php if statement and comparison value

Question

<?php
error_reporting(0);
session_start();
if(!$_SESSION["login"]){
print '<script type="text/javascript">';
print 'alert("You need to login first")';
print '</script>';  echo '<meta http-equiv="REFRESH" content="0;url=home.php">';
die();
}
?>
<?php
//This is the book stuff
                ob_start();
                #error_reporting(0);
                $host="localhost"; // Host name
                include 'databaselogin.php';

                $db_name="X"; // Database name
                $tbl_name="Books"; // Table name

                // Connect to server and select databse.
                mysql_connect("$host", "$username", "$password")or die("cannot connect");
                mysql_select_db("$db_name")or die("cannot select DB");
                $id = $_GET["id"];
                $sql = 'SELECT * FROM Books WHERE `id` = '.$id.' LIMIT 1'; 
                $result=mysql_query($sql) or die(mysql_error());
                while($rows = mysql_fetch_array($result)){
?>

<?
//this is user stuff.
            ob_start();
            error_reporting(0);
            $host="localhost"; // Host name
            include 'databaselogin.php';
            $currentuser = $_SESSION["id"];
            $db_name="X"; // Database name
            $tbl_name="users"; // Table name
            $tbl_name="Books"; // Table name


/*
if ($rows['userid'] != $currentusers)
{
print '<script type="text/javascript">';
print 'alert("you dont have permissions")';
print '</script>';  echo '<meta http-equiv="REFRESH" content="0;url=home.php">';
}

*/
?>

<!doctype html>
<html lang="en">
<head>
    <meta charset="utf-8" />
    <title>Silent Generation</title>
    <link rel="stylesheet" href="styles.css" type="text/css" media="screen" />
    <link rel="stylesheet" type="text/css" href="print.css" media="print" />
    <!--[if IE]><script src="http://html5shiv.googlecode.com/svn/trunk/html5.js"></script><![endif]-->
    <!--script section-->
    <script type="text/javascript">

    </script>

    <!--end script section-->

</head>
<body>
<div id="wrapper"><!-- #wrapper -->

    <header><!-- header -->
        <h1><a href="#">Silent Generation</a></h1>
        <h2>Would it be too chezy to say silent but deadly</h2>
    </header><!-- end of header -->

    <nav><!-- top nav -->
        <div class="menu">
            <ul>
                <li><a href="home.php">Home</a></li>
                <li><a href="sell.php">Sell</a></li>
                <li><a href="buy.php">Buy</a></li>
                <li><a href="stores.php">Stores</a></li>
                <li><a href="donate.php">Donate</a></li>
                <li><a href="contact.php">Contact Us</a></li>
                <li><a href="support.php">Support</a></li>

            </ul>
        </div>
    </nav><!-- end of top nav -->

    <section id="main"><!-- #main content and sidebar area -->
            <section id="content"><!-- #content -->



                <article>
                    <form method="GET" action="editadd.php" name="add" id="add">
                Book Name: 
                <div align="center" style="margin-top:-15px;"> 
                <input type="text" name="name" id="name"  value="<?echo $rows["name"];?>"/></div>
                Author's Name: <div align="center" style="margin-top:-15px;"><input type="text" name="author" id="author"  value="<?echo $rows["author"];?>"></div>
                ISBN: <div align="center" style="margin-top:-15px;"><input type="text" name="ISBN" id="ISBN"  value="<?echo $rows["ISBN"];?>"></div>
                Edition : <div align="center" style="margin-top:-15px;"><input type="text" name="edition" id="edition"  value="<?echo $rows["edition"];?>"></div>
                Contact info:<div align="center" style="margin-top:-15px;"> <input type="text" name="contact" id="contact"  value="<?echo $rows["contact"];?>" /></div>
                Price: <div align="center" style="margin-top:-15px;"> <input type="text" name="price" id="price" / value="<?echo $rows["price"];?>"></div>
                Comments: <div align="center"><textarea id="comments" name="comments" rows="13" cols="80"  ><?echo $rows["comment"];?> </textarea></div>
                <div align="center"><input type="submit" value="Submit" style="width:660px;height:70px;"/></div>
                <input type="hidden" name="id" value="<?echo $rows["id"];?>" />
                </form>
                current user: <?echo $currentuser;?>
                posted by: <?echo $rows['userid']?>
                <?
                }
                ob_end_flush();
                if ( intval($rows['userid']) ==  intval($currentusers))
                {echo "true";}
                else
                {echo "fasle";}

