can't figure it out

lorddraco98

I have a script here, and part of it changes user groups for a selected user, here's the code for it:

if ($_GET['action']=="changeusergroups")
{
dbconnect();
echo "<center><h3>Edit Usergroups</h3>";
echo "<b>User Groups Key:</b> (note: usergroups inherit all priveledges of usergroups below them)<br>";
echo "<b>User Group ID: 1/<b>- Normal Users<br>";
echo "Access: View news,reviews, and articles. Post user comments, user news, and user ratings. View All public content<br><br>";
echo "<b>User Group ID: 2</b>-  Staff Members<br>";
echo "Access: Create products and reviews, create news posts, create articles. Edit own products, reviews, news posts, and articles<br><br>";
echo "<b>User Group ID: 3</b>- Administrators<br>";
echo "Access: Edit users, delete users, validate users, edit ALL products, reviews, articles, and news. Change site settings.";
$query1= "select * from user";
$result1= mysql_query($query1)
or die(mysql_error());
echo "<table border=1 cellpadding=3>";
echo "<b><tr><td>User ID</td><td>Username</td><td>User Group ID</td><td>E-mail Address</td><td>Register Date</td><td>Change User Group</td></tr></b>";
while ($s= mysql_fetch_array($result1))
{
$userid= $s['userid'];
$username= $s['username'];
$emailaddress= $s['email'];
$usergroupid= $s['usergroupid'];
$registerdate= convertdate($s['registerdate']);
echo "<tr><td>$userid</td><td>$username</td><td>$usergroupid</td><td>$emailaddress</td><td>$registerdate</td><td><a href= 'admin.php?action=changeusergroups2&id=$userid'>Change Usergroup</a></td></tr><br>";
}
echo "</table>";
}
if ($_GET['action']=="changeusergroups2")
{
dbconnect();
$id= $_GET['id'];
echo "<table border=1 cellpadding=3>";
echo "<b><tr><td>User ID</td><td>Username</td><td>User Group ID</td><td>E-mail Address</td><td>Register Date</td><td>Change User Group</td></tr></b>";
echo "<form action= 'admin.php?action=dochangeusergroups&id=$id' method= 'post'>";
$query1= "select * from user where userid= $id";
$result1= mysql_query($query1)
or die(mysql_error());
while ($s= mysql_fetch_array($result1))
{
$username= $s['username'];
$emailaddress= $s['email'];
$usergroupid= $s['usergroupid'];
$registerdate= convertdate($s['registerdate']);
echo "<tr><td>$id</td><td>$username</td><td>$usergroupid</td><td>$emailaddress</td><td>$registerdate</td>
<td>
<select name= 'changeusergroupid'>
<option value=''> Select User Group ID
<option value=''>----------------------------------------------------
<option value= '1'> Normal User (User Group ID- 1)
<option value= '2'> Staff (User Group ID- 2)
<option value= '3'> Administrator (User Group ID- 3)
</select>
</td>
</tr><br>";
}
echo "</table>";
echo "<input type= 'submit' value= 'Change User Group'>";
echo "</form>";
}
if ($_GET['action']=="dochangeusergroups")
{
dbconnect();
$id= $_GET['id'];
$newusergroupid= $_POST['changeusergroupid'];
$query1= "update user set usergroupid= 'new$usergroupid' where userid= $id";
$result1= mysql_query($query1)
or die(mysql_error());
echo "<center>User Group Updated!<br>";
echo "Click <a href= 'index.php'> here</a> to return the the admin index.<br>";
}

at the top of the page, before all the if $_GET['action']'s are called, this is included:
session_start()
checkadminloggedin();

my function for checkadminloggedin() is:

function checkadminloggedin()
{
if ($_SESSION[usergroupid] !=3)
 {
echo "<center>You do not have permission to access this page.<br>";
echo "Click <a href= '../index.php'>here</a> to return to the main page<br>";
echo "If you are staff <a href='login.php'>click here</a> to login</center>";
die();
}
}

now for some reason, on the action=changeusergroups page, when I click "change usergroup" for any user other than myself(that i'm currently logged in as), it moves to action=chageusergroups2 and then fails to pass the admincheck.
but that shouldn't be as my $_SESSION['usergroupid'] hasn't changed.
further more, when I click loguout, it says i'm logged in as the user i was trying to change, not my username. i have no idea why

and for login.php session values are set using:

$_SESSION['userid']= $s['userid'];
$_SESSION['username']= $s['username'];
$_SESSION['usergroupid']= $s['usergroupid'];
$_SESSION['email']= $s['email'];
$_SESSION['adminauth']= $s['adminauth'];
$_SESSION['usertitle']= $s['usertitle'];
$_SESSION['usersig']= $s['usersig'];
$_SESSION['registerdate']= convertregisterdate($s['registerdate']);
$_SESSION['loggedin']= 1;

any ideas or does this not make sense or is more info needed?

lorddraco98

forgot to mention, this works on my local server but when i upload it to my website it doesn't

seby

if it works on localhost and not on the server then there is something obviously different in configurations... what version of php on both?

lorddraco98

locally i'm on 4.3.1
server is 4.3.3-dev

also, in my scripts I was using such things as $_SESSION['username']

and when i uploaded the files it was giving me parse errors.
So I had to change everything to $_SESSION[username}

maybe that has something to do with it?

Natty_Dreadlock

u changed it to $SESSION[username} or $SESSION[username] or what... do not leave out the " or ' .... I guess $_SESSION["username"] actually had to work...
there must be some different problem

kevinsequeira

first of all use the quotes $_SESSION['username'] and second debug, try this

print_r($_SESSION); and see the vlues in the array. u should find out what the problem is

reg
kevin

lorddraco98

Originally posted by Natty_Dreadlock
u changed it to $SESSION[username} or $SESSION[username] or what... do not leave out the " or ' .... I guess $SESSION["username"] actually had to work...
there must be some different problem

sorry, that was a typo.
I changed them all to $SESSION[username]

keving, when I had the quotes around username it gave me a parse error on that server for some reason.
I'll try a debug though as well as viewing the session variables

lorddraco98

I did the session variables thing and it is changing the session variables, but only 3 of them.

it's changing the $SESSION['userid'] and $SESSION['username'] and $_SESSION['usergroupid'] to whatever user I click "change usergroup" for, but keeps my e-maila address, register date, and everything else set.

but i don't have any code in there that would modify session variables

any ideas?