SELECT rank FROM members WHERE? - php

I have written an SQL query and a $_SESSION cookie called "username" basically what I am trying to do is query the database for the "logged in" users rank that is contained in the "rank" column in the "members" table of my database.
Here is my header code to check that they are actually logged in (otherwise it redirects them to the login page)
session_start();
if (!isset($_SESSION['username'])) {
header("location:login/main_login.php");
}
AND Here is what I have so far for my query but I have absolutely no clue how to proceed in only selecting the user that is logged in. Note: I am aware that the query is not completed
$result = $conn->query("SELECT rank FROM members WHERE ");
$userrank = $result->fetchAll(PDO::FETCH_OBJ);
I've also set a variable for MyRank so that I can check the users rank to display specific content. (Not sure if that really matters in terms of my query but hopefully you get the idea.)
$MyRank = $userrank[1]->rank;
EDIT: additional information.
So basically I am trying to display content based on what the users rank is in my database. IE) if they are an administrator I want to show specific html. If they are a user I want to show a different set of html. How I'm doing it currently (that isn't working) is by a php if statement like so:
if ($MyRank == "Administrator"){
echo adminpanel();
}else if ($MyRank == "User") {
echo userpanel();
}
Basically the problem I'm having is that my User or Admin panels wont display unless ALL the users in my database are "Administrator" or "User". If there is an Administrator and a User in that table it will show nothing at all.

Based on guesses:
$authUser = $_SESSION['username']; // get the logged in user from session, guess this is the username
$result = $conn->query("SELECT rank FROM members WHERE username='$authUser';");
// if its userid then userid=$authUser without single quotes
$userrank = $result->fetchAll(PDO::FETCH_OBJ);

Related

How to check if an user is an admin SECURE

I made a login function with bruteforce protection, different bot protection functions like honeypot.., input filtering, Argon2 encrypted password.
But in the end to identify the user i save the id inside a session after a successful login.
With this id until now i checked if the column "admin" has the value 1 or 0.
If this value is 1 the user can do everything.
How i could improve the security ?
How else i could check if a user is an admin ?
You should do as I will direct you
As long as you have user id in act so it's half of the way
I will assume that you have function.php which have all the functions you use in website
Also you have login function that check user account details and give access
You now need to improve that to restrict user access
First:
Create table in MySQL call it group this table will have two records or as you like so. Admin will have id 1 and members id 2 then you can make much modifications like make another column in that table called upload and set admin to yes while members to no
Second in your login function use the following
$res = mysql_query("SELECT * FROM users INNER JOIN group ON users.class=group.group_id WHERE users.enabled='yes' AND users.status = 'confirmed'") or die(mysql_error());
$row = mysql_fetch_array($res);
Users.class is the group id and users is the table users
Now you can check group credits as example if on upload page you do the following
if($row["can_upload"]=="no")
echo("admin only can upload ");
You can check credentials on group as you need also you can make much classes like admin , members, uploders, reviewers,authors and give every class special permissions as website content is viewed
On admin.php you can use
if($row["admin"]=="no")
ech("admin only can view this page ");
In both examples above Admin and can_upload is colum in group table and it's changed by user class .

MySql select statement with echo variable

I have mysql database with two tables. The primary table contains the user login details and the secondary table contains user activities. The tables are linked by the account numbers.
I have created registration page and sign in page where users register and login. Users are displayed with a home page with two buttons.
When users clicked on the button, it is supposed to run a query based on the user login credentials. The query looks like this:
$result = mysql_query("select mydate, preamount, currentdeposit,
debit, currentinterest, totalamount, status from NormalAccount where
acctnumber = '$actno'n ORDER BY mydate DESC LIMIT 5");
Because I need to filter based on the user account number, I have design a form where they will need to enter their account number again. This makes the whole process looks like double work and users are complaining about the whole process of entering information twice.
WHAT I WANT:
How do I write the query such that the query will populate the user credentials automatically so that they need not to enter their account number again before viewing their account details?
I have a session on the pages already that enables me to pull and display the user details on the page using echo such as echo acctname where it display the account name of the user in any part of the page.
I used the php with echo below to automatically display a welcome message to the users using the account name automatically. How to I integrate this code below
<?php echo $userRow['acctname']; ?>
into the WHERE clause in the main query so that it automatically populate the account name for the users so that it will filter the record based on their acctname?
I have a session on each page with this code:
<?php
ob_start();
session_start();
require_once 'dbconnect.php';
if( !isset($_SESSION['user']) ) {
header("Location: index.php");
exit;
}
$res=mysql_query("SELECT * FROM userss WHERE userId=".$_SESSION['user']);
$userRow=mysql_fetch_array($res);
?>
Thanks.
Zollyzo
I'm not entirely sure that I understand the problem, but the first time that you ask for the account number, you could store it in the $_SESSION variable the first time you receive it from the user. Then, you could just retrieve it later, even if it's on a different page.
<?php
session_start();
...
//you get the account number somehow in $actno
$_SESSION['acctNr'] = $actno
...
//later in your code, or on another page that has had session_start() run
$actno = $_SESSION['acctNr']
//use it as you would before.
If the user has logged in successfully, save their account number (and maybe other details) in a session variable. You can use that session variable for your succeeding queries so you don't need to ask the users to enter their account number again.
Basic usage: https://www.w3schools.com/php/php_sessions.asp

