in my database i have the table called users, where i have 5 fields (id, username, email, password, user_level) - for the user_level field i have 2 options administrator and editor.
What i want to do is that when the user who is logged in have administrator in the user_level field to see all the pages from backend, and the user who have in the user_level field editor to see only some of the pages from the backend such as newsletter, or messages.
I hope you understand what i'm asking if not fell free to ask me if you need more specific details.
I tried to make a php page called access.php wher i put the following code, but not working
<?php
session_start();
$sql = $mysqli->query("SELECT user_level FROM imobiliare_users WHERE id=$id");
$user_level = $mysqli->query($sql);
echo $user_level;
if ($user_level !="administrator") {
echo "You are not the proper user type to view this page";
die();
}
?>
I need a little help. Thx in advance for helping me. :)
IN your sql, add a new column called useraccess. Then you could do,
$sql = "select user_access from imobiliare_users where email = '$email'";
$sql = mysql_fetch_array(mysql_query($sql));
if ($sql['user_access'] != 'user_level2') {
// show error about not having authorisation
}
else
{
// login/process script
}
Related
I am working on a small community page where users will be able to post news, pictures, and comment on them. The problem where I am stuck is, whenever a user posts an entry, I want of course the username to be displayed next to the entry.
I am working with multiple tables here, one that stores the user info, and some that store the entry info (news, comments, pictures).
Now whenever a user posts something, I want to get his user ID out of the table USER, so that I can INSERT a new line INTO my table (in this case) NEWS, which wants the values Text, Title and U_ID as foreign key.
I am working with sessions, and since I had no problem simply displaying the name of the login user, I tried to use that user to select "his" row from the table and put the result into a variable ($uid) which I was hoping to use in another query for the INSERT INTO. However, according to the error message I get, something is wrong with my first query. Can anyone help?
<?php
include("dbconnect.php");
session_start();
if (isset($_SESSION['user'])) {
$user = $_SESSION['user'];
$sqluser = "SELECT FROM USER USER_ID
WHERE Name = '$user'";
$userresult = $conn->query($sqluser) or die($conn->error);
while($row = $userresult->fetch_assoc()){
$uid = $row["USER_ID"];
}
} else {
header('Location: login.php');
}
if (isset($_POST["title"], $_POST["text"])) {
$title = mysqli_real_escape_string($conn, $_POST["title"]);
$text = mysqli_real_escape_string($conn, $_POST["text"]);
$sql = "INSERT INTO NEWS (Titel, Text, U_ID)
VALUES ('$title', '$text', '$uid')";
}
$conn->close();
?>
I think there is mistake in your query
$sqluser = "SELECT FROM USER USER_ID WHERE Name = '$user'";
It should be like this
$sqluser = "SELECT USER_ID FROM USER WHERE Name = '$user'";
basic email check is clear but if any user wants to update the data with same email Id then that message should not display....
if(isset($_GET['edited']))
{
$sql="SELECT * FROM user WHERE Id=".$_REQUEST['id']." ";
//echo "SELECT * FROM user WHERE Id=".$_REQUEST['id']."";
$query=mysqli_query($connect,$sql);
$user=mysqli_fetch_array($query);
$Id=$user['Id'];
$name=$user['name'];
$email=$user['email'];
$gender=$user['gender'];
$purpose=$user['purpose'];
$MobileNumber=$user['MobileNumber'];
$Status=$user['Status'];
}
Looking at the code you have provided and not really understanding what you are trying to do, have a look at this and see if it helps.
$query = "SELECT * FROM user WHERE email='$email'";
$result = mysqli_query($connect,$query);
if(mysqli_num_rows($result)>0)
{
echo 'Email is already exists!';
$sql="UPDATE user SET name='$name',email='$email',gender='$gender',purpose='$purpose',MobileNumber='$MobileNumber', Status='$Status' WHERE Id = ".$_REQUEST['txtid'];
}
else
{
if($_POST['txtid']=="0")
{
$sql = "INSERT INTO user(name,email,gender,purpose,MobileNumber) values ('$name','$email','$gender','$purpose','$MobileNumber')";
}
}
$query=mysqli_query($connect,$sql);
This is untested and I am not sure if you have provided all the code so you may need to edit it a bit before use.
The basic though is that the check for the existing email is completed, if that shows that there is an row containing that email address then you update the row with the new information. The the email address is not in the database then insert it.
Alright, so I have setup a very simple login in and sign up database, it is working perfectly.
However, one of the page I have created where users can check their acccount information (Username and Email) is not working fully.
I have a database that has four columns ID, username, email and password.
All I am doing is taking the user information from the database (Who is logged in) and displaying their username and email on the page.
The problem is that the code is logging every user within the database, I only want it to select one user (The user that is logged in.)
Code:
<?php
// SQL query
$strSQL = "SELECT * FROM users";
// Execute the query (the recordset $rs contains the result)
$rs = mysql_query($strSQL);
// Loop the recordset $rs
// Each row will be made into an array ($row) using mysql_fetch_array
while($row = mysql_fetch_array($rs)) {
// Write the value of the column FirstName (which is now in the array $row)
echo $row['email'] . "<br />";
echo $_SESSION['username'];
}
// Close the database connection
mysql_close();
?>
I'm thankful for the help !
You probably need to store the username value in a $_SESSION in your login session.
if (!isset($_SESSION)) {
session_start();
$_SESSION['id'] = the_id_of_your_logged_username;
}
Then using the value that is stored in the $_SESSION to retrieve the logged user.
session_start();
$id = $_SESSION['id'];
$query = "SELECT * FROM users WHERE id='$id'";
In these way, you can retrieve the logged user, just commonly on how users login and gets their profile directly.
