
Hey all,

This website is a directory and the problem is authenticating users to edit a server, even after they've logged in. The idea is to stop any SQL mix-ups due to my weak code (I'm learning PHP).

When they click 'Edit' next to the server after logging in they are directed to "update-server.php?server=$server_id".

When they arrive at "update-server.php" this code runs:

    // The session was started at login; this value was stored there
    session_start();
    $username = $_SESSION['valid'];

    // This comes from the query string: update-server.php?server=...
    $server_id = $_GET['server'];

    // See if a server exists with this ID and username.
    // Both values are concatenated into the SQL unescaped.
    $query_server = "SELECT id FROM servers WHERE id='".$server_id."' AND `administrator`='".$username."'";
    $result = mysql_query($query_server);
    $auth_check = mysql_num_rows($result);

    // If exactly one row matches both the id and the username, show the form
    if ($auth_check == 1) {

        // FORM HERE

    } else {

        // Otherwise send the user back to their account page and stop here;
        // without exit the rest of the script would keep running
        header('Location: account.php');
        exit;

    }

Now here's the problem. I've purposely added servers under the account that don't belong to me and servers that do. However, they both send me back to account.php?

Any ideas? :)

Thanks in advance!

Last Post by mmcdonald

The following line:

update-server.php?server=$server_id

It should look like this when you click it and check the address bar:

update-server.php?server=12

It must be some number or value, not the variable name.

What I've done works fine, but thanks for the reply.

Hey, why not try mysql_affected_rows()?

E.g.

    // This session value is created at login
    session_start();
    $username = $_SESSION['valid'];

    // This is read from the URL
    $server_id = $_GET['server'];

    // See if a server exists with this ID and username
    $query_server = "SELECT id FROM servers WHERE id='".$server_id."' AND `administrator`='".$username."'";
    $result = mysql_query($query_server);

    // Row count from the last query on this connection
    if (mysql_affected_rows() == 1)
    {
        // redirect for yes
    } else {
        // redirect for no: take the user back to their account
    }

Some people may not agree with mysql_affected_rows, but I've always used it and would for this. Also, for $server_id I would run validations (is_numeric etc.) before I passed it into a query.

Hope this helps :)

Thanks :) I'll give this a shot now. Didn't work :(
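The ownership check in the original post and the "validate $server_id before it goes into a query" advice in the reply above are both addressed by the example below. It is added here and is not code from anyone in this thread. It keeps the `servers` table with `id` and `administrator` columns from the post, but the rows, the function names `canEditServer` / `canEditServerUnsafe`, and the use of PDO with an in-memory SQLite database (so it runs offline; swap the DSN for your MySQL one) are assumptions of the example. The unsafe function reproduces the string-concatenated query from the post purely to show what a crafted `server` parameter does to it.

```php
<?php
// Added example, not from the original thread. The servers table and its
// id/administrator columns come from the post; everything else is constructed.
declare(strict_types=1);

/**
 * True only when a server with this id exists AND is administered by the
 * logged-in user. The id is validated as a positive integer before use and
 * the query is parameterised, so neither value can change the shape of the SQL.
 *
 * @param mixed $rawServerId the raw $_GET['server'] value
 */
function canEditServer(PDO $db, string $username, $rawServerId): bool
{
    // Reject anything that is not a plain positive integer (e.g. "13' -- ").
    $serverId = filter_var($rawServerId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($serverId === false) {
        return false;
    }

    $stmt = $db->prepare('SELECT COUNT(*) FROM servers WHERE id = :id AND administrator = :admin');
    $stmt->execute([':id' => $serverId, ':admin' => $username]);

    return (int) $stmt->fetchColumn() === 1;
}

/**
 * The concatenated query from the post, with the same "exactly one row" test.
 * Kept only to show the injection; do not use this form.
 */
function canEditServerUnsafe(PDO $db, string $username, $rawServerId): bool
{
    $sql = "SELECT id FROM servers WHERE id='" . $rawServerId . "' AND administrator='" . $username . "'";
    return count($db->query($sql)->fetchAll()) === 1;
}

// --- constructed data: alice owns server 12, bob owns server 13 ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE servers (id INTEGER PRIMARY KEY, administrator TEXT NOT NULL)');
$db->exec("INSERT INTO servers (id, administrator) VALUES (12, 'alice'), (13, 'bob')");

$cases = [
    ['alice', '12'],        // own server: both versions allow
    ['alice', '13'],        // bob's server: both versions deny
    ['alice', "13' -- "],   // comments out the administrator clause:
                            // unsafe version allows, safe version denies
];
foreach ($cases as [$user, $id]) {
    printf("%-6s server=%-12s safe=%-5s unsafe=%s\n",
        $user, var_export($id, true),
        canEditServer($db, $user, $id) ? 'allow' : 'deny',
        canEditServerUnsafe($db, $user, $id) ? 'allow' : 'deny');
}
```

In update-server.php the call would sit after `session_start()`, with `header('Location: account.php'); exit;` in the false branch. The third case is the important one: with the concatenated query, `server=13' -- ` turns the WHERE clause into `id='13' -- ' AND administrator='alice'`, which returns exactly one row (bob's server) and so passes the `== 1` test; with the integer check it never reaches the database.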

Could you just var_dump($server_id) and $username and make sure they are not returning NULL? Thanks :)!


Resolved it. Was an error in account.php where a num_rows was expected to be a resource :P Thanks all!
