0

I have two separate if statements, the first if statement is not working but the second one is. The first if statement works on my other pages and I am unsure of how to properly code this as I am a beginner to PHP.

<?php 
session_start();

if($_SESSION['loggedin'] != 'true') {
    header("location:login.php"); 
} 

if ($_SESSION['admin']=='N') {
    header("location:errorpage.php");
    }
?>
doublelift2
  • 3
    You probably want `else if`, otherwise you'll set the location header twice if the user is neither logged in nor an admin (and I assume not being logged in is mutually inclusive of not being an admin) – ta.speot.is Oct 19 '14 at 09:25
  • When I change to an else if statement, both statements do not work – doublelift2 Oct 19 '14 at 09:27
  • What's in `$_SESSION['loggedin']`? Have you debugged this variable? Where is it set? As a note: It's good practice to call `exit` after `header`: [Should I call exit() after calling Location: header?](http://stackoverflow.com/q/3553698/1456376). – insertusernamehere Oct 19 '14 at 09:28
  • @insertusernamehere it is defined in my login page as $_SESSION['loggedin'] = 'true'; It definitely works as the if statement works on other pages, just not this page – doublelift2 Oct 19 '14 at 09:30
  • 2
    What if you try `if( !$_SESSION['loggedin'] ) { }`? – BenM Oct 19 '14 at 09:32
  • What does `var_dump($_SESSION);` give you? – insertusernamehere Oct 19 '14 at 09:32
  • You are saying "The first if statement works on my other pages", so on which page is it not working? – Kanishka Panamaldeniya Oct 19 '14 at 09:32
  • @BenM This could be problematic, as the OP seems to use strings to define whether a user is logged in. If he uses `'false'` as the opposite, the result would always be the same, as non-empty strings always evaluate to `true`. – insertusernamehere Oct 19 '14 at 09:36
  • my var_dump result echoed returns nothing i.e '' this is because the value 'true' is assigned only if a user logs on successfully – doublelift2 Oct 19 '14 at 09:52

4 Answers

1

What is true in your conditions? It can be bool type or string type.

If you set it like this:

$_SESSION['loggedin'] = TRUE;
$_SESSION['loggedin'] = 'true'; 

You have got two different variable sets.

You can compare it using == or === to include variable type.

For example:

$_SESSION['test_1'] = TRUE;
$_SESSION['test_2'] = 'true';
var_dump( $_SESSION );
array(2) { ["test_1"]=> bool(true) ["test_2"]=> string(4) "true" } 
trzyeM-
0

$_SESSION['loggedin']?

Why not just clear every SESSION var on logout, so that if the SESSION vars are set => the user is logged in? And use an exit(); after the header();

Try var_dump($_SESSION['loggedin']) and edit your question.

Or maybe your loggedin var is not a string but a boolean so you could do if(!$_SESSION['loggedin'])

Cr41s3
0

Try using Boolean values rather than strings. I would also use a const for the admin variables. I would do the following;

$_SESSION['loggedin'] = true; // or false
$_SESSION['admin'] = true; // or false

 class Priviledges
 {
    public const Admin = 0;
    public const User = 1;
    public const Contributor = 3;

    // change this to however you want to do it :)
    public static function isAdmin($val)
    {
      // Strict comparison: with ==, an unset (null) or false value
      // would also equal Admin (0)
      if ($val === Priviledges::Admin)
      {
        return true;
      }
      else
      {
        return false;
      }
    }
 }

then when you set the admin session variable you can go;

$_SESSION['admin'] = Priviledges::Admin;

if (!$_SESSION['loggedin'])
{
  header("location:login.php");
  exit();
}
else if (!Priviledges::isAdmin($_SESSION['admin']))
{
  header("location:errorpage.php");
  exit();
}
else
{
  // do your stuff if none of these conditions are met..
}
Steve_B19
0

Always add an exit() or die() after sending a "Location" HTTP header:

<?php 
session_start();

if($_SESSION['loggedin'] !== 'true') {
    header("location:login.php"); 
    exit();
} 

if ($_SESSION['admin'] === 'N') {
    header("location:errorpage.php");
    exit();
}

Check: php - Should I call exit() after calling Location: header?.

From aaronsaray blog:

Remember, just because the browser is smart enough not to show the content, doesn’t mean that this isn’t dangerous. So, it’s a little less dangerous say if this page is just showing a user search option or some information. It is much more dangerous if this is a page that executes an action. This is because the entire PHP page will execute if you don’t put a die() statement.

In other cases, if you want a condition to be evaluated only when a previous condition is false, you may use an "else if".

Pedro Amaral Couto
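
The points raised in the answers above (strict comparison, exit after the Location header, and a missing session key) combined into one reusable guard, as an added example that is not code from any poster in this thread. The file name guard.php, the function names and the admin value 'Y' are assumptions; the question only shows 'true' for loggedin and 'N' for admin.

```php
<?php
declare(strict_types=1);
// Added example (hypothetical guard.php), not code from the thread.
// Assumes login stores the string 'true' in $_SESSION['loggedin'], as in the
// question, and marks admins with 'Y' (assumed; the page only shows 'N').

// Returns the redirect target, or null when access is allowed.
// Pure function: no headers and no exit, so it can be checked with plain arrays.
function access_decision(array $session, bool $adminOnly): ?string
{
    // ?? treats a missing key as "not logged in" without a notice;
    // !== avoids PHP's loose-comparison type juggling.
    if (($session['loggedin'] ?? null) !== 'true') {
        return 'login.php';
    }
    // Allow-list: only an explicit 'Y' passes. A test for == 'N' lets a
    // session with no 'admin' key through.
    if ($adminOnly && ($session['admin'] ?? null) !== 'Y') {
        return 'errorpage.php';
    }
    return null;
}

// Call at the top of a protected page, before any output.
function require_access(bool $adminOnly = false): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    $target = access_decision($_SESSION, $adminOnly);
    if ($target !== null) {
        header('Location: ' . $target);
        exit; // without this the rest of the protected page still executes
    }
}

// Constructed sample sessions, run from the CLI: php guard.php
if (PHP_SAPI === 'cli' && isset($argv[0]) && realpath($argv[0]) === __FILE__) {
    $samples = [
        'no session data'   => [],
        'boolean flag'      => ['loggedin' => true, 'admin' => 'Y'],
        'user, admin unset' => ['loggedin' => 'true'],
        'user, admin N'     => ['loggedin' => 'true', 'admin' => 'N'],
        'admin'             => ['loggedin' => 'true', 'admin' => 'Y'],
    ];
    foreach ($samples as $label => $session) {
        printf("%-18s => %s\n", $label, access_decision($session, true) ?? 'allowed');
    }
}
```

Because the session values are compared strictly against strings, the login page must store exactly those strings; a boolean `true` is treated as not logged in.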