Display text if admin



Killermud
03-02-2009, 06:51 PM
Hello, I'm trying to make it so if you are logged in and you are an admin it will display a link on the main page. But whatever I do the link is always there, and I've set a user with admin = 0 (none).


<?
$tbl_name="users";
$ip=$_SERVER['REMOTE_ADDR'];
$sql="SELECT * FROM $tbl_name WHERE admin ='1' AND ip ='$ip'";
$result=mysql_query($sql);
$rows=mysql_fetch_array($result);
$iptrue=$rows['ip'];
if($ip == $iptrue && $rows['admin'] = 1){
?>
<a href="/adm/index.php">Admin Control Panel</a>
<? }

Help please..

masterofollies
03-02-2009, 06:55 PM
if ($rows['admin'] == 1)
{
//Process admin coding
}
else {
//Process non-admin coding
}

oracleguy
03-02-2009, 07:09 PM
Could two users share the same IP address in your system? If so you'll need to tweak your code some.

Killermud
03-02-2009, 07:14 PM
masterofollies: Tried that, still the link came up with non-admin users.

oracleguy: Yes, I have 2 users in the database; they have the same IP address.

masterofollies
03-02-2009, 08:02 PM
I know mine works because I've used that same coding dozens of times in administrator control panels. You aren't using a double equal on your coding.


$rows['admin'] = 1)

A single equal means "assign to" where double equal means "is equal to".

Killermud
03-02-2009, 08:13 PM
No, still not working. New code is:


<?
$tbl_name="users";
$ip=$_SERVER['REMOTE_ADDR'];
$sql="SELECT * FROM $tbl_name WHERE admin ='1' AND ip ='$ip'";
$result=mysql_query($sql);
$rows=mysql_fetch_array($result);
$iptrue=$rows['ip'];
if($ip == $iptrue && $rows['admin'] == 1){
?>
<a href="./adm/index.php">Admin Control Panel</a>
<? }

Tried without the '$ip == $iptrue' as well; still the link shows up for someone without admin.

tomws
03-02-2009, 09:10 PM
If that's the whole code, I think it's broken because your logic is flawed. Follow along...


<?
$tbl_name="users";

// get the remote ip
$ip=$_SERVER['REMOTE_ADDR'];

// get all results from the table with the admin flag set where the ip is the remote ip
$sql="SELECT * FROM $tbl_name WHERE admin ='1' AND ip ='$ip'";

// query...
$result=mysql_query($sql);
$rows=mysql_fetch_array($result);

// set to the ip from the table
$iptrue=$rows['ip'];

/* The ip/iptrue comparison is meaningless. You're comparing
the value fetched against the value you told it to fetch. */

// If the value I told it to fetch is fetched and the row has an admin flag, show the link.
if($ip == $iptrue && $rows['admin'] == 1){
?>
<a href="./adm/index.php">Admin Control Panel</a>
<? }

The weak link is that there's nothing in the query restricting it to the actual current user, unless you're relying on the IP address alone. As oracleguy implied, that could create problems.

Killermud
03-02-2009, 10:37 PM
So how can I make it identify a user if he is an admin or not?

masterofollies
03-02-2009, 11:00 PM
0 = non-admin
1 = admin

That is all you need, you don't need an ip address or anything.

Killermud
03-02-2009, 11:06 PM
OK, now I have:


<?
$tbl_name="users";
$sql="SELECT * FROM $tbl_name WHERE admin='1'";
$result=mysql_query($sql);
$rows=mysql_fetch_array($result);
if($rows['admin']){
?>
<p align="center"><a href="./adm/index.php">Admin Control Panel</a></p>
<? }

Still no luck, user with admin defined as 0 still sees the link.

masterofollies
03-02-2009, 11:14 PM
Here do this.


<?php
$adminquery = ("SELECT * FROM users");
$adminrow = mysql_fetch_array($adminquery);
if($adminrow['admin'] == 1){

echo '<p align="center"><a href="./adm/index.php">Admin Control Panel</a></p>';
}
else {
echo 'No link';
}
?>

Delete your other and use that. I am assuming your admin field is a smallint. If not, change it to smallint with a value of 1.

tomws
03-02-2009, 11:16 PM
Your logic is still flawed. You're selecting all rows from the table with an admin flag set and then checking whether you've selected any rows with an admin flag set. That's incorrect. You want to figure out if the current user is an admin. Your query does not contain that information.

tomws
03-02-2009, 11:19 PM
Here do this.

<snip>

This doesn't look useful for anything but a single-user system since it selects all and assumes that the first row selected is an admin.

(Forgot to actually run the query, too.)

Killermud
03-02-2009, 11:29 PM
That's what I thought, and as said it still presents the link to non-admin users.

So how is it possible?

tomws
03-03-2009, 12:02 AM
I don't know what you're doing for your login system. I'm guessing you may not be using one since you were looking at using IP addresses. Assuming you actually do have a login system and you check before (or alongside) the query that the user is logged in, the query itself might resemble:


$query = "SELECT user FROM users WHERE user='$thisUserName' AND admin='1'";

This is highly dependent upon your actual implementation, of course, but the idea is that it checks whether the current user is an admin. mysql_query() would fetch the result, assign it to a variable with mysql_fetch_array(), and then use mysql_num_rows() to test whether there are any rows in the result. If so, admin. Else, not admin.

For a positive result, meaning the user is an admin, the mysql_num_rows should be only 1 since your user ID ("user" in my example) should be unique in any users table. For a negative result, meaning the user is not admin, 0 is returned. Remember to check for errors for all of the functions, too. Check the man pages for results on error conditions.

http://us3.php.net/mysql_query
http://us3.php.net/mysql_fetch_array
http://us3.php.net/mysql_num_rows

Killermud
03-03-2009, 12:09 AM
OK thanks, that's where I have trouble identifying the user, as I don't know how to make the PHP page identify the person viewing to the user.

I do have a login system; here is my login page:


<?php

/**
 * @author Killermud
 * @copyright 2009
 */

require './connect.php';
if(!$con)
{
    die('Could not connect: ' . mysql_error());
}

session_start(); // Starts the session.
if ($_SESSION['logged'] == 1) { // User is already logged in.
    header("Location: index.php"); // Goes to main page.
    exit(); // Stops the rest of the script.
} else {
    if (!isset($_POST['submit'])) { // The form has not been submitted.
        echo "<form action=\"login.php\" method=\"POST\">";
        echo "<table>";
        echo "<tr>";
        echo "<td colspan=\"2\">Login:</td>";
        echo "</tr>";
        echo "<tr>";
        echo "<td width=\"50%\">Username:</td><td width=\"50%\"><input name=\"username\" size=\"18\" type=\"text\" /></td>";
        echo "</tr>";
        echo "<tr>";
        echo "<td width=\"50%\">Password:</td><td width=\"50%\"><input name=\"password\" size=\"18\" type=\"password\" /></td>";
        echo "</tr>";
        echo "<tr>";
        echo "<td colspan=\"2\"><input type=\"submit\" name=\"submit\" value=\"submit\" /></td>";
        echo "</tr>";
        echo "</table>";
        echo "</form>";
    } else {
        $username = form($_POST['username']);
        $password = md5($_POST['password']); // Encrypts the password.

        $q = mysql_query("SELECT * FROM `users` WHERE username = '$username' AND password = '$password' AND active IS NULL") or die (mysql_error()); // mySQL query
        $r = mysql_num_rows($q); // Checks to see if anything is in the db.
        if ($r == 1) { // There is something in the db. The username/password match up.
            $_SESSION['logged'] = 1; // Sets the session.
            header("Location: main_forum.php"); // Goes to main page.
            exit(); // Stops the rest of the script.
        } else { // Invalid username/password.
            exit("Incorrect username/password!"); // Stops the script with an error message.
        }
    }
}
?>
<a href="./register.php">Register</a>

tomws
03-03-2009, 12:17 AM
Ok, you have the base part for checking whether the user is logged in...


if ($_SESSION['logged'] == 1)

That's a start. But I don't see any other session variables being set. If that's the case, you might want to modify the login script to add in a user id, username, whatever. If you chose to do that, you could add it into this if statement:


if ($r == 1) {
$_SESSION['username']=$username; // new code saves username to the session variable

Now, on any other page, you have to use the session_start() function at the top (before headers are sent) in order to access the session variable. If you're unfamiliar with that requirement, search the forums, check the man page, and Google around. There are plenty of explanations.


EDIT: Forgot to address the original query modification. That would turn into something like this:

$query = "SELECT username FROM users WHERE username='{$_SESSION['username']}' AND admin='1'";

Killermud
03-03-2009, 12:31 AM
OK, I've added those in but it won't work; it comes up with this error:

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in c:\domains\opjeplaats.nl\wwwroot\darkness\webtemp\main_forum.php on line 62

My code is:


<?
$tbl_name="users";
$sql="SELECT username FROM users WHERE username='{$_SESSION['username']}' AND admin='1'";
$result=mysql_query($sql);
$rows=mysql_fetch_array($result);
$result2=mysql_num_rows($sql);
if($result2 == 1){
?>
<p align="center"><a href="./adm/index.php">Admin Control Panel</a></p>
<? }

And I have started the session.

sea4me
03-03-2009, 12:43 AM
Try:


<?
$tbl_name="users";
$sql="SELECT username FROM users WHERE username='{$_SESSION['username']}' AND admin='1'";
$result=mysql_query($sql);
$rows=mysql_fetch_array($result);
$result2=mysql_num_rows($result);
if($result2 == 1){
?>
<p align="center"><a href="./adm/index.php">Admin Control Panel</a></p>
<? }

tomws
03-03-2009, 12:45 AM
mysql_num_rows() is run on the result of the query, not the query string itself. And I don't know why I told you to use mysql_fetch_array(). It's not necessary for how I've explained to do this. My mistake. Modify your code like this:

$tbl_name="users";
$sql="SELECT username FROM users WHERE username='{$_SESSION['username']}' AND admin='1'";
$result=mysql_query($sql);
/* remove this line
$rows=mysql_fetch_array($result); */
/* change these lines
$result2=mysql_num_rows($sql);
if($result2 == 1){*/
$num_rows=mysql_num_rows($result);
if($num_rows == 1){


EDIT: sea4me's code is the same, but with the mysql_fetch_array still in place. Useful if you need to use some info from the query.

sea4me
03-03-2009, 12:45 AM
BTW, this isn't needed...


$rows=mysql_fetch_array($result);

EDIT: tomws also meant this but he beat me by a sec.

tomws
03-03-2009, 12:50 AM
Ha! It gets confusing when people are posting at the same time and don't know it. :D

masterofollies
03-03-2009, 01:18 AM
You can use an id + admin. Since id has to be unique, I don't trust using usernames.

sea4me
03-03-2009, 06:32 AM
Ha! It gets confusing when people are posting at the same time and don't know it. :D

Yes indeed it is :)

Killermud
03-03-2009, 05:44 PM
Yay, works now :)

Thanks for the help Tomws.

Final code :


<?
$tbl_name="users";
$sql="SELECT username FROM users WHERE username='{$_SESSION['username']}' AND admin='1'";
$result=mysql_query($sql);
$result2=mysql_num_rows($result);
if($result2 == 1){
$num_rows=mysql_num_rows($result);
if($num_rows == 1){
?>
<p align="center"><a href="./adm/index.php">Admin Control Panel</a></p>
<? }
}

sea4me
03-04-2009, 01:54 AM
Yay, works now :)

Thanks for the help Tomws.

Final code :


<?
$tbl_name="users";
$sql="SELECT username FROM users WHERE username='{$_SESSION['username']}' AND admin='1'";
$result=mysql_query($sql);
$result2=mysql_num_rows($result);
if($result2 == 1){
$num_rows=mysql_num_rows($result);
if($num_rows == 1){
?>
<p align="center"><a href="./adm/index.php">Admin Control Panel</a></p>
<? }
}

Why are there 2 mysql_num_rows?
You only need 1:

<?
$tbl_name="users";
$sql="SELECT username FROM users WHERE username='{$_SESSION['username']}' AND admin='1'";
$result=mysql_query($sql);
$num_rows=mysql_num_rows($result);
if($num_rows == 1){
?>
<p align="center"><a href="./adm/index.php">Admin Control Panel</a></p>
<? }
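
Added example, not part of any post in this thread: the same "is the current user an admin" check written with PDO prepared statements and password_hash()/password_verify(), since the mysql_* functions used above were removed in PHP 7.0 and md5() is not a password hash. The function names login() and currentUserIsAdmin(), the users schema, the sample accounts and the in-memory SQLite database are assumptions made for the demonstration; the session stores the unique user id, as masterofollies suggested.

```php
<?php
// Added example; schema, function names and sample users are constructed.

function login(PDO $db, string $username, string $password): bool
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true); // fresh session id once the user is authenticated
    }
    $_SESSION['user_id'] = (int) $row['id']; // identity comes from the login, not the IP
    return true;
}

function currentUserIsAdmin(PDO $db): bool
{
    if (!isset($_SESSION['user_id'])) {
        return false; // nobody is logged in
    }
    // Scope the query to the logged-in user; bound parameters, no string interpolation.
    $stmt = $db->prepare('SELECT 1 FROM users WHERE id = ? AND admin = 1');
    $stmt->execute([$_SESSION['user_id']]);
    return $stmt->fetchColumn() !== false;
}

// Constructed demo: in-memory SQLite with one admin and one non-admin.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE,
    password_hash TEXT NOT NULL, admin INTEGER NOT NULL DEFAULT 0)');
$ins = $db->prepare('INSERT INTO users (username, password_hash, admin) VALUES (?, ?, ?)');
$ins->execute(['alice', password_hash('alice-pass', PASSWORD_DEFAULT), 1]);
$ins->execute(['bob', password_hash('bob-pass', PASSWORD_DEFAULT), 0]);

foreach ([['alice', 'alice-pass'], ['bob', 'bob-pass']] as [$user, $pass]) {
    $_SESSION = []; // each iteration stands in for a separate visitor
    login($db, $user, $pass);
    if (currentUserIsAdmin($db)) {
        echo "$user: <a href=\"./adm/index.php\">Admin Control Panel</a>\n";
    } else {
        echo "$user: no link\n";
    }
}
```

Run the same currentUserIsAdmin() check at the top of ./adm/index.php as well, because hiding the link does not stop a non-admin from requesting that URL directly.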


