
Partially a continuation from my other thread, as this is a little similar, but...

 

The below should be redirecting a user that is not logged into the admin control panel back to the admincp log-in page. Instead it's showing the actual page. This is only the case if the user has a cadmin number of 3 or 4... so it is limiting the access to people that should have access and blocking those that shouldn't. But it should still be pointing a user not logged in back to the admincp log-in page because the mypassword3 session variable should not be set. When I var_dump $_SESSION, mypassword3 is NULL. Everything else is set properly.

 

<?php
require_once 'db_select.php';
require_once 'func.php';
session_start();
$cadmin2=$_SESSION['admin_check'];
if($cadmin2=="4" || $cadmin2=="3"  && isset($_SESSION['mypassword3']) && $_SESSION['mypassword3']==$_SESSION['mypassword2']){
if($_GET['view']=="applications"){
$section.=' - New Applications';
$content.='
<div class="main">
<div class="main_header">New Investor Applications</div>
</div>
';
}
elseif($_GET['view']=="accounts"){
$section.=' - View Accounts';
$content.='
<div class="main">
<div class="main_header">View Investor Accounts</div>
</div>
';
}
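else{
header("Location: ./index.php?admincp");
exit; // stop here so nothing below runs after the redirect
}
}
else{
header("Location: ./index.php?usercp");
exit; // stop here so nothing below runs after the redirect
}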
?>

 

 

Here's the admin panel/admin panel log-in if it helps anything:

 

<?php
require_once 'func.php';
session_start();
$cadmin2=$_SESSION['admin_check'];
if($cadmin2=="3" || $cadmin2=="4"){
if(isset($_SESSION['myusername2']) && kam3($_POST['password'])==$_SESSION['mypassword2'] || isset($_SESSION['myusername2']) && $_SESSION['mypassword3']==$_SESSION['mypassword2']){
if(!empty($_POST['password'])){
$_SESSION['mypassword3']=kam3($_POST['password']);
}
$content.='
<div class="main">
<p class="main_header">Admin Control Panel</p>
</div>

<div class="usercp_links">';
if($cadmin2=="4"){
$content.='
<div class="ilink">
<a href="./index.php?admincp=users&do=add">New User</a>
</div>
<div class="ilink">
<a href="./index.php?admincp=investors&view=applications">Investor Applications</a>
</div>
<div class="ilink">
<a href="./index.php?admincp=requests&view=donation">Additional Donation Requests</a>
</div>
';
}
$content.='
<div class="ilink">
<a href="./index.php?admincp=manage&view=ideas">Manage Idea Submissions</a>
</div>
</div>

<div class="usercp_links">';
if($cadmin2=="4"){
$content.='
<div class="ilink">
<a href="./index.php?admincp=users&do=edit">Edit Users</a>
</div>
<div class="ilink">
<a href="./index.php?admincp=investors&view=accounts">Investor Accounts</a>
</div>
<!--<div class="ilink">
<a href="./index.php?admincp=requests&view=credit">Additional Credit Requests</a>
</div>-->';
}
$content.='
<div class="ilink">
<a href="./index.php?admincp=manage&view=exclusive">Manage Exclusive Content</a>
</div>
<div class="ilink">
<a href="./logout.php?logout=admin">Log-Out</a>
</div>
</div>';
}
else{
if(!isset($_SESSION['myusername2'])){
header("Location: ./index.php");
exit; // stop here so the form below is not built for a user with no session
}
$content='
<table class="actors_table">
<tr>
<td align="center">';

if(isset($_GET['e']) && $_GET['e']=="0")
{
$content .= '<span style="color: #FF0000; font-weight: bold;">Incorrect Username or Password</span><br/><br/>';
} 

else{
$content .="";
}

$content .='Re-Type your password to view this information:
<form action="" method="post">
    <p>Username: <input type="text" name="username" value="'.$_SESSION['myusername2'].'" disabled="disabled" /></p>
<p>Password: <input type="password" name="password" /></p>
    <p><input type="submit" value="Submit" name="Submit" /></p>
    </form>

</td>
</tr>
</table>
';
}
}
else{
header("Location: ./index.php?usercp");
exit; // stop here so nothing below runs after the redirect
}
?>


First:

$section.=' - New Applications';

$content.='

 

The .= adds to a string that is already defined. You have not defined either and from what I see you don't need to; just change the .= to =

 

I think your problem is in the main logic:

if($cadmin2=="4" || $cadmin2=="3"  && isset($_SESSION['mypassword3']) && $_SESSION['mypassword3']==$_SESSION['mypassword2'])

 

If you set $cadmin2=="4" it will work, even if $_SESSION['mypassword3'] is set or unset. If you set $cadmin2=="3" it won't work because your logic needs to have $_SESSION['mypassword3'] set. Is this what you want? mypassword3 and mypassword2 can be anything; it doesn't use it.

So in English what is the logic you need here?

I need people to have access to the page when they are either $cadmin=4 or $cadmin=3 and mypassword3 is set and mypassword3 = mypassword2

 

So User A = $cadmin=4 and mypassword3 = mypassword2 would work

 

User B = $cadmin=3 and mypassword3 = mypassword2 would work

 

User C = $cadmin=2 would not work.

 

Or when mypassword3 isn't set or doesn't equal mypassword2.

 

 

Had to change it to this:

 

if($cadmin2=="4" && isset($_SESSION['mypassword3']) && $_SESSION['mypassword3']==$_SESSION['mypassword2'] || $cadmin2=="3" && isset($_SESSION['mypassword3']) && $_SESSION['mypassword3']==$_SESSION['mypassword2']){

 

Seems pointless that I essentially had to double the length of the if statement conditional.
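
The precedence behaviour this thread turns on, as an added example that is not any poster's code: `&&` binds tighter than `||` in PHP, so the first condition lets role 4 through without the re-authentication check, while grouping the role test keeps the condition short. The function names and session values are constructed for illustration, and the use of `in_array()` and `hash_equals()` goes beyond what the thread settled on.

```php
<?php
// Added example. Function names are hypothetical; the session keys mirror
// the ones used in the posts above.

// Condition as first posted. PHP parses it as:
//   role == 4 || (role == 3 && isset(mypassword3) && mypassword3 == mypassword2)
function gate_as_posted(array $s): bool {
    $cadmin2 = $s['admin_check'] ?? null;
    return $cadmin2 == "4" || $cadmin2 == "3" && isset($s['mypassword3'])
        && $s['mypassword3'] == $s['mypassword2'];
}

// Role test grouped first, then the re-authentication test applied to
// every admin role. Same outcome as the doubled condition, written once.
function gate_grouped(array $s): bool {
    $role = (string)($s['admin_check'] ?? '');
    return in_array($role, ['3', '4'], true)
        && isset($s['mypassword3'], $s['mypassword2'])
        && hash_equals((string)$s['mypassword2'], (string)$s['mypassword3']);
}

// Constructed session states; 'h1' and 'h2' are placeholders, not real hashes.
$cases = [
    'role 4, re-auth done'  => ['admin_check' => '4', 'mypassword2' => 'h1', 'mypassword3' => 'h1'],
    'role 4, no re-auth'    => ['admin_check' => '4', 'mypassword2' => 'h1'],
    'role 3, re-auth done'  => ['admin_check' => '3', 'mypassword2' => 'h1', 'mypassword3' => 'h1'],
    'role 3, no re-auth'    => ['admin_check' => '3', 'mypassword2' => 'h1'],
    'role 3, wrong re-auth' => ['admin_check' => '3', 'mypassword2' => 'h1', 'mypassword3' => 'h2'],
    'role 2, re-auth done'  => ['admin_check' => '2', 'mypassword2' => 'h1', 'mypassword3' => 'h1'],
];

// The two gates disagree only on "role 4, no re-auth": that row is the
// page being shown to an admin who never re-typed the password.
foreach ($cases as $label => $session) {
    printf("%-22s posted=%-5s grouped=%s\n",
        $label,
        var_export(gate_as_posted($session), true),
        var_export(gate_grouped($session), true));
}
```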
