privileges

[localhost]

alright so whenever any user signs up to my site their priv table is set to "1"

i want this to be completely backended, i just want a script that will check for priv..and then an if statement like

if priv==1
whatever
}

if priv==10
echo " admin panel link";
include('admin/');
}

you guys get it right?

[AndyB]

User login/password
Connect to database
Retrieve record (if doesn't exist, go back to login)
If priv == 10 {
// whatever admin stuff
} else {
// just do normal user stuff
}

... what specific problem do you have??

[localhost]

the script to actually fetch from the database the user thats trying to do admin stuff has a privilege of 10

i want a file called check.php

and basically i want it to be run before doing any admin tasks

and i want it to check the user thats logged in, and their privilege wether its 1 or 10 and if its 10 to do certain things

[poirot]

Something like this will do:

[code]if ($priv !== 10) {
   die();
}[/code]

[localhost]

true but the query...like

$user = $_SESSION['user'];

select username from $user

if logged in user priv==10

do this

i cant really explain it better

[redarrow]

exsplain slowly in deatail what your doing and what you need to do.


Do you need help with the select statement or what, as i can see the quistion has been ansawed.

[localhost]

I need to know the script that I can have that does this:

- Checks the username
- Then checks their privilege.

The above 2 I need help with, the query's to check their username and what their privilege is.

- Then I need to know how to use it in an if statement like some said,

if($priv==10) {
// do this
} else {
// do this
}

This way, I can start protecting the admin panel, and the news submission, etc.

[redarrow]

<? session_start();

connect database

$query="select username from $user where user='$user'";

$result=mysql_query($query);

if(mysql_num_rows($result)==0) {

echo "sorry login";

}else{

if($prv==10) {

admin stuff

}

?>

[localhost]

like this:


$query2 = "SELECT * FROM users WHERE username==$user AND
priv==10";

then it has the user logged in with a priv of 10...wait

im lost, really confused...goddamn it

[redarrow]

[code]
$query2 = "SELECT * FROM users WHERE username='$user' AND
priv='10'";
[/code]

[localhost]

this is what i have:

[code]
// Define the current logged in persons username
$user = $_SESSION['user'];

// Select all usernames with the username of the currently logged in persons (1)
$query = "SELECT * FROM users WHERE username=$user AND priv=10";
$result = mysql_query($query) or die('Cannot select all users with a privilege of 10 out of logged in user.');

// See how many match the above query, if it's 1, then they have admin privileges, if it's 0 they do not
$num=mysql_numrows($result);

if($num=1) {
echo "You have sufficient administrative privileges.";
} else {
echo "You do not have the privileges for this.";
}
[/code]

now to figure out how to just use an include before all admin activity

[poirot]

Simple, but functional.

[code]$user = $_SESSION['user'];

mysql_query("SELECT priv FROM users WHERE priv=10 AND username='$user'");

if (mysql_num_rows == 0) {
   die();
}[/code]

Just remember to include this AFTER connecting to the database. If no rows are found, the script immediately stops execution.

[localhost]

Would that not work the same? also I would need session start and connect to db right?

and then i could just put that on top of every form in the admin panel right?

[poirot]

Acutally, if the user is an admin, it does nothing; but if he/she isn't, it will abort the script.
This should do what you need, I guess.

And yes, you need to connect to the database and use session_start()

[localhost]

Very interesting... so will this work...

[code]
<?php
session_start();
?>
<?php

/*
submit news script made by dann for access
from the admin panel
admin/
*/

include('../includes/connect.php');

$user = $_SESSION['user'];

mysql_query("SELECT priv FROM users WHERE priv=10 AND username='$user'");

if (mysql_num_rows == 0) {
   header('Location: ../index.php');
} else {

if($user) {

if(isset($_POST['submit'])) {

$username = $_POST['username'];
$title = $_POST['title'];
$description = $_POST['description'];
$ip = $_POST['ip'];
$date = $_POST['date'];

if($title==NULL || $description==NULL) {
echo "All fields must be filled in.";
} else {
$query = "INSERT INTO news (`username`, `title`, `description`, `ip`, `date`) VALUES ('$username', '$title', '$description', '$ip', '$date')";
$result = mysql_query($query) or die('Could not insert news into system contact Copernicus');

} // for submit button if
} // for if is NULL
} else { // for the logged in if statement
echo "you must be logged in.";
}
} // for priv check

?>
<style type="text/css">
<!--
.style1 {
    font-family: Verdana, Arial, Helvetica, sans-serif;
    font-size: x-small;
}
-->
</style>
<form action="" method="POST">
<title>Submit News</title>
<p><input type="hidden" name="username" value="<?php echo $_SESSION['user']; ?> " />
  <Br>
  <span class="style1">Title:<Br>
  <input type="text" name="title" />
    <input type="hidden" name="ip" value=" <?php echo $_SERVER['REMOTE_ADDR']; ?> ">
  <input type="hidden" name="date" value=" <?php echo date('m/d/Y'); ?> ">
  <BR>
  Description:
  <Br>
  <input name="description" type="text" value="" height="50">
  <BR>
  <input type="submit" name="submit" value="Submit" />
  </span></form>
  </span></p>
[/code]

BTW, Thanks for all your help.