I have made progress but have a question

natman3

I have made some progress thought about how to do the code a bit different. and this is what i came up with. However if i login with a user that has collegiate for divisionType he still gets directed to the page for highschool does anyone know why this might be?

function set_user() {
		$_SESSION['user'] = $this->user;
		$_SESSION['pw'] = $this->user_pw;
		if (isset($_SESSION['referer']) && $_SESSION['referer'] != "") {
			$next_page = $_SESSION['referer'];
			unset($_SESSION['referer']);
		}
		// table name is " users " the field with the value of collegiate or highschool is in the field " accessLevel "
		$query = sprintf("SELECT divisionType FROM users WHERE login = '%s' AND pw = '%s'", $this->user, $this->pass);
		// Perform Query 
		$result = mysql_query($query); 

	// Check result 
	// This shows the actual query sent to MySQL, and the error. Useful for debugging. 
	if (!$result) { 
	   $message  = 'Invalid query: ' . mysql_error() . "\n"; 
	   $message .= 'Whole query: ' . $query; 
	   die($message); 
	} 

	// Use result 
     while ($row = mysql_fetch_assoc($result)) { 
	 $value = $row['divisionType'];

	}

	if (isset($high) == $value) { 
			$next_page = $this->high_page;
			header("Location: ".$next_page);
			exit();     
	} 
	else if (isset($coll) == $value) { 
			$next_page = $this->coll_page;
			header("Location: ".$next_page);
			exit();     
	} 
	else {
		//$next_page = $this->main_page;
		echo "you tried to access an illegal page";
	}
	//header("Location: ".$next_page);
	//echo "you tried to access an illegal page";
}

class Access_user {

var $table_name =  USER_TABLE; 

var $user;
var $user_pw;
var $user_full_name;
var $user_info;
var $user_email;
var $save_login = "no";
var $cookie_name = COOKIE_NAME;
var $cookie_path = COOKIE_PATH; 
var $is_cookie;

var $count_visit;

var $coll = "collegiate";
var $high = "highschool";

var $id;
var $language = "en"; 
var $the_msg;
var $login_page;
var $main_page;
var $high_page;
var $coll_page;
var $password_page;

var $webmaster_mail = WEBMASTER_MAIL;
var $webmaster_name = WEBMASTER_NAME;

function Access_user() {
	// connects to dba
	$this->connect_db();
	// login reader number of times
	$this->login_reader();
	// login page is set to login.php
	$this->login_page = LOGIN_PAGE;
	// main page is set to example.php
	$this->main_page = START_PAGE;
	// main page is set to user_high.php
	$this->high_page = HIGH_PAGE;
	// main page is set to user_coll.php
	$this->coll_page = COLL_PAGE;
	// password page resets password by using activate_password.php
	$this->password_page = ACTIVE_PASS_PAGE; 
}

mtmosier

if (isset($high) == $value) { 
    $next_page = $this->high_page;
    header("Location: ".$next_page);
    exit();     

}

The return value from isset is boolean true or false, depending on whether the variable in question has been initiliazed (exists). So assuming $high exists this compares true against $value. If $value is non-empty, non-zero, then it will automatically be converted to a "true" value, and the code in the if statement will be executed.

To be slightly clearer, the actual value of $value does not get changed in the if statement. It is only converted to boolean true or false for the purpose of comparison.

natman3

Well i have in my class many variables two of them are:

var $coll = "collegiate"; 
    var $high = "highschool";

I am wanting to check the users table field of divisionType to see if the user is listed as collegiate or highschool. if he is highschool then he gets directed to the highshcool page if he his college he gets directed to the college page. I thought that using this part of the code within my function:

if (isset($high) == $value) { 
				$next_page = $this->high_page;
				header("Location: ".$next_page);
				exit();     

		} 
		else if (isset($coll) == $value) { 
				$next_page = $this->coll_page;
				header("Location: ".$next_page);
				exit();     

		}

would enable me to check for the level or access inorder to send the user to the right page. It however does not work. I do realise that i think that the

isset() is a bool type of function that if the data inside is true it executes the code inside the if statement. I however am not sure on how to get my code to work correctly when iam login with two users one with a level of college and the other of highschool i get sent to the same page still.

mtmosier

I think the issue here is in your understanding of isset, and its relation to if statements. Isset is not needed in doing your comparison at all. It is used only to determine whether a variable has been initialized previously. For example, earlier in your code you have this:

if (isset($_SESSION['referer']) && $_SESSION['referer'] != "") {

This is actually doing two things. First it is checking whether the variable "$SESSION['referer']" was previously set. My assumption is that a previous page on this site is supposed to set this variable, but it's possible, at least theoretically, that it was not set for some reason. If the variable was set previously (isset returned 'true'), it will then check whether "$SESSION['referer']" is not equal to "" (an empty string). This second part (separated by the &&) is a different comparison, and is evaluated separately from the isset.

Techincally speaking the isset here could be skipped, but it's considered bad practice to check or use the value of a variable which is not initialized. This could, in theory, lead to security issues or logic bugs, depending on how the code is used (or changed to be used in the future).

By the way, this statement I used as an example would be the same thing if it were written like this:

if (!empty($_SESSION['referer'])) {

empty basically does an isset and checks if the variable is empty (empty string, 0, false) all in one call.

On a separate note, I didn't see where you initialized $high in this function. Perhaps you mean $this->high, which would be the property high of the class this function appears in?

natman3

Thank you very much for the information. I think i now understand what the isset does. In trying to read the php manual on the isset i found it all come together after reading your comment. Thank you again. I guess in a way i am attempting to do a comparrison and am doing it in an incorrect manor. Thanks for your help

natman3

would it be better practice to do something like this:

// table name is " users " the field with the value of collegiate or highschool is in the field " divisionType "
		$query = sprintf("SELECT divisionType FROM users WHERE login = '%s' AND pw = '%s'", $this->user, $this->pass);


if ($this->high == $value) { 
				$next_page = $this->high_page;
				header("Location: ".$next_page);
				exit();     

		}

if i am wanting to compare the value in the users table?

mtmosier

Looks good to me.

