Can't get a value into an if then statement

I am trying to take a value from MySQL and do a comparison on it. The user is being transferred from another page correctly, and the value in privs is found. I cannot get that value to work for the conditional branch. I am new to MySQL and PHP. Here is the code:

<?php require_once('Connections/connections.php'); ?>

<?php
session_start();
$name = $_SESSION['name'];
echo $name;
$result = mysqli_query($connections,"SELECT `privs` FROM `users` WHERE username = '$name'");
$row = mysqli_fetch_array($result);
echo $row['privs'];
$privs = $row['privs'];
if ($row['privs'] = 0) {"../spotters/spotters.php";
}else if($row['privs'] = 1){"../nco/nco.php";
}else if($row['privs'] = 2){"../ccord/ccord.php";     
}else if($row['privs'] = 3){"../nws/nws.php";
}else if($privs == '9'){"../admin/admin.php";
}
echo "Not Found";
?>
Someone PLEASE HELP!!!

All these tests need to use “==” to compare, rather than “=”. The single “=” assigns a new value into $row[‘privs’] rather than testing the comparison.

1 Like

I tried that and it still didn’t work. I am still getting the variables correctly, and then getting the not found message.

Also, you’re not doing anything between the braces.

What is

{"../spotters/spotters.php";
}

intended to do?

1 Like

Try something like this (untested):

That is to go to that page.

The value returned as privs is an int in the table. The suggestion did not work. I tried the switch and it did not work.

“did not work” in what way? Could you post the code you have now?

You are echoing “Not Found” regardless of the result.

Simply putting a URL in quotes is not the way to redirect to a different page.

The error that I am getting is:
ka3pmw9
Warning : Undefined variable $privs in /home/ka3pmw/public_html/temp/register/linker.php on line 11
Not Found
ka3pmw is the login, which is correct. 9 is the level that I am looking for in the switch; it is an int in the table and is correct. The Not Found is the fall-through. The code is:

<?php require_once('Connections/connections.php'); ?>

<?php
session_start();
$name = $_SESSION['name'];
echo $name ;
$result = mysqli_query($connections,"SELECT `privs` FROM `users` WHERE username = '$name'");
$row = mysqli_fetch_array($result);
echo $row['privs'];
switch ($privs) {
case 0: $x = "../spotters/spotters.php"; break;
case 1: $x = "../nco/nco.php"; break;
case 2: $x = "../ccord/ccord.php"; break;  
case 3: $x = "../nws/nws.php"; break;
case 9: $x = "../admin/admin.php"; break; // you had '9' as a string, I'm guessing it wasnt
default: echo "Not Found";
}
echo "Not Found";
?>

Yes.

Ah. You deleted the line where you assigned $privs:

Put that back. And then of course you need to decide what you’re doing with the result (that I called $x).

Ok, my 76-year-old brain isn't working. How then do I handle my statements to go to the pages? I guess I am used to going to a page based on a menu and not a condition. BTW I have had 3/4 of a pot of coffee and I am still lost!

Well, you hadn't mentioned, that I noticed at least, that these URL strings were something you were using as a navigation menu... In PHP, you use the header() function to redirect to a URL. So after the switch statement, you could do:

case 9: $x = "../admin/admin.php"; break;
default: echo "Not Found";
}
if (isset($x)) {
header ("Location: $x");
exit();
}

I think I have it working, at least it does for condition 9.
Here is my code:

<?php require_once('Connections/connections.php'); ?>

<?php
session_start();
$name = $_SESSION['name'];
echo $name ;
$result = mysqli_query($connections,"SELECT `privs` FROM `users` WHERE username = '$name'");
$row = mysqli_fetch_array($result);
echo $row['privs'];
$privs = $row['privs'];
echo $row['privs'];
switch ($privs) {
case 0: $x = header('Location: ../spotters/spotters.php'); break;
case 1: $x = header('Location: ../nco/nco.php'); break;
case 2: $x = header('Location: ../ccord/ccord.php'); break;  
case 3: $x = header('Location: ../nws/nws.php'); break;
case 9: $x = header('Location: ../admin/admin.php'); break; // you had '9' as a string, I'm guessing it wasnt
default: echo "Not Found";
}
echo "Not Found";
?>

Each page itself must test for and enforce any user permissions and access rules.

Also, every redirect needs an exit/die statement to stop php code execution. A header() statement just sends the header to the browser. It does not stop php code execution.

The simple way of doing this is to just output the correct content on a single page based on the user’s permission level. This eliminates the need to create and maintain the individual pages.

Next, you should use a prepared query when putting dynamic values into an sql query statement so that any sql special characters in a value cannot break the sql query syntax. It is a favorite hacker’s practice for user data to contain sql, javascript, php code that then gets used insecurely. If using prepared queries with the mysqli extension seems overly complicated, they are. This would be a good time to switch to the much simpler and more modern PDO extension.

Lastly, you should store the user’s id (autoincrement primary index) in the session variable to identify who the logged in user is. This will allow other user data to be edited, such as the username, and any change will take effect without needing the user to log out and back in again.
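As an added example (not code from anyone in this thread), here is the linker page rewritten to follow the advice in the post above: a prepared query through PDO, lookup by the user's id rather than username, a strict map from privilege level to page, and `exit` after every `header()`. It assumes Connections/connections.php provides a PDO connection in `$pdo` (a hypothetical name; the thread's file provides a mysqli handle called `$connections`) and that the login script has already stored `$_SESSION['user_id']`.

```php
<?php
// Added example, not the thread author's code.
// Assumes Connections/connections.php defines a PDO connection in $pdo (hypothetical name).
declare(strict_types=1);

require_once 'Connections/connections.php';
session_start();

// The session identifies the user by id (set at login), so renaming a user
// does not break the link between the session and the database row.
if (empty($_SESSION['user_id'])) {
    header('Location: ../login.php');
    exit;
}

// Prepared statement: the value is bound as a parameter, never pasted into the SQL text,
// so SQL special characters in the value cannot change the query.
$stmt = $pdo->prepare('SELECT privs FROM users WHERE id = ?');
$stmt->execute([(int) $_SESSION['user_id']]);
$privs = $stmt->fetchColumn();

if ($privs === false) {
    // No row: the session refers to a user that no longer exists.
    http_response_code(403);
    exit('Not Found');
}

// Privilege level to landing page. Only levels listed here redirect;
// anything else falls through to Not Found.
$pages = [
    0 => '../spotters/spotters.php',
    1 => '../nco/nco.php',
    2 => '../ccord/ccord.php',
    3 => '../nws/nws.php',
    9 => '../admin/admin.php',
];

// Depending on driver settings the column may come back as the string "9" rather than
// the int 9, so cast once and then do a strict array lookup instead of a loose switch.
$level = (int) $privs;
if (!array_key_exists($level, $pages)) {
    http_response_code(403);
    exit('Not Found');
}

// header() only queues the response header; exit stops the rest of the script from running,
// otherwise any code below (including output) would still execute.
header('Location: ' . $pages[$level]);
exit;
```

The destination pages still need their own permission check when they load; this script only chooses where to send the user.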

THANK YOU, it works perfectly, and I do have security on it.

I assume you have this project well underway or are dealing with an established project with user sections. I would recommend creating a DB table where the site sections can be defined, so that with a simple modification to your login code you have the section information and can set it to session.

For example I’ll call the table privileges with the fields
id (autoincrement), privs, section, homepage

and for example the first record would have the values
1 , 0 , spotters, spotters.php

Now I don't know what your login script looks like, but you would use a JOIN query with the privileges table and use table aliases to define the table fields from both tables. Something like this.

$sql = "SELECT 
  u.id
, u.password 
, p.section 
, p.homepage
FROM users u 	
	JOIN privileges p 
		ON p.privs = u.privs
WHERE u.username = ?";

After your password_verify() condition you can then set the needed values to session. For example:

$_SESSION['user_id'] = $row['id'];
$_SESSION['user_section'] = $row['section'];
$_SESSION['user_homepage'] = $row['homepage'];

You could follow this with a header to their home page. (adjust relative path from login.php).

header("location: ".$_SESSION['user_section']."/".$_SESSION['user_homepage']);
exit;

Now on every page you need to define the section. For example:

<?php
session_start(); 
$section = "spotters";

Then to make sure the user is logged in you can check if the user section is defined. If not, redirect back to login.

if(empty($_SESSION['user_section'])):
	header("location: ../login.php");
	exit;
endif;

You can then check if the user is in the right section by comparing the page section to the user section. Redirect if needed.

if($_SESSION['user_section'] !== $section):			 
	header("location: ../".$_SESSION['user_section']."/".$_SESSION['user_homepage']);
	exit;
endif;

This way all pages within each section will check for proper privileges, and it all starts at login when these privileges are set to session. There is no need to make a query for privs and do a one-time homepage redirect as you have here.

Also note I would probably define those 2 checks on a single common page and then include it on individual pages.

require_once '../includes/check_permission.php';
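As an added example (not the poster's code), here is what that common include might look like with the two checks from the post above combined in one file. It assumes the login script stored `user_section` and `user_homepage` in the session as described, and that each section page sets `$section` before requiring the file.

```php
<?php
// Added example: includes/check_permission.php (hypothetical path from the post above).
// Usage on a section page, before any output:
//     $section = 'spotters';
//     require_once '../includes/check_permission.php';
declare(strict_types=1);

if (session_status() !== PHP_SESSION_ACTIVE) {
    session_start();
}

// The including page must declare which section it belongs to; refusing to run
// without it means a page that forgets the variable fails closed rather than open.
if (!isset($section) || !is_string($section) || $section === '') {
    http_response_code(500);
    exit('Page did not declare its section.');
}

// Not logged in: login never stored a section, so send the user to the login page.
if (empty($_SESSION['user_section']) || empty($_SESSION['user_homepage'])) {
    header('Location: ../login.php');
    exit;
}

// Logged in, but this page belongs to a different section: send the user to their
// own home page. The target is built from session values set by the login query,
// not from anything in the current request.
if ($_SESSION['user_section'] !== $section) {
    header('Location: ../' . $_SESSION['user_section'] . '/' . $_SESSION['user_homepage']);
    exit;
}

// Reaching this point means the user is logged in and permitted to view this section.
```

Because every redirect is followed by `exit`, none of the page content below the `require_once` line is ever sent to a user who is not permitted to see it.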

Thanks, I appreciate your answer. I did get it working, by passing a unique variable, user, to the session, then checking the variable privs, which is controlled by an administrator or county coordinator. This unique value, 0 - 9, then determines where that user will go. The username will never change; all the other fields can. This way we are able to always contact that user.
I may make your change at a later date.

1 Like