  1. #1
    SitePoint Guru

    Session security

    Hey,

    I have the following code:

    PHP Code:
    // Original check as posted: loose comparison, no isset() guard
    if($_SESSION['memberid'] == $memberid || $_SESSION['userlevel'] == 3) {
        // protected code
    }

    $_SESSION['memberid'] doesn't exist but $memberid does exist..

    This part of the code $_SESSION['memberid'] == $memberid doesn't seem to stop people not logged in from accessing the data, but this $_SESSION['userlevel'] == 3 on its own does work..

    Trying to make it so only the member who owns the record and the admins with userlevel 3 can access the code between the statement.. Any reason it isn't working?


    Thanks

  2. #2
    SitePoint Addict
    What does $_SESSION['memberid'] do if it doesn't exist?

    You could try this:

    PHP Code:
    if(($_SESSION['memberid'] == $memberid) || ($_SESSION['userlevel'] == 3)) 

  3. #3
    SitePoint Wizard Cups
    Do you have error reporting turned on? If $_SESSION['memberid'] is not set, then it should be throwing a notice.


    This is what I think is going on:

    An unset variable equates to null, and if $memberid is also not set, then you have two nulls. Two nulls are the same and equate to true, and so pass your condition.

    If I'm right you should first check for the existence of $_SESSION['memberid'].
    PHP Code:
    // Guard each session key with isset() before comparing it
    if(
        ( isset($_SESSION['memberid']) && $_SESSION['memberid'] == $memberid )
        ||
        ( isset($_SESSION['userlevel']) && $_SESSION['userlevel'] == 3 )
      ){
        // go ahead
    }



  4. #4
    SitePoint Guru
    Ahh yes, I see it was a non-existent record when viewed so $memberid wasn't being set.. hence allowing to view.

    I guess it doesn't matter as the record can't be deleted as it doesn't exist in the database but I guess it should be stopped.. The code above appears to have a syntax error?

    Thanks..

  5. #5
    SitePoint Wizard Cups
    I failed to close a quote on a session array key.

    PHP Code:
    // Sample values: logged-in member 3 looking at a record owned by member 23
    $_SESSION['memberid'] = 3;
    $memberid = 23;

    if(
        ( isset($_SESSION['memberid']) && $_SESSION['memberid'] == $memberid )
        ||
        ( isset($_SESSION['userlevel']) && $_SESSION['userlevel'] == 3 )
      ){
        echo ' go ahead';
    } else {
        echo 'abort';
    }


    You could also go on to check whether $memberid is set.

    i.e. If none of them are set then abort higher up.
    PHP Code:
    // Bail out before the access check if any of the three values is missing
    if( !isset( $_SESSION['memberid'] ) || !isset( $_SESSION['userlevel'] ) || !isset( $memberid ) ) {
        // abort
    }
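    Added example (not code from the thread or from Cups): it puts the two ideas from posts #3 and #5 side by side, reproducing why the original check passes when both values are unset, and the early-abort, isset()-guarded version that denies in that case. It assumes a plain array $session standing in for $_SESSION and an int-or-null $memberid standing in for the owner id loaded from the database (null when the record does not exist), so it runs without a web server or session_start().

```php
<?php
declare(strict_types=1);

// Added example, not the original poster's code. $session models $_SESSION and
// $memberid models the owner id read from the database (null = record missing).

/**
 * The check as originally posted: loose == with no isset() guard.
 * The null-coalescing operator only silences the undefined-index notice;
 * the comparison still sees null == null when nothing is set, which is true.
 */
function originalCheck(array $session, $memberid): bool
{
    return (($session['memberid'] ?? null) == $memberid)
        || (($session['userlevel'] ?? null) == 3);
}

/**
 * Hardened version following the thread's advice:
 *  - abort early if the visitor is not logged in or the record owner is unknown
 *  - compare with === so null, '' and 0 can never match each other
 */
function canAccessRecord(array $session, ?int $memberid): bool
{
    // isset() with several arguments is true only when every one of them is set
    if (!isset($session['memberid'], $session['userlevel']) || $memberid === null) {
        return false;
    }

    $isOwner = (int) $session['memberid'] === $memberid;
    $isAdmin = (int) $session['userlevel'] === 3;

    return $isOwner || $isAdmin;
}

// Constructed scenarios (label => [session contents, record owner id])
$cases = [
    'anonymous visitor, record exists'  => [[], 23],
    'anonymous visitor, record missing' => [[], null],
    'owner viewing own record'          => [['memberid' => 23, 'userlevel' => 1], 23],
    'another member (level 1)'          => [['memberid' => 3,  'userlevel' => 1], 23],
    'admin (userlevel 3)'               => [['memberid' => 3,  'userlevel' => 3], 23],
];

foreach ($cases as $label => [$session, $memberid]) {
    printf(
        "%-35s original=%-5s hardened=%s\n",
        $label,
        originalCheck($session, $memberid) ? 'allow' : 'deny',
        canAccessRecord($session, $memberid) ? 'allow' : 'deny'
    );
}
```

    The two functions disagree on exactly one row: the anonymous visitor looking at a record that does not exist. There the original check compares null with null and allows access, which is the situation the first poster ran into; the hardened check returns false before the comparison is ever reached.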


  6. #6
    SitePoint Guru
    Ahh sweet.. thanks for the ideas..

