Foser Posted June 28, 2007 Share Posted June 28, 2007 <?php session_start(); if ($_SESSION['LOGGEDIN'] == !TRUE){ echo "You must be logged in to view this page. You can login <a href=\"index.php\">here</a>"; exit; } //Logout Button if (isset($_POST['logout'])){ session_destroy(); header("Location: index.php");} ?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>Registration Form</title> <style type="text/css"> <!-- body,td,th { color: #000000; font-family: Verdana, Arial, Helvetica, sans-serif; } body { background-color: #CCCCCC; } a:link { color: #000000; } a:visited { color: #000000; } .style4 { font-size: 10px } --> </style> <table width="128" height="145" border="1" align="center" cellpadding="0" cellspacing="0" bordercolor="#000000" bgcolor="#666666"> <tr> <th width="198" scope="col">Control Panel</th> </tr> <tr> <td height="20"><form id="form1" name="form1" method="post" action="<?PHP echo $_SERVER['PHP_SELF']; ?>"> <label> <div align="center"> <input type="submit" name="logout" id="logout" value="logout" /> </div> <div align="center"></div> <div align="center"></div> </form> </td> </tr> <tr> <td height="20"> </td> </tr> <tr> <td height="20"> </td> </tr> <tr> <td height="63"> </td> </tr> </table> <p align="center"><?php //Admin panel $admin = $_SESSION['RIGHTS']; if ($admin == admin){ echo "<a href=\"admin/main.php\" class=\"style4\">Admin Control Panel</a></p>";} ?> this is my account script. and even though the $_SESSION['rights'] does not == admin it echos the link. could anyone help? this is my login script: <?php session_start(); if ($_SESSION['LOGGEDIN']){ header("Location: account.php");} ?> CSS DATA </head> <body> <form id="form1" name="form1" method="post" action="<?php echo $_SERVER['PHP_SELF'] ?>"> <label></label> <table width="202" border="1" align="center" cellpadding="0" cellspacing="0" bordercolor="#000000" bgcolor="#666666"> <tr> <th width="198" scope="col">Login System</th> </tr> <tr> <td height="63">Username: <input name="username" type="text" id="username" size="33" /> Password:<br /> <label> <input name="password" type="password" id="password" size="33" /> <input name="submit" type="submit" id="submit" value="Submit" /> <a href="register.php">Register here!</a></label></td> </tr> </table> <div align="center"> </div> </form> <div align="center"> <?php require("config.php"); if (isset($_POST['submit'])){ $user = mysql_real_escape_string($_POST['username']); $pw = md5(sha1(md5(md5($_POST['password'])))); $result = mysql_query("SELECT * FROM user_info WHERE username = '$user' and password = '$pw'"); if (mysql_num_rows($result) > 0) { $rights = mysql_query("SELECT rights FROM user_info WHERE username = '$user'"); $_SESSION['RIGHTS'] = $rights; $_SESSION['LOGGEDIN'] = TRUE; $_SESSION['UNAME'] = $user; if ($_SESSION['LOGGEDIN']){ header("Location: account.php");exit;}} else{ echo "You have typed in an incorrect password or/and username."; }} ?> Quote Link to comment Share on other sites More sharing options...
phpknight Posted June 28, 2007 Share Posted June 28, 2007 You probably should do a string compare and put double quotes around admin. Or, if you mean a variable, you need a $. That plain admin looks suspect. Quote Link to comment Share on other sites More sharing options...
JasonLewis Posted June 28, 2007 Share Posted June 28, 2007 just a note for you... getting the variable $rights like this: $rights = mysql_query("SELECT rights FROM user_info WHERE username = '$user'"); will return a mysql resource #. try running it like this instead: $rights = mysql_result(mysql_query("SELECT rights FROM user_info WHERE username = '$user'"),0); Quote Link to comment Share on other sites More sharing options...
Foser Posted June 28, 2007 Author Share Posted June 28, 2007 Still does not work. I changed admin to user which is the only other variable when you register and executes if you are an admin user. I also tried if ($_SESSION['RIGHTS'] != user and still does not work! Quote Link to comment Share on other sites More sharing options...
Foser Posted June 28, 2007 Author Share Posted June 28, 2007 just a note for you... getting the variable $rights like this: $rights = mysql_query("SELECT rights FROM user_info WHERE username = '$user'"); will return a mysql resource #. try running it like this instead: $rights = mysql_result(mysql_query("SELECT rights FROM user_info WHERE username = '$user'"),0); why the ,0); what does that mean? Quote Link to comment Share on other sites More sharing options...
Foser Posted June 28, 2007 Author Share Posted June 28, 2007 alright it works, although still comfused about the 0,) Quote Link to comment Share on other sites More sharing options...
HuggieBear Posted June 28, 2007 Share Posted June 28, 2007 '0' is the column offset, if it's confusing then the following would be better... <?php if (isset($_POST['submit'])){ $user = mysql_real_escape_string($_POST['username']); $pw = md5(sha1(md5(md5($_POST['password'])))); $sql = "SELECT * FROM user_info WHERE username = '$user' AND password = '$pw'"; $result = mysql_query($sql); if (mysql_num_rows($result) == 1){ $row = mysql_fetch_array($result, MYSQL_ASSOC); $_SESSION['RIGHTS'] = $row['rights']; $_SESSION['LOGGEDIN'] = TRUE; $_SESSION['UNAME'] = $user; if ($_SESSION['LOGGEDIN']){ header("Location: account.php"); exit; } else { echo "You have typed in an incorrect password or/and username."; } } Regards Huggie Quote Link to comment Share on other sites More sharing options...
Illusion Posted June 28, 2007 Share Posted June 28, 2007 if ($_SESSION['LOGGEDIN']){ $_SESSION['UNAME'] = $user; $_SESSION['RIGHTS'] = $row['rights']; header("Location: account.php"); exit; good practice, isn't it? Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.