I'm trying to use session variables to limit the access to a page. I have 3 levels of access: admin, help and tech. On pages with help or tech access admin is also allowed. I can't figure out how to write the if statement. Here is the code I have:
<?php
//Start session
session_start();
//Check whether the session variable SESS_MEMBER_ID is present or not
if(!isset($_SESSION['SESS_MEMBER_ID']) || (trim($_SESSION['SESS_MEMBER_ID']) == '')) {
header("location: fail_access.php");
exit();
}
if ((!isset($_SESSION['SESS_ACCESSLVL']) == 'admin') || (!isset($_SESSION['SESS_ACCESSLVL']) == 'help')) {
header("location: fail_access.php");
exit();
}
?>
When I have it like it is shown here it allows all levels to access the page that should be restricted to 'help' (that also includes 'admin'). Can someone point out the error of my ways?? Any help greatly appreciated. I'm very new at this an obviously don't fully understand it.
Cheers
Try:
if (
!isset($_SESSION['SESS_ACCESSLVL']) ||
!(($_SESSION['SESS_ACCESSLVL'] == 'admin') || ($_SESSION['SESS_ACCESSLVL'] == 'help'))
)
{
header("location: fail_access.php");
exit();
}
You could also try out http://php.net/manual/en/function.in-array.php
$allowedAccessLevels = array('admin', 'help');
if (
!isset($_SESSION['SESS_ACCESSLVL']) ||
!in_array($_SESSION['SESS_ACCESSLVL'], $allowedAccessLevels)
)
{
header("location: fail_access.php");
exit();
}
isset checks whether a variable or array entry is set, and returns a boolean accordingly. It does not consider or return the value in any way.
Just check that it's set, then if so, check the value.
if(isset($_SESSION['SESS_ACCESSLVL']))
{
$level = $_SESSION['SESS_ACCESSLVL'];
// Check $level
}
!isset($_SESSION['SESS_ACCESSLVL']) == 'admin'
What are you trying to do here? isset returns a boolean. You're comparing a boolean to a string. Think about that.
Try this:
(isset($_SESSION['SESS_ACCESSLVL']) && $_SESSION['SESS_ACCESSLVL']==='admin')
The isset portion isn't strictly needed because the latter condition will fail if it isn't set, but I think it throws a warning otherwise (unless you have them turned off).
isset returns true or false. You are comparing this true/false value against your access strings. In PHP, true == 'some string' is TRUE, so your code makes everyone an admin.