[Resolved] Ignoring a if statement!?!

djdaz

IN the code below i am trying to check if a user who is logged in, and trying to delete a news post owns that post. I have tested it by posting news as djdaz, then logging on as someone else and trying to delete it, unfortuanlty the news is deleted, i cant see any errors, maybe you guys can. Heres the code.

<?php
//sessions
session_start(); 

//variables
$id = $_GET['id'];

//mysql
$dbc = mysql_connect("localhost", "", "");
mysql_select_db (djdaz);

//check for login
if (!isset($_SESSION['logged_in'])) { 
?>
	<html>
	<head>
	<title>Restricted - C&C:Oracle</title>
	<?php include($_SERVER["DOCUMENT_ROOT"].'/admin/'.'nav.php');?>
	<br>
	You must <a href="/admin/login.php">log in</a> before attempting to view this page.
	<?php include($_SERVER["DOCUMENT_ROOT"].'/admin/'.'footer.php');
}else{
	if ($_SESSION['allownews'] == "1"){
		if($_SESSION['level'] == "admin"){
			if(mysql_query("DELETE FROM staff_news WHERE id='$id'")){
				$message = "Your news has been successfully deleted";
			}else{
				$message = "There was a MySQL error during the prosessing of this script, please send the following debug information to an admin<br><br>" . mysql_error() . "</b>";
			}
		}else{
			$username_query = mysql_query("SELECT * FROM staff_news WHERE id='$id'");
			$username_array = mysql_fetch_array($username_query);

		if(!$_SESSION['username'] == $username_array['username']){
			$message = "This is not your news post.";
		}else{
			if(mysql_query("DELETE FROM staff_news WHERE id='$id'")){
				$message = "Your news has been successfully deleted";
			}else{
				$message = "There was a MySQL error during the prosessing of this script, please send the following debug information to an admin<br><br>" . mysql_error() . "</b>";
			}
		}
	}
	?>
	<html>
	<head>
	<title>News deleted - C&C:Oracle</title>
	<?php include($_SERVER["DOCUMENT_ROOT"].'/admin/'.'nav.php');?>
	<br>
	<center>
	<?php echo $message;?>
	</center>
	<?php include($_SERVER["DOCUMENT_ROOT"].'/admin/'.'footer.php');
}else{
	?>
	<html>
	<head>
	<title>Restricted - C&C:Oracle</title>
	<?php include($_SERVER["DOCUMENT_ROOT"].'/admin/'.'nav.php');?>
	<br>
	<center>	
	You do not have the permissions to post news.
	</center> 
	<?php include($_SERVER["DOCUMENT_ROOT"].'/admin/'.'footer.php');
}
}
?>

leatherback

Hi,

I am not sure. It may be: if($_SESSION['level'] == "admin")
I do not know what is registered for the level/

Perhaps it is an idea to place an echo after each query:

echo "Performing query: query1:".$query;

That way you know in which section the delete is performed, and which part of the if-sets is producing the error.

swr

Originally posted by djdaz

if(!$_SESSION['username'] == $username_array['username']){

It's an order of operations thing. You're expecting the condition to be interpreted like this:

if (!($_SESSION['username'] == $username_array['username'])) {

When really it's being interpreted like this:

if ((!$_SESSION['username']) == $username_array['username']) {

What you should type is this:

if ($_SESSION['username'] != $username_array['username']) {

djdaz

thanks, that hit the nail on the head 🙂