I have a table called admin_permissions with the following columns:
the last 4 columns are the different levels
I have this code which checks the permissions:
$permission_sql="SELECT * from admin_permissions where page_name = '".$_SERVER["REQUEST_URI"]."' ";
$permission_rs=mysql_query($permission_sql,$conn);
if(mysql_num_rows($permission_rs) == 0)
{
echo '<h2 align="center">An Error has occurred!</h2>';
exit();
}
else
{
$permission_result=mysql_fetch_array($permission_rs);
if($usertype_user != $permission_result["level_user"] or
$usertype_support != $permission_result["level_support"] or
$usertype_admin != $permission_result["level_admin"] or
$usertype_accounts != $permission_result["level_accounts"])
{
echo '<h2 align="center">Access Denied</h2>';
echo '<h2 align="center">Please contact your administrator quoting \'Permission Error\' and number \''.$permission_result["sequence"].'\'</h2>';
exit();
}
else
{
}
}
the $usertype_... either equal '' or 'yes' and the database results either equal '' or 'yes'
the user i am logged in as, has $permission_result["level_admin"] equal to yes so the above if statement should be false but its not, its saying its true
how can i get the above code to work
*P.S. I am not worried about SQL Injection on this particular code
please remove 'or' try with ||, for checking or condition use the symbol "||" , for checking and condition use "&&"
$permission_sql="SELECT * from admin_permissions where page_name = '".$_SERVER["REQUEST_URI"]."' ";
$permission_rs=mysql_query($permission_sql,$conn);
if(mysql_num_rows($permission_rs) == 0)
{
echo '<h2 align="center">An Error has occurred!</h2>';
exit();
}
else
{
$permission_result=mysql_fetch_array($permission_rs);
if(($usertype_user != $permission_result["level_user"]) ||
($usertype_support != $permission_result["level_support"])||
($usertype_admin != $permission_result["level_admin"])||
($usertype_accounts != $permission_result["level_accounts"]))
{
echo '<h2 align="center">Access Denied</h2>';
echo '<h2 align="center">Please contact your administrator quoting \'Permission Error\' and number \''.$permission_result["sequence"].'\'</h2>';
exit();
}
else
{
}
}
This statement
if($usertype_user != $permission_result["level_user"] or
$usertype_support != $permission_result["level_support"] or
$usertype_admin != $permission_result["level_admin"] or
$usertype_accounts != $permission_result["level_accounts"])
is true if at least one of these permissions doesn't match, it is false only if all these permissions match. In your case, at least one of user, support, admin, accounts don't match level_user, level_support, level_admin, level_accounts, so check it: you may have admin match (yes==yes or ''==''), but you might be missing something else.
You probably want something like this:
if(
($permission_result["level_user"] and $usertype_user!='yes') or
($permission_result["level_support"] and $usertype_support!='yes') or
($permission_result["level_admin"] and $usertype_admin!='yes') or
($permission_result["level_account"] and $usertype_accounts!='yes')
)
Notes
Have a look at type jugling in php: if you have " " instead of "" somewhere, it is evaluated as true
The difference between or and || or and and && is only in precedence, see the manual, doesn't matter in this case.
I'm not sure if $_SERVER["REQUEST_URI"] has to be url encoded; to be sure, you may use mysql_real_escape_string on it - or better, as the comments complain about mysql_* deprecation, mysqli_real_escape_string - or, if you don't use some exotic charset, just addslashes.