User Level with my sessions

NZ_Kiwi

I want only people with a user level rating of 3 to enter my page..

this is what i have tried

<?php

$result = mysql_query ("SELECT * from members where username = '$_SESSION["valid_user"]');
$row = mysql_fetch_array($result);

if ($row["level"] != 1)
 {
  print "ACCESS DENIED. Only a news administrator has access to this area";

  exit();
 }



?>

my auth and session setting page

<?php
 session_start();
 // dBase file
 include "dbConfig.php";

 if ($_GET["op"] == "login")
  {
  if (!$_POST["username"] || !$_POST["password"])
   {
   Header("Location: error.php");
   }

  // Create query
  $q = "SELECT * FROM `members` "
   ."WHERE `username`='".$_POST["username"]."' "
   ."AND `password`=PASSWORD('".$_POST["password"]."') "
   ."LIMIT 1";
  // Run query
  $r = mysql_query($q);

  if ( $obj = @mysql_fetch_object($r) )
   {
   // Login O.K., create session variables
   $_SESSION["valid_id"] = $obj->id;
   $_SESSION["valid_user"] = $_POST["username"];
   $_SESSION["valid_time"] = time();




   // Redirect to member page
   Header("Location: index.php");
   }
  else
   {
   // Login not successful
   Header("Location: error.php");
   }
  }
 else
  {
  Header("Location: error.php");
  }
 ?>

this is the error i get

Parse error: parse error, expecting T_STRING' orT_VARIABLE' or `T_NUM_STRING' in /home/httpd/vhosts/mysite/httpdocs/admin/index.php on line 91

Installer

Well, counting from the top this must only be line 3:

$result = mysql_query ("SELECT * from members where username = '$_SESSION["valid_user"]');

but it should be generating the same error as the one you're getting for line 91 (wherever that is). Fix the quotes on it, then do the same for line 91 and see what happens.

Weedpacket

Just by looking at that colours that code is written in one can see the quotes have gotten screwed up.

NZ_Kiwi

OK,

full code

<?php

session_start();



if (!$_SESSION["valid_user"])

{

// User not logged in, redirect to login page

Header("Location: login.php");

}



?>
<script language="JavaScript">



<!-- This script and many more are available free online at -->

<!-- The JavaScript Source!! [url]http://javascript.internet.com[/url] -->



<!-- Begin

function popupPage() {

var page = "http://www.rugbyleaguenz.com/admin/addnews.php";

windowprops = "height=800,width=800,location=no,"

+ "scrollbars=yes,menubars=no,toolbars=no,resizable=yes";

var url="http://www.rugbyleaguenz.com/admin/addnews.php";

window.open(url, "Popup", windowprops);

}

function popupPage2() {

var page = "http://www.rugbyleaguenz.com/admin/addpics.php";

windowprops = "height=250,width=550,location=no,"

+ "scrollbars=yes,menubars=no,toolbars=no,resizable=no";

var url="http://www.rugbyleaguenz.com/admin/addpics.php";

window.open(url, "Popup2", windowprops);

}

function popupPage3() {

var page = "http://www.rugbyleaguenz.com/admin/viewpic.php";

windowprops = "height=250,width=250,location=no,"

+ "scrollbars=yes,menubars=no,toolbars=no,resizable=no";

var url="http://www.rugbyleaguenz.com/admin/viewpic.php";

window.open(url, "Popup2", windowprops);

}





//  End -->

</script>
<html>

<head>
<meta http-equiv="Content-Language" content="en-au">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>Rugby League in New Zealand - Admin</title>
</head>

<body bgcolor="#000000" link="#000000" vlink="#000000" alink="#000000" topmargin="0" leftmargin="0">

<div align="center">
	<table border="0" width="765" bordercolor="#FFFFFF" bordercolorlight="#000000">
		<tr>
			<td colspan="2" bgcolor="#000000">
			<p align="center"><a href="http://www.rugbyleaguenz.com/">
			<img src="http://nz.rleague.com/new/images/nzbanner3.JPG" border="0"></a></p>
			</td>
		</tr>
		<tr>
			<td width="99%" bgcolor="#FFFFFF" colspan="2">
			<table border="0" width="100%">
				<tr>
					<td width="341"><font face="Verdana" size="1">&nbsp;Welcome <?php echo $PHP_AUTH_USER; ?></font></td>
					<td>
					<p align="right"><font face="Verdana" size="1">&nbsp;Admin Version 
					0.1</font></p>
					</td>
				</tr>
			</table>
			</td>
		</tr>
		<tr>
			<td width="25%" bgcolor="#FFFFFF" align="center" valign="top"><br>
			<font size="2" face="Verdana"><?php 



require("leftmenu.php"); 



