0

I'm setting up a web application that has multiple user roles that determine what view a specific user gets when visiting specific sections (or whether those sections are even available to them). I have a table ("users") that includes a columns for "username" and "role". I have a second table ("roles") that has columns for "role" as well as a column for each section, each having multiple possible values that drive the user experience for each role. The column I'm concerned with here is call "useradminview", but I have the same issue with all other columns.

I have no problem obtaining a given user's role when they login. But when I attempt to get the useradmin view associated with that role, my query returns the column name rather than the expected value.

I've found several posts on stackoverflow and other sites that are for the same symptom, but the queries are setup differently from what I have. Any help is greatly appreciated!

//function to get role for user - this returns the expected value
function getUserRole($username) {
    include($_SERVER["DOCUMENT_ROOT"] . "/sharedinc/db.php");
    try {
        $sql = "SELECT role FROM users WHERE username = :username";
        $s = $pdoUsers->prepare($sql);
        $s->bindValue(":username", $username);
        $s->execute();
    } catch (PDOException $e) {
        $error = "Error obtaining user role";
        include($_SERVER["DOCUMENT_ROOT"] . "/sharedinc/dboutput.php");
        exit();
    }
    $role = $s->fetch();
    return $role[0];
}

//function to check page view for that role - this returns the column name
function getPageView($role, $page) {
    include($_SERVER["DOCUMENT_ROOT"] . "/sharedinc/db.php");
    try {
        $sql = "SELECT :page FROM roles WHERE role = :role";
        $s = $pdoUsers->prepare($sql);
        $s->bindValue(":role", $role);
        $s->bindValue(":page", $page);
        $s->execute();
    } catch (PDOException $e) {
        $error = "Error obtaining pageview for role";
        include($_SERVER["DOCUMENT_ROOT"] . "/sharedinc/dboutput.php");
        exit();
    }
    $pageview = $s->fetch();
    return $pageview[0];
}

//end-goal query needs to be able to store the values as session variables
$_SESSION["username"] = $_POST["username"];
$_SESSION["role"] = getUserRole($_SESSION["username"]);
$_SESSION["useradminview"] = getPageView($_SESSION["role"], "useradminview");
nicko
  • 11
  • 3
  • 1
    Your issue is most likely with `:page`. The `getPageView` function is trying to bind a column name as parameter. That's not possible. Only values can be bound, not identifiers. So with `->bindValue(":page", …)` you'll never get the according column, but whatever literal string you had preset with `$page`. – mario Aug 30 '15 at 19:26
  • Aha! Thank you! I didn't realize that - that did the trick! – nicko Aug 30 '15 at 19:32

1 Answers1

-1

you cant put row-name via bind. change it to:

   try {
        $sql = "SELECT $page FROM roles WHERE role = :role";
        $s = $pdoUsers->prepare($sql);
        $s->bindValue(":role", $role);
        $s->execute();
    } catch (PDOException $e) {
Bernd Buffen
  • 14,525
  • 2
  • 24
  • 39