
Firstly, please forgive me if I don't give enough info in my question; I'm new to the developer scene after just landing myself an amazing opportunity as a junior software developer a few weeks ago.

I have a project I'm working on which is a basic CRUD management system. I have a login process and user accounts all set up, but I would like certain things to require "Admin" privileges, like deleting items from my inventory.

So currently everything works as is (just no admin checking).

I have made this function in my config.php (which is included on every page through the header):

function checkAdmin($conn)
{
    $id = $_SESSION['member_id'];
    $sql = "SELECT admin FROM members WHERE id = $id";
    $query = mysqli_query($conn, $sql);
    $rs = mysqli_fetch_array($query);
    $admin = $rs['admin'];
    if($admin == 1){
        return true;
    }else{
        return false;
    }
}

So my question is, how do I then pass that value "true/false" into my query? I'm using jQuery/Ajax to do my queries, but I understand this would be handled on my "ajax.php" page where all my queries are. My current code is:

if(isset($_GET['deleteID']))
{
    if('checkAdmin' == true){
        $id = $_GET['deleteID'];

        $sql = "DELETE FROM members WHERE id=$id";
        mysqli_query($conn, $sql);

        recordLog($conn, "Members", "Removed user #$id");

        $data = [
            'success'   =>  true
        ];
    }else{
        $data = [
            'error' =>  'Admin Privileges Required'
        ];
    }

    echo json_encode($data);
}

The actual code in itself works without the if(checkAdmin == ...) statement, but I don't think I'm on the right lines with it.

Thanks in advance for any help :) Please let me know if any more info is needed.

Sam.92
  • Welcome to Stack Overflow! As a new user, please take the [tour] and read [ask]. Concerning your problem, you should try to extract a [mcve] from your code for posting here. That avoids the case of both too much code and too little. – Ulrich Eckhardt Mar 29 '19 at 17:38
  • Why not hide the delete button unless checkAdmin == true? – Ralph Mar 29 '19 at 18:43
  • Nice suggestion @Ralph, but as I'm learning to code at the moment it's probably better that I use this method, as I have to link my code in other places, giving me more of an understanding. I will definitely add that in at some point though :) – Sam.92 Mar 29 '19 at 18:48
  • P.S. @Ralph - hiding the buttons from non-admins works a treat – Sam.92 Apr 01 '19 at 15:51

1 Answer


Call the function in the if statement:

if(checkAdmin($conn) == true){

Alternately you could do:

$checkAdmin = checkAdmin($conn);
if($checkAdmin == true){

Be advised that you are at serious risk of SQL injection. Implement this now: How can I prevent SQL injection in PHP? This is bad, bad, bad:

$id = $_GET['deleteID'];
$sql = "DELETE FROM members WHERE id=$id";
AbraCadaver
  • Thanks for the help :) Yeah, this is never going to be hosted; I am learning the basics of PHP at the moment, and my next set of things to look at is ways to avoid my code being broken :) Thank you for the link, this will help :) – Sam.92 Mar 29 '19 at 17:39
  • Learn to do it correctly so you are practiced at it in the future. – AbraCadaver Mar 31 '19 at 21:19
  • Just want to thank you again for pointing out the vulnerabilities. I am now in practice... Upvotes for you :) – Sam.92 Apr 02 '19 at 10:46
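Putting the answer's two points together, here is the checkAdmin() function and the ajax.php delete handler from the question rewritten with a server-side authorization check and prepared statements. This is an added example, not code from the original question or answer. It keeps the names the question uses (the `members` table with `id` and `admin` columns, `$_SESSION['member_id']`, the `$conn` mysqli connection from config.php, and the `recordLog()` helper); everything else, including the integer validation and the 403/400 responses, is an assumption about how the rest of the project behaves.

```php
<?php
// Added example (not from the original question or answer). Assumes config.php
// has already been included and provides $conn (mysqli) and recordLog().
session_start();

// Returns true only when the logged-in member's admin flag is 1.
// Fails closed: missing session, no matching row, or a DB error all give false.
function checkAdmin(mysqli $conn): bool
{
    if (!isset($_SESSION['member_id'])) {
        return false;
    }

    // Bound parameter instead of interpolating the session value into SQL.
    $stmt = $conn->prepare('SELECT admin FROM members WHERE id = ?');
    if ($stmt === false) {
        return false;
    }
    $memberId = (int) $_SESSION['member_id'];
    $stmt->bind_param('i', $memberId);
    $stmt->execute();
    $stmt->bind_result($admin);
    $found = $stmt->fetch();
    $stmt->close();

    return $found && (int) $admin === 1;
}

// Deletes one member row by id. The id is bound as an integer, so the value
// from the request can never change the shape of the DELETE statement.
// Returns the number of rows removed (0 if no such id existed).
function deleteMember(mysqli $conn, int $id): int
{
    $stmt = $conn->prepare('DELETE FROM members WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $affected = $stmt->affected_rows;
    $stmt->close();
    return $affected;
}

// ajax.php handler. The admin check runs on the server for every request;
// hiding the delete button in the UI (as suggested in the comments) only
// tidies the page for non-admins and does not replace this check.
if (isset($_GET['deleteID'])) {
    header('Content-Type: application/json');

    if (!checkAdmin($conn)) {
        http_response_code(403);
        echo json_encode(['error' => 'Admin Privileges Required']);
        exit;
    }

    // Reject anything that is not a positive integer before it reaches SQL.
    $id = filter_var(
        $_GET['deleteID'],
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($id === false) {
        http_response_code(400);
        echo json_encode(['error' => 'Invalid deleteID']);
        exit;
    }

    $removed = deleteMember($conn, $id);
    if ($removed > 0) {
        recordLog($conn, "Members", "Removed user #$id"); // helper from the question
    }

    echo json_encode(['success' => $removed > 0]);
}
```

The shape of the check matters as much as the prepared statements: checkAdmin() is called (not compared as a string, which was the original bug), it is evaluated before any request data is touched, and every failure path returns false rather than throwing or falling through to the delete. The jQuery side needs no change beyond handling a 403 or 400 status instead of assuming a 200 with `success: true`.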