Deleting user posts, restrict delete to author of post

So right now, I've got a working PHP script that can delete posts from my network. But right now, everyone is able to delete everyones posts if they are logged in. I want restrict this to the authors of the posts, so they are only able to delete their own posts. How can I do this?
This is how my delete.php it looks like:
<?php
session_start();
if (empty($_SESSION['user_id'])) {
header('Location: index.php');
exit;
}
$user_id = $_SESSION['user_id'];
include "connect.php";
if(isset($_GET['id'], $user_id))
{
mysqli_query($GLOBALS["___mysqli_ston"], "DELETE FROM posts WHERE id=".$_GET['id']);
mysqli_query($GLOBALS["___mysqli_ston"], "UPDATE users SET posts = posts - 1 WHERE id='$user_id' ");
header("location: index.php");
}
mysqli_connect();
?>
In the main page where the posts are being displayed, the button is displayed like this:
Delete
It finds the postid itself. I have two tables, users and posts. Both has the column user_id, so the post table does get same user_id as in users_id.
First, your code is not safe!
Keep in mind that everyone can mess with your system when not escaping user input! You should read more about here
As you are checking already by the session if the deleting user is logged in, you now have to fetch the data from the deleting post (look for the post with the given post id in $_GET['id'] (ESCAPE IT!!!)) in table "posts". As you said, your table "posts" contains the field "user_id" and if you get this value you can simply compare it by the id given by $_SESSION["user_id"]

Get logged in memberID from database

I have two tables (blog_members and blog_posts) which are related 1 to many, 1 member to many posts. Therefore, in order to be able to relate the two I had to make one field in blog_posts named memberID and set up the relation between this field and the one from blog_members.
Now, I'm trying to make a script to add posts into the database. The thing is, now I have the field memberID in blog_posts which needs to be the same with the one from blog_members in order to be related. So, I'm trying to get the current logged in memberID from the blog_members so I can introduce it into the blog_posts.
I know this can be done with an input where you can type your ID but it doesn't feel right, I want this to be in the back, not to be seen.
Short story:
$memberID = get current logged in memberID from blog_members;
//insert into database
$sql="INSERT INTO blog_posts (memberID, postTitle,postDesc,postCont,postDate) VALUES('$memberID',$postTitle','$postDesc','$postCont','$postDate')";
$result=mysqli_query($link,$sql);
if($result){
echo '<p>Added successfully!</p>';
}else {
echo "Error: ".$sql."<br>".mysqli_error($link);
}
Normally you would store the ID of the logged in user in a session:
$_SESSION['login_userid'] = // THE USER ID OBTAINED FROM LOGIN
Now it will be stored in the browser as $_SESSION['login_userid'] and you can just put this to the top of your code:
$memberID = $_SESSION['login_userid'];
On every page where you use sessions you must run session_start() before the first line of HTML code. If you are not sure how to create your own login system, have a look at this tutorial.
Note: memberID is not unique in the blog_posts table, as one user can create many posts. You should probably create a primary key blogpostID as well.

Move details from one table to another one when confirmation is done [sql]

I'v got a registeration code which inserts user details into the table that I chose.
The problem is that I added a "confirm code" to the user, so every account is needed to verify his user through his mail. After the confirmation is done, the Column "confirmation" changes to "confirmed". If the user does not verify his account, the confirm code will stay in the "confirmation" Column.
The problem is that I made a table in html, which uses the DB in order to show the active users.
I don't want that the not-confirmed users will appear in the tbale, so I tried to add some conditions:
$cu = mysql_query("SELECT * FROM `users` where uname='$uname' && confirmation='confirmed'");
$cu = mysql_fetch_array($cu);
and another one :
$select2 = mysql_query("SELECT * FROM `users` WHERE uname='$uname' && confirmation='confirmed'");
It's working.. but only half way. I mean, when the not-confirmed user tries to log in, it shows him a blank page. It's ok, cuz I don't want the non-confirmed users will log in.
But... the confirmed users still see the not-cofirmed users in the active users table..
It's like the table doesn't even checks if the user is confirmed or not, it's just shows him either way.
So I thought about a way in which users will move to another table, called "hold", which will consist of all the non-confirmed users. Then, every user who will verify his account, the sql will recognize it and when the confirmation columm is changed to "confirmed", it's going to move the user to the "users" table, so his name will appear in the active user table.
How can I do it? How can I "make" the sql table to auto recongize if the user is confirmed or not, and move him to another table..
or.. if is there any way to "hide" the not-confirmed users from the active users table, it's also fine.
Thanks alot :)
Basically either you need to setup a cron which check if the user is not confirmed then move to hold tabe or write a trigger in mysql whenever any user got confirmed.
You can get the last result and insert after the last result.
See this example:
$sql = mysql_query("
INSERT INTO tabel_name(col1, col2,col3) values('foo','bar','some');
INSERT INTO table_name2(col,col2) SELECT col2,col3 FROM tabel_name
ORDER BY id DESC LIMIT 1;
");

Categories