PHP Forum

**merlin** · 12:43 PM

If I have a login page that sets a cookie on the users PC and the value of the cookie is the username how would I code a query to check the user security level within the database.

For example:

I want to read the cookie and get the username from the cookie then have a query check the table (users) for the security level (level) to ensure it is greater than or equal to a particular level.

Thanks.....................

**leavethisplace** · 04-28-2005, 12:43 PM

Hi Merlin,

You seem to have asked a lot of questions which seem like you haven't really researched how you can do this. If you looked around, for example, the PHP Manual you'd be able to find this out easily, or even if you just download PHPBB and looked through the coding it would open up your understanding a little better, nothing better than learning from other people work.

But, i will help you on this one. For a start, don't use Usernames in cookies; it's a security issue. If someone managed to get hold of that cookie, they would have a username, and then they could simply try hacking that account using numerous passwords they've compiled, etc, etc. Use user id's instead, that way, it is a little more secure, plus if you change they're username, it don't matter at all! Because it simply refers to the ID, not the name.

Anyway, on to the technical stuff.

I use to functions to check users, one to see if they exist, and one to see what userlevel they have:

PHP Code:


			
function check_userexist ($userid) 

     {

    OpenDataBase("server", "user", "pass", "database");

        $query = "SELECT UserID FROM users";

        $result = mysql_query($query)

            or die("Query failed: " . mysql_error());

            

        while ( $row = mysql_fetch_array($result) ) {    

            if ($row['UserID'] == $userid) { 

                return 'TRUE'; 

                exit;

            } 

        }



        return 'FALSE';

    }



function check_userlevel ($userid)

    {

 

     OpenDataBase("host", "user", "pass", "database");

        $query = "SELECT UserID, UserLevel 

                                FROM users WHERE UserID = '$userid'";

        $result = mysql_query($query)

            or die("Query failed: " . mysql_error());

            

        while ( $row = mysql_fetch_array($result) ) {    

            if ($row['UserID'] == $userid) { 

                return $row['UserLevel']; 

                exit;

            } 

        }

        return '0';

    }

So now i suppose you want that explained!

I should say now that you'll see a function called OpenDataBase(), you won't have that function because it's one written by myself so you need to open the database yourself.

Basically, check_userexist will simply return true or false if it can find the user ID, check_userlevel will return what user level a user has by their user ID.

You should know how to grab cookies, since you know how to post them. Please remember this is an old bit of code, so there may be a better way to do it, but hopefully this makes things a bit clearer. You will need to change the code in terms of your database design.

**merlin** · 04-28-2005, 12:52 PM

Thanks, I'll give it a try and let you know.

**merlin** · 05-03-2005, 01:25 PM

Thanks for your tip "leavethisplace", it did give me a new direction to consider and I found the following to be easier to work with.

With respect to your comments in this post, I found your comments to be disrespectful, unproductive and unsolicited. These forums are setup so more experienced programmers can help out, not criticize. If you feel I don't do enough to help myself then please do not respond to my inquiries, otherwise I would appreciate if you kept your personal comments to yourself.

I use this code at the top of each page,

PHP Code:


			
ob_start();

if (!isset($_COOKIE['login'])){

    header('location: new_login\login.php');

    exit();

    }

Along with the above I use this just under the body tag,

PHP Code:


			
include('new_login\mysql_connect_login.php');



$sql = "select level from users where username = '" . $_COOKIE['login'] . "'";



$query_run = mysql_query($sql);

$query_res= mysql_fetch_array($query_run);



       if ($query_res['level'] >= "3") {

       } else {

       header('location: access_error.php');



mysql_close();

}

Thanks for your help.

**leavethisplace** · 05-03-2005, 07:32 PM

Sorry you feel that way merlin - but I did not mean my comments to be "disrespectful, unproductive and unsolicited", rather it was simply a general comment. I'm a firm believer that the best way of learning is from others (and hence why i post so much on this forum) but sometimes people become complacent.

I was simply saying try and teach yourself before you ask other people, that way, you're going to learn a lesson - you probably won't ever forget it once you figured something for yourself. But i often found that when I got help from people i would simply copy and past code and not really look at it.

If you found my comments offensive then that's your judgement to make - it's not like i was saying "urrrgh neeeeeeewbie", cause I had that when I tried asking for help, whilst I may have said a negative comment, it was intended to be constructive. I didn't just leave it at that comment, I thought I gave you some pretty indepth help - you wanna de-reail from the actual purpose of the post, fair be to you.

**merlin** · 05-04-2005, 04:39 PM

I see most of my comments were lost on you. However if you look at the code I came up with you will find that I did just what you were suggesting. Normally I do not take other peoples code just the direction they show me so I can come up with my own solution, as you can see from the difference in both my code vs. yours. It should also be noted that I thanked you for your help twice so I'm not sure why you would consider me "Complacent".

As far as I am concerned you helped me and I thank you, but this conversation is now over.

Thanks again.