if elseif statement

[woodplease]

i'm having trouble with an elseif statement. its not displaying the result it should

?php
if(isset($_COOKIE['ID_forum'])){

$username = $_COOKIE['ID_forum'];

$query = "SELECT * FROM users WHERE username = '".$username."'";
$level = mysql_query($query) or die ("Select Error :" . mysql_error());
$userlevel = $level['user_level'];
echo $userlevel;

if ($userlevel == "1") {
echo 'you are a member';	
}
elseif ($userlevel == "2") {
echo 'you are a moderator';	
}
elseif ($userlevel == "3") {
echo 'you are an administrator ';	
}
else
echo'you are not logged in';
}
?>

 

it is echoing out 'you are not logged in', when it should be saying 'you are an administrator', as the value in the table is 3. i do know that the cookie 'ID_forum' is there, but i cant find why its not working properly. Any ideas would be great.

 

Thanks

[Pikachu2000]

What does the echo $userlevel; return?

 

[woodplease]

i forgot that was there. i was using it to check if the query was working or not, it should have returned the value from the table where the username is that of the one stored in the cookie, either a 1, 2 or 3.

i've just realised that if its not working, then theres a problem with the query, but looking at it, i cant see what the problem is.

[Pikachu2000]

Here, try this. However, using a cookie value to determine the user's access level is ill-advised. Cookies can be manipulated by the user; you'd be better off to use session data.

 

Also, you should avoid wildcard SELECT * statements unless all of the fields are actually going to be used. Just explicitly name the fields you need in the query string.

 

$query = "SELECT `user_level` FROM `users` WHERE `username` = '" . mysql_real_escape_string($username) . "'";
$result = mysql_query($query) or die ("Select Error :" . mysql_error());
$array = mysql_fetch_assoc($result);
$userlevel = $array['user_level'];
echo $userlevel;

[woodplease]

thanks, it works now. i'll have a look at using session data instead then to make it more secure