-3

I've got one table called books in my database. I've got users who are admins and users who are not; admins have boolean 0 assigned to them. I have a function, but I only want admins to be able to execute it.

Therefore I need to check the database with their username and whether they are admins, that is, whether type==0 or not. I have to do this all in PDO statements.

$sqls = $handle->prepare("SELECT type FROM 888 WHERE 888='{$_COOKIE['888']}'");
$sqls->execute();
$row = $sqls->fetch();

if ($row['type'] == 0) { /* do the function */ }

yet it does not show any error or anything else. Can you see and explain the problem?

Jonathan Leffler
  • 730,956
  • 141
  • 904
  • 1,278
jonny
  • 7
  • 5
  • sorry, 888 is just put in, I didn't want to give all the details, sorry – jonny Apr 09 '14 at 22:19
  • You need to post something that demonstrates the problem. What I see here won't work because you've replaced parts of the query with syntactically invalid numbers. For all I know the original is just as bad. –  Apr 09 '14 at 22:21
  • is 888 supposed to be both a column name and a table name? that doesn't make sense. – RobP Apr 09 '14 at 22:21
  • Possible duplicate of http://stackoverflow.com/q/22974685/1864610 –  Apr 09 '14 at 22:24
  • 2
    You have unescaped quotes in: `'{$_COOKIE['888']}'` escape the inner-most single quotes. –  Apr 09 '14 at 22:24
  • If you were good enough to have a job that required secrecy, you wouldn't be on here. – Jack M. Apr 09 '14 at 22:25
  • If telling us the table/column name is an issue, you have real problems; don't make it hard to help you. –  Apr 09 '14 at 22:26
  • @jonny, if you solve fetching all problems tell me, surely I want to know how it works to delete them all `*` after that from my life :D Now seriously, update your question with proper title and description/content. Other visitors should understand the matter of the question as much as possible from your topic title. – Rolice Apr 09 '14 at 22:37

2 Answers

1

This is bad. You are using a cookie (client-side) to check if a visitor has administrator rights. What's to stop anybody from just changing the cookie? Store the administrator flag value in a session (server-side) when the user logs in.

On login:

session_start();
$_SESSION['admin'] = 1; // for example

On your specific page:

session_start();
if ($_SESSION['admin'] === 1)
{
  // do the function
}

And you save yourself from doing an unnecessary database query, solving your problem in the process.

jeroen
  • 91,079
  • 21
  • 114
  • 132
  • @jonny this is good advice, because your approach is neither secure, nor optimal one (performance). Read about PHP sessions. – Rolice Apr 09 '14 at 22:43
  • OK, so I did that, but it says admin is undefined??? – jonny Apr 09 '14 at 23:10
  • @jonny Hard to tell without seeing your code, but take a look here: http://stackoverflow.com/questions/8028957/how-to-fix-headers-already-sent-error-in-php/8028987#8028987 – jeroen Apr 09 '14 at 23:23
0

Use $_SESSION instead. But ...

$mycookie = $_COOKIE['888'];
$sqls = $handle->prepare("SELECT type FROM `888` WHERE `888` = ? LIMIT 1");
$sqls->bindParam(1, $mycookie, PDO::PARAM_STR);
$row = false;
try {
    $sqls->execute();
    $row = $sqls->fetch();
}
catch (Exception $e) {
    echo $e->getMessage();
}

if ($row) {
    // may want to print_r($row) and debug...
    if ($row['type'] == 0) {
        // admin: do the function
    }
}
John
  • 417
  • 2
  • 6
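Putting both answers together, here is an added example (not code from the question or either answer) of how the login and the admin-only page fit together: the account type is looked up once at login with a bound parameter, the admin decision is stored server-side in the session, and the protected page trusts only that session value. The `users` table with `username`, `password_hash` and `type` columns, the DSN and the credentials are assumptions for the example, not the asker's real schema.

```php
<?php
// Added example: session-based admin check fed by a PDO prepared statement.
// Assumed schema: users(username, password_hash, type) with type 0 = admin,
// matching the question's convention. Table/column names are assumptions.
declare(strict_types=1);

function connect(): PDO
{
    // ERRMODE_EXCEPTION makes PDO throw instead of failing silently, which is
    // why the asker's original code "does not show any error or anything else".
    return new PDO('mysql:host=localhost;dbname=app', 'app_user', 'secret', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// Fetch the row for a username with a bound parameter. The username travels
// to the server separately from the SQL text, so it can never change the query,
// unlike interpolating a cookie value into the string.
function fetchUser(PDO $pdo, string $username): ?array
{
    $stmt = $pdo->prepare(
        'SELECT password_hash, type FROM users WHERE username = :username LIMIT 1'
    );
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch();
    return $row === false ? null : $row;   // null for an unknown user
}

// login.php: verify the password, then record the admin decision server-side.
function login(PDO $pdo, string $username, string $password): bool
{
    $user = fetchUser($pdo, $username);
    if ($user === null || !password_verify($password, $user['password_hash'])) {
        return false;
    }
    session_start();
    session_regenerate_id(true);          // fresh session id on privilege change
    $_SESSION['username'] = $username;
    $_SESSION['admin']    = ((int) $user['type'] === 0);
    return true;
}

// admin-only page: consult only the session, never a cookie the browser can edit.
function requireAdmin(): void
{
    session_start();
    if (!isset($_SESSION['admin']) || $_SESSION['admin'] !== true) {
        http_response_code(403);
        exit('Forbidden');
    }
}

// Usage on the protected page:
//   requireAdmin();
//   // ... the admin-only function runs here
// Usage on the login form handler:
//   login(connect(), $_POST['username'] ?? '', $_POST['password'] ?? '');
```

Storing a boolean rather than the raw `type` value in the session keeps the page check to a strict `=== true` comparison, and `session_regenerate_id(true)` at login prevents a session id fixed before authentication from carrying the admin flag.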