-1

So I'm trying to write a temp way to log in to the admin panel using an if else statement while I read up on PDO. If someone could tell me where the error lies here it would be much appreciated.

I've updated my code after looking around a little bit, but I still have the issue of nothing showing up where my code belongs and pulling the information it should.

<?php
$admin = $_SESSION['admin_login'];
$con = mysql_connect("$server", "$user", "$pass");
if (!$con) {
    die('Could not Connect' . mysql_error());
}
mysql_select_db($webdb, $con);
$result = mysql_query("SELECT * FROM permissions WHERE username= '$admin' ");
$row = mysql_fetch_assoc($result);
if ($row['permissions'] == "3") {
    echo 'Admin Panel';
} elseif ($row['permissions'] == "1") {
    echo 'include acp_error.php';
}
?>

Is what I've updated to; does anyone see any issue here?

4

1 Answer

2

mysql_query returns a statement HANDLE, not the value(s)/row(s) you're trying to select. You need to FETCH a row of data to be able to get the values you need to compare.

$result = mysql_query(...) or die(mysql_error());
$row = mysql_fetch_assoc($result);
if ($row['somefield'] == 3) { 
    ...
}

Please note that things like

"$webdb"

are pointless cargo-cult programming. A simple

$webdb

is all that's needed for such things. There is no point in creating a new string, whose sole contents are the contents of a variable - just use the variable itself.

As well, note that you're vulnerable to SQL injection via that $_SESSION value you're using in the query. If that's a text value, and contains user-supplied data, your server is trivial to pwn.

Answered on 2012-10-07T01:16:28.503
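
The permission lookup from the question rewritten with a PDO prepared statement, which addresses the SQL injection point raised in the answer. This is an added example, not code from the question or the answer. It assumes the pdo_sqlite extension is available and uses an in-memory SQLite database with constructed rows in place of the real MySQL server; `permission_level` is a hypothetical helper name.

```php
<?php
// Added example. Assumptions: pdo_sqlite is installed; the in-memory database
// and its rows are constructed stand-ins for the real MySQL server.
// Against MySQL only the DSN and credentials passed to new PDO() change.

// Hypothetical helper: returns the permission level, or null if no such user.
function permission_level(PDO $db, string $username): ?int
{
    // The placeholder keeps $username out of the SQL text entirely, so quotes
    // inside the value cannot change the structure of the query.
    $stmt = $db->prepare('SELECT permissions FROM permissions WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);   // false when no row matches
    return $row === false ? null : (int) $row['permissions'];
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // fail loudly on SQL errors
$db->exec('CREATE TABLE permissions (username TEXT PRIMARY KEY, permissions INTEGER)');
$db->exec("INSERT INTO permissions VALUES ('alice', 3), ('bob', 1)"); // constructed data

// Constructed inputs; the last one contains quote characters of the kind that
// would alter the string-built query in the question.
foreach (['alice', 'bob', 'nobody', "x' OR '1'='1"] as $admin) {
    $level = permission_level($db, $admin);
    if ($level === 3) {
        echo "$admin: Admin Panel\n";
    } else {
        // Unknown user or any other level: deny by default.
        echo "$admin: access denied\n";
    }
}
```

The `else` branch covers both a missing row and every level other than 3, so an unexpected value never falls through to the admin panel.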