Session security


I have the following code:

if($_SESSION['memberid'] == $memberid || $_SESSION['userlevel'] == 3)

$_SESSION[‘memberid’] doesnt exist but $memberid does exist…

This part of the code $_SESSION[‘memberid’] == $memberid doesnt seen to stop people not logged in from accessing the data, but this $_SESSION[‘userlevel’] == 3 on its own does work…

Trying to make it so only the member who owns the record and the admins with userlevel 3 can access the code between the statement… Any reason it isnt working?


What does $_SESSION[‘memberid’] do if it doesnt exist?

You could try this:

if(($_SESSION['memberid'] == $memberid) || ($_SESSION['userlevel'] == 3)) 

Do you have error reporting turned on? If $_SESSION[‘memberid’] is not set, then it should be throwing a notice.

This is what I think is going on:

An unset variable equates to null and if $memberid is also not set, then you have two nulls. Two nulls are the same and equates to true, and so passes your condition.

If I’m right you should first check for the existence of $_SESSION[‘memberid’].

    ( isset($_SESSION['memberid']) && $_SESSION['memberid'] == $memberid )
    ( isset($_SESSION['userlevel]) && $_SESSION['userlevel'] == 3 )
// go ahead


Ahh yes, I see it was a non existant record when viewed so $memberid wasnt being set… hence allowing to view.

I guess it doesnt matter as the record cant be deleted as its doesnt exist in the database but i guess it should be stoped… The code above appears to have a syntax error?


I failed to close a quote on an session array key.

$_SESSION['memberid'] = 3;

    ( isset($_SESSION['memberid']) && $_SESSION['memberid'] == $memberid )
    ( isset($_SESSION['userlevel']) && $_SESSION['userlevel'] == 3 )
echo ' go ahead';

} else {

echo 'abort';


You could also go on to check whether $memberid is set.

ie If none of them are set then abort higher up.

if( !isset( <var here> ) || !isset(  ) || !isset(  ) ) {
// abort

Ahh sweet… thanks for the ideas…