Some more dynamic checking :(

brainiac

I want to take this:

<?php
while (list($key, $val) = each($HTTP_GET_VARS)) {
if (($key == "user_id") || ($key == "user_name") || ($key == "user_email") || ($key == "user_accessright1") || ($key == "user_accessright2") || ($key == "user_accessright3") || ($key == "user_accessright4")) {
echo "Don't cheat";
exit;
}
}
?>

and make it a bit more dynamic so that if I in the future are making changes in the userdatabase that it just works all the way round with only the one adjustment made to the database, here is what I whought would have worked:

<?php
$query_user = mysql_query("SELECT * FROM user WHERE user_id=1");

I would like the above query to not depend on a user, but just read all the field names in the user table, once.

while (list($key, $val) = each($HTTP_GET_VARS)) {
while ($userarray = mysql_fetch_assoc($query_user)) {
while (list($k, $v) = each($userarray)) {
if ((isset($key)) && ($key == $k)); {
echo "Don't cheat";
exit;
}
}
}
}
?>

The problem with this code is that whenever I put any variables at all in the address bar et somehow "finds a match".
I've tried echoing it all out to see if it reaaly finds a match, the var set in the URL was action=1, I wouldn't say that "action" is the same as "user_id".
Please help

frewuill

I thinks you shouldn't query all users from table but just the one logged in, check that user against the DB, and store the access level on some table instead of use some kind of var. I would use a User's Table and a Access level's Table, so in user table you should have at least login/password/levelaccesscode fields and in levelaccess table levelaccesscode/description and then make a desition based upon the level access for each users instead of loading ALL users.. what if tomorrow you have 10.000 users.. would each user have to wait for 5 or 8 second to load the page? =)

I hope this helps.

brainiac

I don't want to query any user at all, I just want to pull out all the fieldnames in the user table from database.
The reason is that I want to make sure they don't try to cheat by passing variables in the URL, the example below is how I check for cheating now, but all the user_* are variables that is set with the fieldnames from the user table and therefore could be figured out automatically by quering the database, but how I don't know.
The reason I want to do this is that I put in new accessrights when expanding my site, to check if a user has access to that new area, if I get this to work I only need to update with a new field in the database not editing 2 documents at the same time.

<?php

what I'm using now

while (list($key, $val) = each($HTTP_GET_VARS)) {
if (($key == "user_id") || ($key == "user_name") || ($key == "user_email") || ($key == "user_accessright1") || ($key == "user_accessright2") || ($key == "user_accessright3") || ($key == "user_accessright4")) {
echo "Don't cheat";
exit;
}
}
?>

brainiac

Never mind, just me being tired, accidently put an ; after the IF.

brainiac

I got it:

$query = mysql_query("DESCRIBE table;");
while (list($key) = each($HTTP_GET_VARS)) {
while (list($field) = mysql_fetch_array($query)) {
if ((isset($key)) && ($key == $field)) {
echo "Cheater";
exit;
}
}
}