3 replies to this topic

[D3GG3RZ]

Well, I am new to using the session function and I'm getting stuck on one major thing.
I am having users log in to the site, and each user has a set "permissions" value.
The permissions are 0 for customer and 1 for admin.
I am wanting to use the session function to check the users permissions upon login and depending on what that value is depends on what is displayed on the homepage.
If they are admin I want an "Admin Panel" link but if they are a customer I want it hidden. It's the same for a lot of other things aswell.

Any help will be greatly appreciated!!!

[papabear]

can you provide us some snippet of your code? or your progress code so far?
so that I can help you correct your code and guide you through the process?

[Orjan]

The easiest part is to save the status in the $_SESSION variable, similar to $_SESSION['admin'] = true; or $_SESSION['admin'] = false;
depending on status. Then you can do something like this:

if ($_SESSION['admin']) {
  echo "Admin link";
}

I suppose you already have an active session with everything like start_session() etc?

[papabear]

say for example you have a database named DBSin that database I have a table named USERS, and in users I have a
USERNAME, PASSWORD, PERMISSION fields... and I have USERNAME = "admin", Password = "pass", PERMISSION="1"

This will be my code for that:

<?php
   session_start();

//this function will return the permission of the user

public function getPermission($username, $password) {
   try {
			 $con = new PDO("mysql:host=localhost;dbname=DBS", 'root', ''); //create the connection object
			   $con->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); //set the error mode

				 $sql = "SELECT * FROM USER WHERE username = :username and password = :password"; //this will be my sql query.. notice the :username and :password, those are named parameters

				 $stmt = $con->prepare($sql); //create a prepared statement
				 $stmt->bindValue(":username","admin",PDO::PARAM_STR); //this is where I assign the value of :username
				 $stmt->bindValue(":password","pass",PDO::PARAM_STR); //this is where I assign the value of :password
				 $stmt->execute(); //execute the query
				 $result = $stmt->fetch(); // get the result set


                $con = null; //close the connection

			    return $result['permission']; //return the permission
   }  catch (PDOException $e) {
         $con = null; //close the connection
		 echo $e->getMessage(); //if there is error go here for debugging purposes
   }
}


// this part will be our login code
try{
   $con = new PDO("mysql:host=localhost;dbname=DBS", 'root', ''); //the connection object
  $con->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); //set the error mode

   $sql = "SELECT * FROM USER WHERE username = :username and password = :password"; //my sql query
   $stmt = $con->prepare($sql);
   $stmt->bindValue(":username","admin",PDO::PARAM_STR);
   $stmt->bindValue(":password","pass",PDO::PARAM_STR);
   $stmt->execute();
   $valid = $stmt->fetchColumn(); //see if there is record
   $con = null;
   if( $valid == false  ) {
	    echo "Invalid username/password"; //if no record
   } else {
	    $_SESSION['permission'] = getPermission("admin", "pass"); //if there is record call the getPermission function
   }
}  catch(PDOException $e) {
     $con = null;

	 echo $e->getMessage();
}
?>

I'm using PDO to connect to database because In my opinion it was for prepared statements and named parameters to avoid SQLinjection I explain the code in comments