Foser Posted June 28, 2007

```php
<?php
session_start();
if ($_SESSION['LOGGEDIN'] == !TRUE){
    echo "You must be logged in to view this page. You can login <a href=\"index.php\">here</a>";
    exit;
}
//Logout Button
if (isset($_POST['logout'])){
    session_destroy();
    header("Location: index.php");}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Registration Form</title>
<style type="text/css">
<!--
body,td,th { color: #000000; font-family: Verdana, Arial, Helvetica, sans-serif; }
body { background-color: #CCCCCC; }
a:link { color: #000000; }
a:visited { color: #000000; }
.style4 { font-size: 10px }
-->
</style>
<table width="128" height="145" border="1" align="center" cellpadding="0" cellspacing="0" bordercolor="#000000" bgcolor="#666666">
  <tr>
    <th width="198" scope="col">Control Panel</th>
  </tr>
  <tr>
    <td height="20"><form id="form1" name="form1" method="post" action="<?PHP echo $_SERVER['PHP_SELF']; ?>">
      <label>
      <div align="center">
        <input type="submit" name="logout" id="logout" value="logout" />
      </div>
      <div align="center"></div>
      <div align="center"></div>
    </form>
    </td>
  </tr>
  <tr>
    <td height="20"> </td>
  </tr>
  <tr>
    <td height="20"> </td>
  </tr>
  <tr>
    <td height="63"> </td>
  </tr>
</table>
<p align="center"><?php
//Admin panel
$admin = $_SESSION['RIGHTS'];
if ($admin == admin){
    echo "<a href=\"admin/main.php\" class=\"style4\">Admin Control Panel</a></p>";}
?>
```

This is my account script. Even though the $_SESSION['rights'] does not == admin, it echoes the link. Could anyone help?
This is my login script:

```php
<?php
session_start();
if ($_SESSION['LOGGEDIN']){
    header("Location: account.php");}
?>
CSS DATA
</head>
<body>
<form id="form1" name="form1" method="post" action="<?php echo $_SERVER['PHP_SELF'] ?>">
  <label></label>
  <table width="202" border="1" align="center" cellpadding="0" cellspacing="0" bordercolor="#000000" bgcolor="#666666">
    <tr>
      <th width="198" scope="col">Login System</th>
    </tr>
    <tr>
      <td height="63">Username:
        <input name="username" type="text" id="username" size="33" />
        Password:<br />
        <label>
        <input name="password" type="password" id="password" size="33" />
        <input name="submit" type="submit" id="submit" value="Submit" />
        <a href="register.php">Register here!</a></label></td>
    </tr>
  </table>
  <div align="center"> </div>
</form>
<div align="center">
<?php
require("config.php");
if (isset($_POST['submit'])){
    $user = mysql_real_escape_string($_POST['username']);
    $pw = md5(sha1(md5(md5($_POST['password']))));
    $result = mysql_query("SELECT * FROM user_info WHERE username = '$user' and password = '$pw'");
    if (mysql_num_rows($result) > 0) {
        $rights = mysql_query("SELECT rights FROM user_info WHERE username = '$user'");
        $_SESSION['RIGHTS'] = $rights;
        $_SESSION['LOGGEDIN'] = TRUE;
        $_SESSION['UNAME'] = $user;
        if ($_SESSION['LOGGEDIN']){
            header("Location: account.php");exit;}}
    else{
        echo "You have typed in an incorrect password or/and username.";
    }}
?>
```
phpknight Posted June 28, 2007

You probably should do a string compare and put double quotes around admin. Or, if you mean a variable, you need a $. That plain admin looks suspect.
JasonLewis Posted June 28, 2007

just a note for you... getting the variable $rights like this:

```php
$rights = mysql_query("SELECT rights FROM user_info WHERE username = '$user'");
```

will return a mysql resource #. try running it like this instead:

```php
$rights = mysql_result(mysql_query("SELECT rights FROM user_info WHERE username = '$user'"),0);
```
Foser Posted June 28, 2007

Still does not work. I changed admin to user which is the only other variable when you register and executes if you are an admin user. I also tried if ($_SESSION['RIGHTS'] != user and still does not work!
Foser Posted June 28, 2007

> just a note for you... getting the variable $rights like this:
> $rights = mysql_query("SELECT rights FROM user_info WHERE username = '$user'");
> will return a mysql resource #. try running it like this instead:
> $rights = mysql_result(mysql_query("SELECT rights FROM user_info WHERE username = '$user'"),0);

why the ,0); what does that mean?
Foser Posted June 28, 2007

Alright, it works, although still confused about the 0,)
HuggieBear Posted June 28, 2007

'0' is the column offset, if it's confusing then the following would be better...

```php
<?php
if (isset($_POST['submit'])){
    $user = mysql_real_escape_string($_POST['username']);
    $pw = md5(sha1(md5(md5($_POST['password']))));
    $sql = "SELECT * FROM user_info WHERE username = '$user' AND password = '$pw'";
    $result = mysql_query($sql);
    if (mysql_num_rows($result) == 1){
        // Fetch the matching row as an associative array keyed by column name
        $row = mysql_fetch_array($result, MYSQL_ASSOC);
        $_SESSION['RIGHTS'] = $row['rights'];
        $_SESSION['LOGGEDIN'] = TRUE;
        $_SESSION['UNAME'] = $user;
        if ($_SESSION['LOGGEDIN']){
            header("Location: account.php");
            exit;
        }
    } else {
        // No matching row: the credentials were wrong
        echo "You have typed in an incorrect password or/and username.";
    }
}
?>
```

Regards
Huggie
Illusion Posted June 28, 2007

```php
if ($_SESSION['LOGGEDIN']){
    $_SESSION['UNAME'] = $user;
    $_SESSION['RIGHTS'] = $row['rights'];
    header("Location: account.php");
    exit;
}
```

good practice, isn't it?
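Added example, not part of any post in this thread: the login and admin check discussed above, written so the session holds the rights column's string value and the check uses a strict comparison against a quoted string, which a non-string value such as 0 cannot pass (before PHP 8, `0 == "admin"` evaluates to true). Assumptions: an in-memory SQLite table via PDO stands in for the MySQL `user_info` table, `password_hash()`/`password_verify()` replace the thread's md5/sha1 chain, a plain array stands in for `$_SESSION` so the script runs from the command line, and `login()`, `is_admin()` and the sample users are hypothetical.

```php
<?php
// Constructed demo data: an in-memory SQLite table standing in for user_info.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user_info (username TEXT PRIMARY KEY, password TEXT, rights TEXT)');
$ins = $db->prepare('INSERT INTO user_info VALUES (?, ?, ?)');
$ins->execute(['alice', password_hash('alice-pw', PASSWORD_DEFAULT), 'admin']);
$ins->execute(['bob',   password_hash('bob-pw',   PASSWORD_DEFAULT), 'user']);

// Hypothetical helper: returns the session fields for a valid login, or null.
function login(PDO $db, string $username, string $password): ?array
{
    // Bound parameter instead of interpolating the username into the SQL string.
    $stmt = $db->prepare('SELECT password, rights FROM user_info WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);   // a row array, or false when nothing matched
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    // Store the column value itself (a string), never the query handle.
    return ['LOGGEDIN' => true, 'UNAME' => $username, 'RIGHTS' => (string) $row['rights']];
}

// Hypothetical helper: strict comparison against a quoted string literal.
function is_admin(array $session): bool
{
    return isset($session['RIGHTS']) && $session['RIGHTS'] === 'admin';
}

$cases = [
    'alice (admin)'       => login($db, 'alice', 'alice-pw'),
    'bob (user)'          => login($db, 'bob', 'bob-pw'),
    'bob, wrong password' => login($db, 'bob', 'nope'),
    // Constructed sessions holding non-string values, as a mis-stored query result would.
    'RIGHTS is integer 0' => ['LOGGEDIN' => true, 'RIGHTS' => 0],
    'RIGHTS is true'      => ['LOGGEDIN' => true, 'RIGHTS' => true],
];
foreach ($cases as $label => $session) {
    $shown = $session !== null && is_admin($session);
    printf("%-22s admin link shown: %s\n", $label, $shown ? 'yes' : 'no');
}
```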