Determining a Users Access Privileges using Database

seanmayhew

Im trying to verify that that a user can access the users section of my site based on "user_level" assigned in my database.

It works the first time I enter the page. Because it displays all of the page based on my login. But when I click the "Edit" Button next to the users name to perfrom the part of the script if(isset($editmember)); which is in PHP_SELF this part does not work it then skips to the bottom of the script echo "You dont have the privlige";

 
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<?
include('../include/jlFunctions.php');
session_start(); 
session_checker();
if($_SESSION['user_level'] == 3):
include('../include/dbconnection.php');
?>
<html>
<head>
<title>Junior League of Daytona Beach</title>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<link href="juniorleague.css" rel="stylesheet" type="text/css">
<link href="../juniorleague.css" rel="stylesheet" type="text/css">
</head>
<body bgcolor="#CE6363" leftmargin="5" topmargin="5" marginwidth="0" marginheight="0">
<table width="550" border="0" cellpadding="1" cellspacing="0" bgcolor="#CC9933">
  <tr> 
    <td><table width="100%" border="0" cellpadding="0" cellspacing="0">
        <tr> 
          <td><table width="100%" border="0" cellpadding="0" cellspacing="0">
                <tr> 
                <td width="200" bgcolor="#EBD7AB"><div align="left">
<?
include('userheader.php');
?>
</div></td>
                <td width="49%" bgcolor="#EBD7AB"><div align="right"><img src="../images/designElements/WomenBuilding.gif" width="375" height="25"></div></td>
              </tr>
              <tr> 
                <td colspan="2" class="Author">
                  <?
     include('adminmenu.php');?></td>
              </tr>
            </table></td>
        </tr>
        <tr> 
          <td><table width="100%" border="0" cellpadding="0" cellspacing="0">
              <tr> 
                <td valign="top" bgcolor="#FFFFFF"><table width="100%" border="0" cellpadding="0" cellspacing="0">
                    <tr> 
                      <td bgcolor="#EBD7AB"><div align="center"><a href="index.php"><img src="../images/designElements/logo_sitemanagement.gif" width="375" height="75" border="0"></a></div></td>
                    </tr>
                    <tr> 
                      <td bgcolor="#CC9933"><img src="../images/designElements/spacer.gif" width="1" height="1"></td>
                    </tr>
                    <tr> 
                      <td><table width="100%" border="0" cellspacing="0" cellpadding="0">
                          <tr> 
                            <td><img src="../images/designElements/spacer.gif" width="15" height="1"></td>
                            <td valign="top"> 
 <?php
//If the user want to edit a member
if(isset($editMember)){
$editMemberDetails = @mysql_query("Select userid,username,password,first_name,last_name,email_address,info,user_level from users where username = $username");
if(!$editMemberDetails){
 echo("<p>Error performing query: ".mysql_error()."</p>");
 exit();
 }
while($memberEditRow = mysql_fetch_array($editMemberDetails)){
$userid = $memberEditRow["userid"];
$password = $memberEditRow["password"];
$username = $memberEditRow["username"];
$first_name = $memberEditRow["first_name"];
$last_name = $memberEditRow["last_name"];
$email_address = $memberEditRow["email_address"];
$info = $memberEditRow["info"];
$updateuser_level = $memberEditRow["user_level"];
?>
<form action="<?=$PHP_SELF?>" method="post" class="FormText">
<tr><td>Username:</td><td><input type="text" name="username" value="<?=$username?>"></td></tr>
<tr><td>Password:</td><td><input type="password" name="password" value="<?=$password?>"></td></tr>
<tr><td>First Name:</td><td><input type="text" name="first_name" value="<?=$first_name?>"></td></tr>
<tr><td>Last Name:</td><td><input type="text" name="last_name" value="<?=$last_name?>"></td></tr>
<tr><td>Email:</td><td><input type="text" name="email_address" value="<?=$email_address?>"></td></tr>
<tr><td>Notes:</td><td><textarea name="info"><?=$info?></textarea></td></tr>
<tr><td>User Level:</td><td><select name="updateuser_level">
          <option value=1>1</option>
             <option value=2>2</option>
             <option value=3>3</option>
             </select></td></tr>
        <input type="hidden" name="userid" value="<?=$userid?>"/>
<tr><td></td><td><input type="submit" name="updateMember" value="UPDATE"/></td></tr>
                              </form>
<?
}
}
//Update a member
if($updateMember == "UPDATE"){
$password = md5($password);
$sql = "Update users set
first_name = '$first_name',
last_name = '$last_name',
username = '$username',
password = '$password',
info = '$info',
user_level = '$updateuser_level',
userid = '$userid' where userid = '$userid'";
if(@mysql_query($sql)){
 echo ("<br><br><div align='center' class='BoldPink'>$first_name $last_name's information has been updated!</div><br><br>");
 }
 else{
  echo("<p>Error changing membership details: ".mysql_error()."</p>");
  }
 }

