Users Falsely Banned?

[Zoey]

Okay, so on my site, I'm having trouble with users being falsely banned.  I have userlevels set up so that 10 is user and anything below that is banned, frozen, etc.  So on my page where users can add new pets (it's a Neopets.com fansite, for anyone particularily interested) to the database, I've got this code:

[code]   if($new_pet && userlevel() > 9)
  {
    if (array_key_exists("username",$_SESSION)) $owner=$_SESSION["username"];
    if (array_key_exists("userid",$_SESSION)) $ownerid=$_SESSION["userid"];
    if($today = getdate()) { $curdate = $today[year]."-".$today[mon]."-".$today[mday]." ".$today[hours].":".$today[minutes].":".$today[seconds]; }
    $result=mysql_query("INSERT INTO pet (petname,ownername,owner_id,link_url,color,species,status,submitdate,sex) VALUES ('$new_pet','$owner','$ownerid','$owner_url','$color','$species','$status','$curdate','$sex');");
    if($result)
    {
       print("\n<p><b><i>Pet $new_pet added.  Please note, you will not see your pet in the database immediately.  An admin will need to verify your pet before it is added.</i></b></p>\n");
    }
    else
    {
       print("\n<p><b><i>Add FAILED for pet $new_pet <br><br>Please check that your pet is not in the adopted<br>section before contacting a FAERIE FEEPIT admin.</i></b></p>\n");
    }
  }

else if (userlevel() <= 9) {
print ("<center>You cannot add pets after being banned from the database.");
print ("</div><div id=\"rightcontent\">");
print_right_loginbar();
print ("</div></body>");
print ("</html></center>");
exit;
}
?>

The rest of the page coded here.[/code]

So when some users are logging in while their userlevels are 10, they are finding that they have been 'banned' from the site (are getting that banned message).  However, when I log into their accounts, I am able to add pets and not get that banned message.  I have no clue why the same accounts would be banned for them and not for me.. and why users with userlevels of 10 would even ever get that error message.  I've been at this for a month, so really, any insight you can give me would be MUCHLY appriciated. Thanks.

[printf]

Where is [b]$new_pet[/b] being set? What is the userlevel() function, and what does it return?

[Zoey]

Variables are being set:

[code]<form method="POST" action="add_pet.php">
<table><tbody>
  <tr><td>Pet name:</td><td><input type="text" name="new_pet" size="50"></td></tr>
  <tr><td>Contact name:</td><td>
<?php if (array_key_exists("username",$_SESSION)) print $_SESSION["username"];
                      else print("<a href=\"user_login.php\">Log in first.</a>"); ?></td></tr>
  <tr><td>Rules Page URL:</td><td><input type="text" name="owner_url" size="50"> </td></tr>
  <tr><td>Color:</td><td><?php my_build_adv_listbox("neopets", "color", "id", "description",""); ?> </td></tr>
  <tr><td>Species:</td><td><?php my_build_adv_listbox("neopets", "species", "id", "description",""); ?> </td></tr>
  <tr><td>Sex:</td><td><?php my_build_adv_listbox("neopets", "sex", "id", "description","1"); ?> </td></tr>
  <tr><td><input type="hidden" name="status" value="8"></td></tr>
  <tr><td colspan=2 align=center><?php if (array_key_exists("username",$_SESSION)) print("<input type=\"submit\" name=\"Submit\" value=\"Add pet\">"); ?> </td></tr>
</tbody></table>
</form>
[/code]


Userlevel function: (it returns the userlevel for the user accessing the page)

[code]function userlevel() {
GLOBAL $_SESSION;
if(array_key_exists("adminflags",$_SESSION)) {
return $_SESSION["adminflags"];
}
else {return 0;};
}[/code]

[trq]

More than likely you have register globals disabled (as you should). Try...

[code=php:0]
if($_POST['new_pet'] && userlevel() > 9)
[/code]

Also, remove this line from userlevel(). $_SESSION is a superglobal.

[code=php:0]
GLOBAL $_SESSION;
[/code]

[Zoey]

Tried both.  No change.

[trq]

Are there more expressions to be valuated? I just don't see the point in an [i]if elseif[/i], with only two possible variants you should be using an [i]if else[/i].

[Zoey]

If a new pet is being added, it does the first thing, else if the person is banned it does the second thing, otherwise it just goes onto the rest of the page.  The second one is not an else because users may not be adding pets and may not be banned but still should be able to access the rest of the page.

[Zoey]

But its not an else.  The second clause should only happen under a specific set of circumstances, that are not the opposite of the circumstances called by the first if.

[trq]

Yeah sorry, I see the logic clearer now. Still, i f I where you, I'de try to put the logic a little differently. test to see if the user wants to add new pets, then if they do, check if there not banned. eg;

[code=php:0]
if (isset($_POST['new_pet'])) {
  // user has filled in the new_pet field.
  if (user_level() > 9) {
    // user permitted.
  } else {
    // user banned.
  }
}
[/code]

Sorry. I hit a wrong button and deleted my previous reply.

[Jenk]

A simpler solution is to not ban users without human action, just deny them access. The two are not the same.

[Zoey]

thorpe - I tried that and it still didn't work.

Jenk - how do you mean?

[Zoey]

*bump*?