[Hiyall]

Hey all!
I am currently working on a cms system with a ranking system, so what I have to make is something that can verify what user is logged in.
Let's say that my db goes like this:

name | rank|
Brian| 1 |
Alex | 2 |

So I want everyone with rank = 1 to see this:
Hallo, you're rank 1!
and everyone with rank = 2 to see this:
Hallo, you're not rank 1!

So far I have made this code:

// Connects to your Database 
require_once('connectvars2.php');

 $get = mysql_query("SELECT * FROM login WHERE name = '$name'");
 while ($row = mysql_fetch_assoc($get))
{
   $rank = $row['rank'];
}

  if ($_SESSION['rank']=="1") {
 echo 'You are rank 1!';
 }

This post does not really give me anything except that it doesn't post out that I'm rank 1.
Even though I am logged in with a name with rank 1.

Any ideas what can be the problem?
Thanks in advance!

[CTphpnwb]

First, do not use deprecated mysql functions. Here's a great PDO tutorial.

Now for your question. I'd treat the user as an object:

<?php
class myuser {
	protected $rank;
	protected $loggedin;
	
	function __construct() {
		$this->rank = 0; // 
		$this->loggedin = false;
	}

	function login() {
		// code to determine who the user is and set their rank accordingly
	}
	
	function get_rank() {
		return $this->rank;
	}

	function is_logged_in() {
		return $this->loggedin;
	}

}

session_start();
if(isset($_SESSION['myuser'])) {
	$theuser = $_SESSION['myuser'];
} else {
	$theuser = new myuser();
}


if($theuser->is_logged_in()) {
	show_page($theuser->get_rank());
} else {
	show_page("login");
}

funciont show_page($page) {
	switch($page) {
		case 1:
			require "page1.php";
		break;
		case 2:
			require "page2.php";
		break;
		default:
			require "login.php";
		break;
	}
}

This post has been edited by CTphpnwb: 05 October 2012 - 04:28 PM

[CTphpnwb]

Oh, and session variables have nothing to do with databases. It appears that your session variable is never set.

[Hiyall]

Thanks for the fast answer.
Is it really nessesary to include so much code for such a simple thing?
I was thinking something very simple like:
1. getting the information from the database, and check what the users value inside the "column" is.
2. If the users rank is <3 (Show this content) else don't.

If you get me?
The information stored in the rank column in the database is set when the user gets registered

Thanks again!

[CTphpnwb]

Yes, that part would go in login() method for myuser. I'm trying to show you how to organize things so that you don't have problems when your simple site grows. Let's face it, the site will grow or die, but it won't remain that simple.

[Hiyall]

Ah yeah, but this is a part of a small cms system that wont be out public but that i am gonna use when i get any customers on my website. I make website for private people or small companies in Denmark. This seem very useful to me in the future, ill make sure to bookmark this. But right now, i dont think I have enough experience to make this work. I don't really understand it ;( I've read the link though and its a great guide. But i should stick to something more simple in the beginning .
Thanks for showing me this, I'm sure gonna use it someday
but for now, its too complicated

[Hiyall]

Okay I think I fixed it on my noobie way:

// Connects to your Database 
require_once('connectvars2.php');

$email = $_SESSION['email'];

 $get = mysql_query("SELECT * FROM login WHERE email = '$email'");
 while ($row = mysql_fetch_assoc($get))
{
   $rank = $row['rank'];
}

  if ($rank == 1) {
 echo 'You are rank 1! You can now see this!';
}

This may not be the most efficient way, the most secure way or anything but it will work for now.
Thank you very much CTphpnwb.

I will use your way whenever I need to make another big site with logins and ranks

[CTphpnwb]

I hope your site is on an intranet that is closely monitored. If not then it's just a matter of time before it's defaced.

[Hiyall]

You wont be able to get anywhere near this code unless you have a login.
The login can only be created if you have a user already which the master of the website will have.
If he chooses to employ people to his company, he can register their accounts too with a rank that determines what they are allowed to do on the cms system. I don't think any employee would screw this up.

[Jstall]

Hi,

Couple of suggestions. First, why are you selecting everything from the database when you are only looking for one field? Querying for data that you will never use is just unnecessary overhead, you should try to get in the habit of only fetching what you need.

Second why are you using a while loop when your query is only returning one record?

[JackOfAllTrades]

Hiyall, on 06 October 2012 - 09:13 AM, said:

You wont be able to get anywhere near this code unless you have a login.
The login can only be created if you have a user already which the master of the website will have.
If he chooses to employ people to his company, he can register their accounts too with a rank that determines what they are allowed to do on the cms system. I don't think any employee would screw this up.

Perhaps you should spend some time searching Google for "SQL Injection".

[Hiyall]

Yeah but how will you perform an sql injection without a "form"? Like don't you have to write code inside the form in order to make an sql injection?
This is all about who can see what rank etc. But maybe you can use other forms for that or what?

[CTphpnwb]

You don't need to use the same html to attack a site. Once you see where a form's action is and what html variables are being sent you can use your own form. Even better, you can set up cURL to run through a series of attacks until one works. In fact, many attacks are automated.