td>
	<td width=\"25%\">Username:</td>
	<td width=\"20%\">First Name:</td>
	<td width=\"30%\">Email:</td>
	<td width=\"20%\">Options:</td>
  </tr>
");
while($Row = mysql_fetch_assoc($Result)) {
extract($Row);

echo("
  <tr>
	<td width=\"20%\">$Id</td>
	<td width=\"20%\">$Username</td>
	<td width=\"20%\">$FirstName</td>
	<td width=\"20%\">$Email</td>
	<td width=\"20%\"><div id=\"reglink\"><a href=\"edituser.php?Id=$Id\"><img border=\"0\" src=\"../assets/images/edit_icon.png\" /></a>  <a href=\"deleteuser.php?Id=$Id\"><img border=\"0\" src=\"../assets/images/delete_icon.png\" /></a></div></td>
  	
  </tr>
");
}
echo("
</table>
");

// Figure out the total number of results in DB:
$total_results = mysql_result(mysql_query("SELECT COUNT(*) as Num FROM Users"),0);

// Figure out the total number of pages. Always round up using ceil()
$total_pages = ceil($total_results / $max_results);

// Build Page Number Hyperlinks
echo "<center>Select a Page<br />";
echo "<div id=\"pagination\">";
// Build Previous Link
if($page > 1){
	$prev = ($page - 1);
	echo "<a href=\"".$_SERVER['PHP_SELF']."?page=$prev\">< Previous</a> ";
}

for($i = 1; $i <= $total_pages; $i++){
	if(($page) == $i){
		echo "$i ";
		} else {
			echo "<a href=\"".$_SERVER['PHP_SELF']."?page=$i\">$i</a> ";
	}
}

// Build Next Link
if($page < $total_pages){
	$next = ($page + 1);
	echo "<a href=\"".$_SERVER['PHP_SELF']."?page=$next\">Next ></a>";
}
echo "</div>";
echo "</center>"; 
    ?>
    
    </div>
  </div>
  <br class="clear" />
  <div id="footer">
    <p>
    <?php Footer(); ?>
    </p>
  </div>
</div>
</body>
</html>

 

 

The news admin portion of my site is almost identical, just with different tables and rows.

 

Any ideas of what it could be?  It's really weird it works on one server and not on the other.


I suspect the problem is with extract().  There are a number of solutions, the safest being to use {$Row['Id']}, {$Row['Username']}, etc. inside the echo.  That way you can never clobber your session variables.

 

And the reason that may work on one server but not another is probably the register_globals setting.  With registered globals, it's possible for a standard variable like $UserLevel to overwrite $_SESSION['UserLevel'], because they both reference the same value.

 

Edit: To fix the problem (if this is what it is), remove the extract() line and use {$Row['Id']} in place of each of your $Id style variables in the mysql result loop.


Sessions won't work in the posted code unless session.auto_start is on or that whole code is being included by a page that is doing session_start();

 

extract() should almost always be used with the EXTR_SKIP second parameter to avoid overwriting any existing variables.


EXTR_SKIP doesn't make sense in the way he's using extract().  He wants to overwrite the variables for each row.  But I think he is inadvertently overwriting other variables because he used "SELECT *", fetching more than just the ones he is interested in, including the user level.

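The variable clash discussed in the replies, as an added example that is not part of the original thread: it compares extract() with EXTR_OVERWRITE, extract() with EXTR_SKIP, and plain array access over the same rows. Assumptions: `$session` stands in for `$_SESSION`, the `&` reference simulates the aliasing that register_globals (removed in PHP 5.4.0) created, and the rows are constructed sample data.

```php
<?php
// Constructed sample rows, standing in for "SELECT * FROM Users" results.
// SELECT * returns every column, including UserLevel.
$rows = [
    ['Id' => 7, 'Username' => 'alice', 'UserLevel' => 1],
    ['Id' => 6, 'Username' => 'bob',   'UserLevel' => 1],
];

// Lists the rows the way the posted page does, with extract() inside the loop.
function listWithExtract(array $rows, int $flags): array
{
    $session = ['LoggedIn' => true, 'UserLevel' => 3]; // stand-in for $_SESSION
    $UserLevel = &$session['UserLevel'];               // simulated register_globals alias

    $shown = [];
    foreach ($rows as $Row) {
        // Imports every column as a variable: $Id, $Username and $UserLevel.
        extract($Row, $flags);
        $shown[] = "$Id:$Username";
    }
    return ['session_level' => $session['UserLevel'], 'shown' => $shown];
}

// The fix suggested in the thread: no extract(), read columns from the row.
function listWithArrayAccess(array $rows): array
{
    $session = ['LoggedIn' => true, 'UserLevel' => 3];
    $UserLevel = &$session['UserLevel'];

    $shown = [];
    foreach ($rows as $Row) {
        // HTML-escaping is an addition here; the thread covers only the clash.
        $name = htmlspecialchars($Row['Username'], ENT_QUOTES, 'UTF-8');
        $shown[] = "{$Row['Id']}:$name";
    }
    return ['session_level' => $session['UserLevel'], 'shown' => $shown];
}

// Compare what each approach does to the session value and to the listing.
$results = [
    'EXTR_OVERWRITE' => listWithExtract($rows, EXTR_OVERWRITE),
    'EXTR_SKIP'      => listWithExtract($rows, EXTR_SKIP),
    'array access'   => listWithArrayAccess($rows),
];
foreach ($results as $name => $r) {
    printf("%-15s session UserLevel=%d rows=%s\n",
        $name, $r['session_level'], implode(', ', $r['shown']));
}
```

Selecting only the columns the page displays (instead of `SELECT *`) also keeps UserLevel out of the row in the first place.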