                ?>
                </article>


                    <pre>









                            </pre>







            </section><!-- end of #content -->

        <aside id="sidebar"><!-- sidebar -->
        <?php
        error_reporting(0);
        session_start();
        if(!$_SESSION["login"]){
        ?>
                <h3>Login</h3>
              <form method="post" ACTION="login.php">
            E-mail
            <input type="text" id="myusername" name="myusername" />
            <br/>
            <br/>
            Password    <input type="password" id="mypassword" name="mypassword" />
            <br/>
            <br/>
            <INPUT TYPE="submit" VALUE="Submit" />
            <br/>
            <input TYPE="button" VALUE="Password?"onclick="javascript:document.location='lostpass.php'; return false; "/>
            </form> 
            <pre>
            </pre>
                <h3>Register</h3>
                    <form method="post" action="register.php" name="register" id="register">Name <br/><input type="text" id="name" name="name" ><br/>
                    Email <br/> <input type="text" id="email" name="email"><br/>
                    School <br/> <select name="school" id="school">
                            <option value='Sierra College'>Sierra College</option>
                            <option value='American River'>American River</option>
                            <option value='UC Davis'>UC Davis</option>
                            <option value='UCLA'>UCLA</option>
                            <option value='UCSD'>UCSD</option>
                            </select><br/>
                    Password <br/> <input type="password" id="password" name="password"><br/>
                    Conform Password <br/> <input type="password" id="password2" name="password2"><br/>

                    <br/>
                    <input type="submit" value="Submit">
                    <input type="reset" value="Clear">
                    </form>                         
<?}else{?>
<h3>Welcome</h3> <?php echo $_SESSION["username1"] ?>

<a href="logout.php">Logout</a>
<?}
?>
                <h3>Connect With Us</h3>
                    <ul>
                        <li><a href="#">Twitter</a></li>
                        <li><a href="#">Facebook</a></li>
                    </ul>

        </aside><!-- end of sidebar -->

    </section><!-- end of #main content and sidebar-->

        <footer>
        <section id="footer-area">

            <section id="footer-outer-block">


                    <aside class="footer-segment">
                            <h4>Joubin Jabbari</h4>
                                <p>&copy; 2011 <a href="#">Silentgen.com</a> 
                                presents a site by a student for students. 
                                </p>
                    </aside><!-- end of #fourth footer segment -->

            </section><!-- end of footer-outer-block -->

        </section><!-- end of footer-area -->
    </footer>

</div><!-- #wrapper -->
<!-- Free template created by http://freehtml5templates.com -->
</body>
</html>

The above is my entire code.... the fist few blocks of php is all you need to look at. All I want to is to make sure that the person is trying to edit this post is the person that has posted it. otherwise, they need to be rerouted else where.

Your code `$id = $_GET["id"];$sql = 'SELECT * FROM Books WHERE id = '.$id.' LIMIT 1';` is very prone to sql injections, see http://stackoverflow.com/questions/1683843/is-sql-injection-a-risk-today — konsolenfreddy, Jun 06 '11 at 07:33

Craig White · Accepted Answer · 2011-06-06T07:20:59.017

0

~~hmm... perhaps trying if ( intval($rows['userid']) == intva($currentusers))~~

Ok, you were using the wrong variable name. It is meant to by $currentuser not $currentusers.

if ( $rows['userid'] == $currentuser)
    echo "true";
else
    echo "false";

edited Jun 06 '11 at 07:20

answered Jun 06 '11 at 07:12

Craig White

13,492
4
23
36

So, basically what im trying to do is, find out if the person that is loged in is the person that posted the comment. – nick Jun 06 '11 at 07:15
Ok, i noticed in you new new changes that you are defining `$currentuser = $_SESSION["id"];` But `$currentusers` isn't ever defined. – Craig White Jun 06 '11 at 07:23
ok. that will fix it on a grammer lever. But still. Its returning true even when $currentuser is returning a 2 and $rows['userid'] is returning a 1 – nick Jun 06 '11 at 16:46

Jon · Answer 2 · 2011-06-06T07:25:03.460

0

Nothing is wrong with your conditional statement, so it must be an issue with what is being stored in $currentusers and $rows['userid']. Can you provide more code specific to the values being assigned to those two variables?

EDIT: You have a typo in your code. You're comparing to "$currentusers" instead of "$currentuser". Try this:

if ( intval($rows['userid']) ==  intval($currentuser))
{echo "true";}
else
{echo "fasle";}

edited Jun 06 '11 at 07:25

answered Jun 06 '11 at 07:15

Jon

2,502
4
21
23

Actually. the intval stuff worked. I was just putting it in the wrong area. After i flushed my cookies.... Thanks guys – nick Jun 06 '11 at 16:55

score 0 · Answer 3 · answered Jun 06 '11 at 07:15

based on your variable name your $currentusers is an array of users, if so you can check if a value exists in it with in_array($value,$array);

if not, you have named your variable in a bad manner =D, maybe it's a type problem. cast both of them to int values with intval function

if(inval($rows['userid']) == intval($currentusers))

php if statement and comparison value

3 Answers3