
I'm having issues with making a page where only band members can access their own band pages.

Each band in my band table has four columns: $bandm1, $bandm2, $bandm3 and $bandm4.

I tried to make a script that drew the session username, and then drew the band_id from the URL, and that was successful. But when I tried:

the script didn't work. Is it a problem with my AND/OR statements?

EDIT: here's my full code:

    <?php
    // Look up the logged-in user by the username kept in the session.
    // Note: $user is interpolated straight into the SQL string here.
    $user = $_SESSION['user_name'];
    $get_user = "SELECT * FROM users WHERE user_name = '$user'";
    $run_user = mysqli_query($con, $get_user);
    $row = mysqli_fetch_array($run_user);
    $user_name = $row['user_name'];

    // Load the band named in the URL (?band_id=...).
    if (isset($_GET['band_id'])) {
        $band_id = mysqli_real_escape_string($con, $_GET['band_id']);
        if (ctype_alnum($band_id)) {
            $q = "SELECT * FROM bands WHERE band_id = '$band_id'";
            $r = mysqli_query($con, $q);
            // $r is false if the query failed; $band_name is only set
            // when at least one row comes back.
            if ($r) {
                while ($row = mysqli_fetch_array($r)) {
                    $band_id = $row['band_id'];
                    $band_name = $row['band_name'];
                }
            }
        }
    }
    ?>

    FROM bands
    WHERE band_id = '$band_id'
          and (bandm1 = $user_name) OR (bandm2 = $user_name)
              OR (bandm3 = $user_name) OR (bandm4 = $user_name)

it works, BUT when I replace the select with:

    SELECT * FROM bands WHERE band_id = '$band_id' and (bandm1 = $user_name) OR (bandm2 = $user_name) OR (bandm3 = $user_name) OR (bandm4 = $user_name)";

it stops working.

Strawberry
  • Your query is probably failing because of lack of quotes around user names. It's also open to injection attacks. Using prepared statements would resolve both of these issues. – Greg Schmidt Apr 29 '20 at 20:28
  • Please don't create schemas like this. Enumerated columns are the sign of a bad schema. Create a bandmembers table and associate the band members to the band_id. e.g. how would you handle `dave grohl` with current schema and `nirvana` and `foo fighter` entries? Also `the script didn't work` is not descriptive enough. Are you getting an error, too much access, not enough access, etc.? – user3783243 Apr 29 '20 at 20:31
  • Your code is vulnerable to **sql injection**; always use **prepared statements**, see https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php – nbk Apr 29 '20 at 20:35
  • @user3783243 my system currently has a page where users who are in a band can see a list of bands they are included in; if their username is included in any of the four columns, then the band which that column belonged to is displayed with a link to the "edit band info" page. – emo_programmer Apr 29 '20 at 20:47
  • Why are there 4 columns? – Strawberry Apr 29 '20 at 21:01
  • @Strawberry "and (bandm1 = $user_name) OR (bandm2 = $user_name) OR (bandm3 = $user_name) OR (bandm4 = $user_name)" bandm1, bandm2, bandm3 and bandm4 are the four columns – emo_programmer Apr 29 '20 at 21:03
  • Yes. We know. But why? – Strawberry Apr 29 '20 at 21:10
  • @Strawberry sorry, I read that wrong. There are 4 because I allow four band members per band currently – emo_programmer Apr 29 '20 at 21:15
  • Seriously consider revising your schema. – Strawberry Apr 29 '20 at 21:15
  • @Strawberry do you have any suggestions for doing so? I'm open to a rework of my program – emo_programmer Apr 29 '20 at 21:17
  • Well, I'd have a table of band members: (band_id, member_id), with a row for each member. – Strawberry Apr 29 '20 at 21:19
  • @Strawberry I'll start working on that! How would I allow users to add other users to the specific bands though? – emo_programmer Apr 29 '20 at 21:28
  • When a new band member is added, add them to the band members table with the band id. The number of band members will be almost limitless. – user3783243 Apr 30 '20 at 00:23
  • @user3783243 that's awesome! I'll get working on a way for users to get added to the band members list. It seems like a field in the create a band page would be a pain – emo_programmer Apr 30 '20 at 00:27

1 Answer

Try adding parentheses to your query:

    SELECT * FROM bands WHERE band_id = '$band_id' and ( (bandm1 = $user_name) OR (bandm2 = $user_name) OR (bandm3 = $user_name) OR (bandm4 = $user_name) )

Edit:

You probably need some quotes around these variables, not sure how your script is built, but something like this:

    $query = "SELECT * FROM bands WHERE band_id = '".$band_id."' and ( bandm1 = '".$user_name."' OR bandm2 = '".$user_name."' OR bandm3 = '".$user_name."' OR bandm4 = '".$user_name."' )";
Jay
  • your answer is vulnerable to sql injection, see https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php – nbk Apr 29 '20 at 20:34
  • I tried this with the quotations and the brackets and it led to the same problem where it will not display the queried info. I updated my initial post to include the full code, and the circumstance where it works without the AND statement – emo_programmer Apr 29 '20 at 20:43
  • in bandm1, bandm2 etc., are you storing the username or the userid? – Jay Apr 29 '20 at 20:48
  • @Jay I'm storing usernames, primarily so it's easier for users to add a username to the list and also because that's what my user session is based on – emo_programmer Apr 29 '20 at 20:51
  • I'm just trying to understand what this script is doing. So this is a 'band's page'? Let's say it's ACDC's. In your database, ACDC has members listed as bandm1='john', bandm2='david' etc., so you are checking if $user_name belongs to this band, otherwise they will not be allowed on this page, right? Maybe you are doing tests logged in as a user that does not belong in this particular band? Which would explain that your query does not return anything. – Jay Apr 29 '20 at 21:06
  • that's exactly right! But I'm doing tests from a user that is a band member. I have another page which uses the same "if bandm1 = username etc." script to check what bands the logged in user is a member of, and that works perfectly, but for whatever reason using that to verify the user isn't working – emo_programmer Apr 29 '20 at 21:10
  • $q = "SELECT * FROM bands WHERE band_id = '".$band_id."' and ( bandm1 = '".$user_name."' OR bandm2 = '".$user_name."' OR bandm3 = '".$user_name."' OR bandm4 = '".$user_name."' )"; this does not return any error when you run the script? – Jay Apr 29 '20 at 21:42
  • @jay there are no error messages except when I try to call information it says undefined variable – emo_programmer Apr 30 '20 at 00:18
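Added example (not code from the question or the answer) showing the two problems the answer and the comments raise, against an in-memory SQLite copy of the question's schema: the unquoted interpolation makes the statement fail (so the loop never runs and $band_name stays undefined), and without parentheses the band_id filter only covers bandm1, so a member of one band gets rows of another. It also includes the per-row band_members table the comments suggest; the band names and member names are constructed sample data.

```python
import sqlite3

# Constructed sample data (not from the post): "david" is in band 1 only.
BANDS = [(1, "ACDC", "john", "david", None, None),
         (2, "Nirvana", "kurt", "krist", None, None)]

def open_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE bands (band_id INTEGER, band_name TEXT, "
                "bandm1 TEXT, bandm2 TEXT, bandm3 TEXT, bandm4 TEXT)")
    con.executemany("INSERT INTO bands VALUES (?, ?, ?, ?, ?, ?)", BANDS)
    # Normalised layout suggested in the comments: one row per membership.
    con.execute("CREATE TABLE band_members (band_id INTEGER, member_name TEXT)")
    for band in BANDS:
        con.executemany("INSERT INTO band_members VALUES (?, ?)",
                        [(band[0], m) for m in band[2:] if m])
    return con

def unquoted_interpolation_error(con, band_id, user):
    """What the question's interpolated string sends: bandm1 = david is parsed
    as a column reference, so the statement fails and no row is ever fetched."""
    sql = (f"SELECT band_name FROM bands WHERE band_id = '{band_id}' AND "
           f"(bandm1 = {user} OR bandm2 = {user} OR bandm3 = {user} OR bandm4 = {user})")
    try:
        con.execute(sql)
        return None
    except sqlite3.OperationalError as err:
        return str(err)

def visible_unparenthesized(con, band_id, user):
    """The question's WHERE clause with values bound. AND binds tighter than OR, so
    the band_id filter applies only to the bandm1 test; bandm2..4 ignore it."""
    sql = ("SELECT band_name FROM bands WHERE band_id = ? AND bandm1 = ? "
           "OR bandm2 = ? OR bandm3 = ? OR bandm4 = ?")
    return [r[0] for r in con.execute(sql, (band_id, user, user, user, user))]

def visible_fixed(con, band_id, user):
    """The answer's fix: parenthesise the OR group; bound parameters replace the
    string interpolation, which also removes the missing-quotes problem."""
    sql = ("SELECT band_name FROM bands WHERE band_id = ? AND "
           "(bandm1 = ? OR bandm2 = ? OR bandm3 = ? OR bandm4 = ?)")
    return [r[0] for r in con.execute(sql, (band_id, user, user, user, user))]

def visible_normalized(con, band_id, user):
    """Same check on band_members: no OR chain whose precedence can go wrong."""
    sql = ("SELECT b.band_name FROM bands b JOIN band_members m "
           "ON m.band_id = b.band_id WHERE b.band_id = ? AND m.member_name = ?")
    return [r[0] for r in con.execute(sql, (band_id, user))]
```

Asking for band 2 as "david" returns ACDC from the unparenthesised query, i.e. a row of a band he is not in, while both corrected forms return nothing.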