If an int has a specific value, do something, otherwise do something else

I'm trying to rank my users from 1 or 7. If the logged-in user has Rank 7, say "you are staff". If not, do something else. But if I, for example, give user 1 rank 7, nothing happens. And then if I give user 2 rank 7, both get the message saying you are staff.

I've been struggling with this for 3 days now without finding out the problem. What I want the website to do is to find out if the logged in user has rank 7 (Not if any others but only the logged in has rank 7), and if someone else on my database has rank 7 and not you, you're not supposed to get the "you are staff" message. I have a database called GamesNet, a table called members, and my user ids are called memberID and I have a couple of other columns called username, password, email and Rank.

That's an ok setup, right? Here's my code:

$stmt = $db->prepare('SELECT Rank, memberID from members where memberID');
$stmt->bindParam(7,$memberID, PDO::PARAM_INT);
$stmt->execute();

$result = $stmt->fetch(PDO::FETCH_ASSOC);
if($result['Rank'] == 7){
    echo "You are a staff member.";
}else{
    echo "Hello you are not a staff.";
}

?>

EDIT:

user.php: 

        <?php
        include('password.php');
        class User extends Password{

            private $_db;

            function __construct($db){
                parent::__construct();

                $this->_db = $db;
            }

            private function get_user_hash($username){

                try {
                    $stmt = $this->_db->prepare('SELECT password, username, memberID FROM members WHERE username = :username AND active="Yes" ');
                    $stmt->execute(array('username' => $username));

                    return $stmt->fetch();

                } catch(PDOException $e) {
                    echo '<p class="bg-danger">'.$e->getMessage().'</p>';
                }
            }

            public function login($username,$password){

                $row = $this->get_user_hash($username);

                if($this->password_verify($password,$row['password']) == 1){

                    $_SESSION['loggedin'] = true;
                    $_SESSION['username'] = $row['username'];
                    $_SESSION['memberID'] = $row['memberID'];


                    return true;
                }
            }

            public function logout(){
                session_destroy();
            }

            public function is_logged_in(){
                if(isset($_SESSION['loggedin']) && $_SESSION['loggedin'] == true){
                    return true;
                }
            }

        }


        ?>

Memberpage.php
        <?php require('includes/config.php'); 



        $memberID = user;
        $stmt = $db->prepare('select rank, memberid from members');
        $stmt->execute();
        while ($result = $stmt->fetch(PDO::FETCH_ASSOC)) {
            if ($result['rank'] == 7) {
                echo "You are a staff member.";
            } else {
                echo "Hello you are not a staff.";

//When I run this code, it tells me I'm not staff, even though I am rank 7.
            }
        }




        //if not logged in redirect to login page
        //exit after the redirect so the rest of the page never runs for anonymous visitors
        if(!$user->is_logged_in()){ header('Location: login.php'); exit; }


        //define page title
        $title = 'Members Page';

        //include header template
        require('layout/header.php'); 
        ?>

        <div class="container">

            <div class="row">

                <div class="col-xs-12 col-sm-8 col-md-6 col-sm-offset-2 col-md-offset-3">

                        <h2>Member only page - Welcome <?php echo htmlspecialchars($_SESSION['username'], ENT_QUOTES, 'UTF-8'); ?></h2>
               <p><a href='logout.php'>Logout</a></p>
                        <hr>

                </div>
            </div>


        </div>



        <?php


/*
$stmt = $db->prepare('select Rank, memberID from members');
$stmt->execute();
while ($result = $stmt->fetch(PDO::FETCH_ASSOC)) {
    if ($result['Rank'] == 7) {

        echo "You are a staff member."; 
       echo $result['Rank'];

    } else {
        echo "Hello you are not a staff.";
    }
}
*/
//When I run this code, it works. But it gives me the messages for all registered users.
    ?>

login.php

<?php
//include config
require_once('includes/config.php');

//check if already logged in move to home page
if( $user->is_logged_in() ){ header('Location: index.php'); exit; }

//process login form if submitted
if(isset($_POST['submit'])){

    $username = $_POST['username'];
    $password = $_POST['password'];

    if($user->login($username,$password)){ 
        $_SESSION['username'] = $username;
        header('Location: memberpage.php');
        exit;

    } else {
        $error[] = 'Wrong username or password or your account has not been activated.';
    }

}//end if submit

//define page title
$title = 'Login';

//include header template
require('layout/header.php'); 
?>


<div class="container">

    <div class="row">

        <div class="col-xs-12 col-sm-8 col-md-6 col-sm-offset-2 col-md-offset-3">
            <form role="form" method="post" action="" autocomplete="off">
                <h2>Please Login</h2>
                <p><a href='./'>Back to home page</a></p>
                <hr>

                <?php
                //check for any errors
                if(isset($error)){
                    foreach($error as $error){
                        echo '<p class="bg-danger">'.$error.'</p>';
                    }
                }

                if(isset($_GET['action'])){

                    //check the action
                    switch ($_GET['action']) {
                        case 'active':
                            echo "<h2 class='bg-success'>Your account is now active you may now log in.</h2>";
                            break;
                        case 'reset':
                            echo "<h2 class='bg-success'>Please check your inbox for a reset link.</h2>";
                            break;
                        case 'resetAccount':
                            echo "<h2 class='bg-success'>Password changed, you may now login.</h2>";
                            break;
                    }

                }


                ?>

                <div class="form-group">
                    <input type="text" name="username" id="username" class="form-control input-lg" placeholder="User Name" value="<?php if(isset($error)){ echo htmlspecialchars($_POST['username'], ENT_QUOTES, 'UTF-8'); } ?>" tabindex="1">
                </div>

                <div class="form-group">
                    <input type="password" name="password" id="password" class="form-control input-lg" placeholder="Password" tabindex="3">
                </div>

                <div class="row">
                    <div class="col-xs-9 col-sm-9 col-md-9">
                         <a href='reset.php'>Forgot your Password?</a>
                    </div>
                </div>

                <hr>
                <div class="row">
                    <div class="col-xs-6 col-md-6"><input type="submit" name="submit" value="Login" class="btn btn-primary btn-block btn-lg" tabindex="5"></div>
                </div>
            </form>
        </div>
    </div>



</div>


<?php 
//include footer template
require('layout/footer.php'); 
?>

The where clause in the select statement is missing a parameter marker, e.g.

SELECT Rank, memberID from members where memberID = ?

and then bindParam must use 1 not 7, because it is the first and only parameter marker

$stmt->bindParam(1,$memberID, PDO::PARAM_INT);

You can also skip bindParam and pass the memberId as an array to execute

$stmt->execute(array($memberID));

To process just one user

$memberID = 1234;
$stmt = $db->prepare('select rank, memberid from members where memberid = ?');
$stmt->execute(array($memberID));
$result = $stmt->fetch(PDO::FETCH_ASSOC);
if ($result['rank'] == 7) {
    echo "You are a staff member.";
} else {
    echo "Hello you are not a staff.";
}

To fetch all users

$stmt = $db->prepare('select rank, memberid from members');
$stmt->execute();
while ($result = $stmt->fetch(PDO::FETCH_ASSOC)) {
    if ($result['rank'] == 7) {
        echo "You are a staff member.";
    } else {
        echo "Hello you are not a staff.";
    }
}

You already have $_SESSION['memberID'] in function login. So you could use it

$stmt = $db->prepare('select rank, memberid from members where memberid = ?');
$stmt->execute(array($_SESSION['memberID']));

and have the needed data.


Better yet, you could extend function get_user_hash with

// user.php, function get_user_hash()
$stmt = $this->_db->prepare('SELECT password, username, memberID, Rank FROM members WHERE username = :username AND active="Yes" ');

This would provide rank in one go, and avoid the additional database round trip. You could then save rank in function login

// user.php, function login()
// ...
$_SESSION['loggedin'] = true;
$_SESSION['username'] = $row['username'];
$_SESSION['memberID'] = $row['memberID'];
$_SESSION['Rank'] = $row['Rank'];

Now you can just check for

// Memberpage.php
if ($_SESSION['Rank'] == 7) {
    echo "You are a staff member.";
} else {
    echo "Hello you are not a staff.";
}

without doing another SQL query.
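
The following is an added example, not part of the original question or answer. It shows the rank check keyed to the logged-in member's session ID and read on every request. The function names `current_member_rank` and `is_staff` are hypothetical, and an in-memory SQLite table with constructed rows stands in for the `members` table.

```php
<?php
// Added example (not from the original post). Assumes the question's schema:
// members(memberID, username, Rank). The in-memory SQLite rows are constructed.
declare(strict_types=1);

const STAFF_RANK = 7;

/** Rank of the logged-in member only, or null if not logged in / unknown ID. */
function current_member_rank(PDO $db, array $session): ?int
{
    if (empty($session['loggedin']) || !isset($session['memberID'])) {
        return null;                       // no authenticated identity, no rank
    }
    // One placeholder, bound at position 1, restricts the query to this member.
    $stmt = $db->prepare('SELECT Rank FROM members WHERE memberID = ?');
    $stmt->bindValue(1, (int) $session['memberID'], PDO::PARAM_INT);
    $stmt->execute();
    $rank = $stmt->fetchColumn();          // false when no row matches
    return $rank === false ? null : (int) $rank;
}

function is_staff(PDO $db, array $session): bool
{
    return current_member_rank($db, $session) === STAFF_RANK;
}

// --- constructed demo data ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (memberID INTEGER PRIMARY KEY, username TEXT, Rank INTEGER)');
$db->exec("INSERT INTO members VALUES (1, 'alice', 7), (2, 'bob', 1)");

$sessions = [
    'alice (rank 7)' => ['loggedin' => true, 'memberID' => 1],
    'bob (rank 1)'   => ['loggedin' => true, 'memberID' => 2],
    'anonymous'      => [],
];
foreach ($sessions as $label => $session) {
    echo $label, ': ', is_staff($db, $session) ? 'staff' : 'not staff', PHP_EOL;
}

// Rank is read on every request, so a demotion applies immediately,
// whereas a Rank value stored in $_SESSION at login lasts until the session ends.
$db->exec('UPDATE members SET Rank = 1 WHERE memberID = 1');
echo 'alice after demotion: ',
    is_staff($db, $sessions['alice (rank 7)']) ? 'staff' : 'not staff', PHP_EOL;
```

Storing `Rank` in the session saves a query per page, while the per-request lookup above costs one query and picks up rank changes without a new login.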