Your SQL query should look something like this...
"SELECT * FROM users WHERE ID = '$user_id'"
Remember to fix any SQL vulnerabilities
$user_id = mysql_real_escape_string($user_id);
I am trying to let users to create a book detail in a table called books. However there are two types of users which are admin and users. Admin are saved as type = 1 and users are saved as type = 0 in a user table in the database as boolean.
The user has to log into the system to update the book account. The detail of the user is saved as username in COOKIES.
Therefore I want to command computer that let only admin to upload book table relating to the COOKIES username and check the username is related to admin, if username is user don't let it create.
Users
id | name | type
1 | abc | 1
2 | xyz | 0
I am trying to do such as
$_COOKIE['username'];
$result = 'SELECT type FROM users WHERE type = 1';
$res = mysql_query($result);
if ($res){
//let admin to enter the details
} else {
//you are not an admin,
}
Your SQL query will always return 1. You want something along the lines of
$username = $_COOKIE['username'];
$res = mysql_query("SELECT type FROM users WHERE name='$username'");
Then check if the type is 1 or 0.
$row = $mysql_fetch_assoc($res);
if ($row['type'] == 1){
//You are an admin
} else {
//You are not an admin
}
It doesn't matter if you use cookies or sessions. You need to pass some sort of user information, whether it's the user's id or username, into your SQL query to check that specific user's credentials.
Now, suppose you have a php file called upload.php which handles the book upload. Now, in the file check if the session variable $_SESSION["type"] has a value of 1 i.e, the logged -in-user is an admin. Also, I would advise against using mysql_* syntax anymore since its deprecated. Take a look at mysqli. I have written my answer using mysqli.
//This code goes in upload.php file
$mysqli = mysqli_connect(HOST, USER, PASS, DBNAME);
$username = $_COOKIE["username"];
$stmt = $mysqli->prepare("SELECT type FROM users WHERE username=?");
if($stmt){
$stmt->bind_param("s", $username);
$stmt->execute;
$stmt->bind_result($type);
$stmt->fetch();
$stmt->close();
}
//Now check for type
if( $type == 1){
//Add upload code here
}
else{
//Not admin access denied
}
$mysqli->close();
I have a problem, I can not prevent a logged in user to delete post by others users?
In my code now, I can delete all users posts, but I want to be able to only delete my posts (the logged
in user posts).
Can somebody help me in the right direction on how to do that?
<div class="deletebtn">Delete post</div>
$id=$_GET['id'];
$sql="DELETE FROM shouts WHERE id='$id'";
$result=mysql_query($sql);
if($result)
{
echo('<div class="deletedpost">You have deleted a post. Tillbaka till Bloggen</div>');
}
else
{
echo "Something went wrong";
}
mysql_close();
Im using a href in one file, linking to another file where a use Sql code.
you can do this via session
check if user is logged in or not. if logged in then delete the post
if(isset($_SESSION['user']))
{
//delete post
}
Store userId in your table and update your delete query like this...
$sql="DELETE FROM shouts WHERE id='$id' and userId = '$_SESSION[user]'";
Check whether the logged in user is the owner for the particular post before deleting.
Write a select query with post id and owner id. If it returns true allow him to delete the post otherwise do not allow.
Don't you have a $_SESSION['id'] of sorts?
And you do have that user id associated in shouts table, so you know who's shout is it right?
DELETE FROM shouts WHERE id='$id' AND user_id='$_SESSION['id']'
You should treatthe inputs though.
use this kind of query, here it will delete only logged in user's post.
$sql="DELETE FROM shouts WHERE id='$id' and user_id = '$loggedin_session_id'";
I would suggest that upon the user signing up, you assign them a unique id (or let the database do it with auto increment) and save it in the database. Then, whenever they log in, you can pull that user_id from the database and store it in a session variable. When shouts are created, you store the user_id of the person who created the shout alongside the shout itself in the shouts table of the database. When a user attempts to delete a shout, you first check to make sure that that shout belongs to them before allowing them to delete it.
An example:
<?php
//when user logs in
$email = 'example#example.com';
$password = 'default';
$sql = "SELECT id FROM user_table WHERE email = '$email' AND password = '$password'";
$result = mysql_query($sql);
$row = mysql_fetch_row($result);
$_SESSION['user_id'] = $row['id'] //'id' is the user's id; assign it to the session variable
//user creates the shout
$user_id = $_SESSION['user_id']; //get the user_id from the logged-in user
$shout = $_POST['shout'];
$sql = "INSERT INTO shout_table (user_id, shout) VALUES ('$user_id','$shout')"; //store user id alongside the shout for future queries
mysql_query($sql);
//user about to delete the shout
$id = $_GET['id'];
$user_id = $_SESSION['user_id'];
//the sql to check in the shout_table to see if the shout they are deleting belongs to them
$sql = "SELECT * FROM shout_table WHERE user_id = '$user_id' AND id = '$id'";
$result = mysql_query($sql);
$row = mysql_fetch_row($result);
if ($row)
{
//everything is alright; this user can delete the shout, so prepare the DELETE query to do so
}
else
{
//the user is not allowed to delete the shout because it's not theirs; tell them so with an echo or whatever you're using for error handling
}
?>
The example above is rife with SQL injections. Validate and sanitize, of course. As well, mysql_query functions will be deprecated as of PHP 5.5, so get in the hang of using mysqli_query functions instead. Better yet, see if you can use PDO. :)