//Request all of the Members and assign Variables
$memberResult = @mysql_query("Select * from users");
if(!$memberResult){
 echo("<p>Error performing query: ".mysql_error()."</p>");
 exit();
 }
echo ("<div align='center'><table width = '475' cellpadding='3'>");
echo ("<tr><td colspan='5'><div align='right'><a href='$PHP_SELF?addMember=1'>New Member</a></div></td></tr>");
echo ("<tr class='BoldPink' bgcolor='#EBD7AB'><td width='135'><div align='center'>Member</div></td><td><div align='center'>Name</div></td></td><td><div align='center'>Notes</div></td><td width='25'><div align='center'>Level</div></td><td width='110'><div align='center'>Tools</div></td></tr>");
$alternate = "2"; 
while($memberrow = mysql_fetch_array($memberResult)){
$userid = $memberrow["userid"];
$username = $memberrow["username"];
$email_address = $memberrow["email_address"];
$first_name = $memberrow["first_name"];
$last_name = $memberrow["last_name"];
$info = $memberrow["info"];
$user_level = $memberrow["user_level"];
if ($alternate == "1") { 
$color = "#ffffff"; 
$alternate = "2"; 
} 
else { 
$color = "#eeeeee"; 
$alternate = "1"; 
} 
echo ("<tr class='chartText' bgcolor=$color>");
echo("<td width='100'>&nbsp;&nbsp;<a href='mailto:$email_address' class='BoldHeader'>$username</a></td>");
echo("<td width='100'>$first_name $last_name</a></td>");
echo ("<td width='110'>$info</td><td width='25'><div align='center'>$user_level</div></td>");
echo ("<td width='110' align='center'><a href='$PHP_SELF?editMember=$username'><img src='../images/designElements/buttons/edit.gif' width='30' height='30' border='0'></a>&nbsp;");
echo ("<a href='mailto:$email_address'><img src='../images/designElements/buttons/email.gif' width='30' height='30' border='0'></a>&nbsp;");
echo ("<a href='$PHP_SELF?deleteMemberTest=$userid&first_name=$first_name&last_name=$last_name'><img src='../images/designElements/buttons/delete.gif' width='30' height='30' border='0'></a></td>");
echo ("</tr>");
}
echo ("</table></div><br>");
echo ("<td width='30'><img src='../images/designElements/spacer.gif' width='30' height='1'></td>");
?>
</td>
                          </tr>
                        </table></td>
                    </tr>
                  </table></td>
              </tr>
            </table></td>
        </tr>
        <tr> 
          <td bgcolor="#CC9933"><img src="../images/designElements/spacer.gif" width="1" height="1"></td>
        </tr>
        <tr><td colspan="3">
        </td></tr>
      </table></td>
  </tr>
</table>
</body>
</html>
<?
else:
echo "You dont have the privlige";
endif;
?>

Thanks!

stolzyboy

instead of

<?=$PHP_SELF?>

use

<? echo $_SERVER['PHP_SELF']; ?>

and make sure $editmember is the name of your field/button

and that register_globals is on if you are using just a $

if not use $_POST['editmember']

eduac

sorry for the stupid question, but, what the $_SESSION do, in this case?

stolzyboy

that's how you call your session variables with register_globals = Off

eduac

so sorry dude, i typed $SESSION but in the truth i must have typed $SERVER...sorry.

stolzyboy

ok, well that's how you grab server variables with register_globals = Off