?> </b>
			<p></p>
			<p>&nbsp;</p>
			</font></td>
			<td width="74%" bgcolor="#FFFFFF" align="left" valign="top"><?php



mysql_connect (localhost, user, pass);



mysql_select_db (table);

?>

<?php
$result2 = mysql_query ("SELECT * from members where username = '$_SESSION["valid_user"]');
$row = mysql_fetch_array($result2);

if ($row["level"] != 1)
{
	print "ACCESS DENIED. Only a news administrator has access to this area";

	exit();
}
?>


<?php



$result = mysql_query ("SELECT * From news order by id desc");



?> <font face="Verdana" size="2"><b>Select a news item to edit.</b> <?php



while ($row = mysql_fetch_array($result)) {



?>
			<table border="0" cellpadding="0" cellspacing="0" style="border-collapse: collapse" bordercolor="#111111" width="100%" id="AutoNumber1">
				<tr>
					<td width="42%"><font face="Verdana" size="2">-
					<a style="text-decoration: none" href="newsedit.php?id=<?php echo $row["id"]; ?>">
					<?php echo $row["header"]; ?></a></font></td>
				</tr>
			</table>
			<?php



}



?>
			<p></p>
			</font></td>
		</tr>
	</table>
</div>

</body>

</html>

error:

Parse error: parse error, expecting T_STRING' orT_VARIABLE' or `T_NUM_STRING' in /home/httpd/vhosts/site.com/httpdocs/admin/index.php on line 139

sneakyimp

c'mon kiwi! they gave you the answer...this line:

$result2 = mysql_query ("SELECT * from members where username = '$_SESSION["valid_user"]');

cannnot possibly work. LOOK AT IT. figure it out.

NZ_Kiwi

Originally posted by sneakyimp
c'mon kiwi! they gave you the answer...this line:
$result2 = mysql_query ("SELECT * from members where username = '$_SESSION["valid_user"]'); 
cannnot possibly work. LOOK AT IT. figure it out. [/B]

i only know the very basics of PHP!! and sessions are very new to me.... can you spell it out?

sneakyimp

okok.

if you are defining a string in PHP and you start it with double quotes (") then the next double quote mark you find is interpreted by PHP to be the END of that string. that means that if you want to define a string with quotes in it, you are going to have to 'escape' them with a backslash. like this:

$my_string = "Here is how you \"escape\" quotes to get them in a string";
echo $my_string;

in your code, your string is all mangled...

$result2 = mysql_query ("SELECT * from members where username = '$_SESSION["valid_user"]');

you start with a double quote, then you have double quotes inside in your reference to your session variable which ends your string and starts a new one and then you fail to terminate the string you originally tried to start at all.

in general, if i'm referring to an associative array like $_SESSION["valid_user"] in a string, i don't try to use PHPs very handy string behavior...i explicitly concatenate it--OR assign it to an innocuous temporary string variable first.. helps me avoid all the quote confusion.

either of these should work:

$result2 = mysql_query ("SELECT * from members where username = '" . $_SESSION["valid_user"] . "';");

// OR
$tmp_valid_user = $_SESSION["valid_user"];
$result2 = mysql_query ("SELECT * from members where username = '$tmp_valid_user';");

it's critical to learn how to find syntax errors. your code won't run if there's a single one in there. i didn't scan your code...there could be others.

NZ_Kiwi

Originally posted by sneakyimp
okok.

if you are defining a string in PHP and you start it with double quotes (") then the next double quote mark you find is interpreted by PHP to be the END of that string. that means that if you want to define a string with quotes in it, you are going to have to 'escape' them with a backslash. like this:
$my_string = "Here is how you \"escape\" quotes to get them in a string";
echo $my_string;
in your code, your string is all mangled...
$result2 = mysql_query ("SELECT * from members where username = '$_SESSION["valid_user"]');
you start with a double quote, then you have double quotes inside in your reference to your session variable which ends your string and starts a new one and then you fail to terminate the string you originally tried to start at all.

in general, if i'm referring to an associative array like $_SESSION["valid_user"] in a string, i don't try to use PHPs very handy string behavior...i explicitly concatenate it--OR assign it to an innocuous temporary string variable first.. helps me avoid all the quote confusion.

either of these should work:
$result2 = mysql_query ("SELECT * from members where username = '" . $_SESSION["valid_user"] . "';");

// OR
$tmp_valid_user = $_SESSION["valid_user"];
$result2 = mysql_query ("SELECT * from members where username = '$tmp_valid_user';");
it's critical to learn how to find syntax errors. your code won't run if there's a single one in there. i didn't scan your code...there could be others. [/B]

very good. nice and clear. thanks very very much