You asked about better practice, so I will make one more comment. Keep in mind this is just a best practice sort of thing, and is certainly not necessary in this case. You called the local variable for the divisionType field "$value". Best practice would be to give this variable a more meaningful name, like maybe "$division_type". (All lowercase, with an underscore, since that seems to be the naming scheme you're using for variables in this code. Doesn't matter what naming scheme you use so long as you're consistent.)

Just a reminder, if you were to decide to rename that variable, make sure you get all occurrences.

natman3

thank you for the suggestion i took it into consideration. I have however run into a small problem. When i try to login with my users i get the error "you tried to access an illegal page" I am not sure why this occurs i think its the way i have my if, else statments but am not sure do u have any suggestions? i have my code bellow:


class Access_user {

var $table_name =  USER_TABLE; 

var $user;
var $user_pw;
var $user_full_name;
var $user_info;
var $user_email;
var $save_login = "no";
var $cookie_name = COOKIE_NAME;
var $cookie_path = COOKIE_PATH; 
var $is_cookie;

var $count_visit;

var $coll = "collegiate";
var $high = "highschool";

var $id;
var $language = "en"; 
var $the_msg;
var $login_page;
var $main_page;
var $high_page;
var $coll_page;
var $password_page;

var $webmaster_mail = WEBMASTER_MAIL;
var $webmaster_name = WEBMASTER_NAME;

function Access_user() {
	// connects to dba
	$this->connect_db();
	// login reader number of times
	$this->login_reader();
	// login page is set to login.php
	$this->login_page = LOGIN_PAGE;
	// main page is set to example.php
	$this->main_page = START_PAGE;
	// main page is set to user_high.php
	$this->high_page = HIGH_PAGE;
	// main page is set to user_coll.php
	$this->coll_page = COLL_PAGE;
	// password page resets password by using activate_password.php
	$this->password_page = ACTIVE_PASS_PAGE; 
}	



function set_user() {
		$_SESSION['user'] = $this->user;
		$_SESSION['pw'] = $this->user_pw;
		if (isset($_SESSION['referer']) && $_SESSION['referer'] != "") {
			$next_page = $_SESSION['referer'];
			unset($_SESSION['referer']);
		}

	// table name is " users " the field with the value of collegiate or highschool is in the field " divisionType "
	$query = sprintf("SELECT divisionType FROM users WHERE login = '%s' AND pw = '%s'", $this->user, $this->pass);
	// Perform Query 
	$result = mysql_query($query); 

	// Check result 
	// This shows the actual query sent to MySQL, and the error. Useful for debugging. 
	if (!$result) { 
	   $message  = 'Invalid query: ' . mysql_error() . "\n"; 
	   $message .= 'Whole query: ' . $query; 
	   die($message); 
	} 

	// Use result 
     while ($row = mysql_fetch_assoc($result)) { 
	 $divisionType = $row['divisionType'];

	}

	if ($this->high == $divisionType) { 				
			$next_page = $this->high_page;
			header("Location: ".$next_page);
			exit();     
	} 
	else if ($this->coll == $divisionType) { 
			$next_page = $this->coll_page;
			header("Location: ".$next_page);
			exit();     
	} 
	else {

		echo "you tried to access an illegal page";
	}
}

mtmosier

I see nothing wrong with your if statements. I would suggest adding the following debugging code.

else {
    echo "high:  '".$this->high."'<br>\n";
    echo "coll:  '".$this->coll."'<br>\n";
    echo "divisionType: '".$divisionType."'<br>\n";
    echo "number of rows:  '".mysql_num_rows($result)."'<br>\n";
    echo "query:  '".$query."'<br>\n";

echo "you tried to access an illegal page";
}

natman3

this is what i get:

high: 'highschool'
coll: 'collegiate'
divisionType: ''
number of rows: '0'
query: 'SELECT divisionType FROM users WHERE login = 'millern' AND pw = '''
you tried to access an illegal page

which means i think that the query is not selecting the right field or row. Because divisionType: " is blank. Do you have any idea on what i need to do inorder to fix this.

mtmosier

Right, the query returned no rows, so it didn't find the result you were looking for. Looking at your sql query, and assuming you didn't remove the password for security reasons (you didn't say you did, so...), I would say your password isn't being added to it correctly.

$query = sprintf("SELECT divisionType FROM users WHERE login = '%s' AND pw = '%s'", $this->user, $this->pass);

Looking at your list of properties in the class, it's probably supposed to be user_pw instead of pass.

natman3

Your were correct but i still get this message:

high: 'highschool'
coll: 'collegiate'
divisionType: ''
number of rows: '0'
query: 'SELECT divisionType FROM users WHERE login = 'millern' AND pw = '1234''
you tried to access an illegal page

the row is till '0' and the divisionType is blank my query now reads:

// table name is " users " the field with the value of collegiate or highschool is in the field " divisionType "
		$query = sprintf("SELECT divisionType FROM users WHERE login = '%s' AND pw = '%s'", $this->user, $this->user_pw);

mtmosier

Well, the query seems correct, but it doesn't match anything in the database. Perhaps the password in the db is encrypted or hashed? If you have access to phpMyAdmin, or some other database manager, you can take a look at what data is in there. Try something like this in your db

SELECT pw FROM users WHERE login = 'millern'

natman3

Well i finaly got it to work. You were right about the password. I forgot to encrypt it with md5 before comparing it to the table. Thank you very much for all your help.