I am trying to create sessions and entry to pages based on a person's "role" in the database. I thought I nailed the logic and I created the code. It worked. Problem is, it works for everyone. I wanted some help to point out why my code is logically incorrect when to me it's on point. Any help will be greatly appreciated. Here is my code. It seems to let in anyone whose role is not 'Admin' and I can't pinpoint why:
```php
function auth($email, $pass) {
    global $result;
    // $result is expected to already hold a query over the user table
    while ($row = mysql_fetch_array($result)) {
        if ($email == $row["email"] && $pass == $row["password"]) {
            return true;
        }
    }
    return false;
}

function test($email, $pass) {
    $test1 = auth($email, $pass); // <-- above
    if ($test1) {
        get_role($email); // <-- below (This is the one where I'm puzzled)
        $_SESSION['email'] = true;
        header('location:menupage.php');
        exit;
    } else {
        echo "Please enter correct username and password or <a href='register.php'>Register</a>";
    }
}

function get_role($email) {
    global $connection;
    // $email is interpolated straight into the SQL string here
    $sql = "SELECT * FROM exam WHERE email= '$email'";
    $result = mysql_query($sql, $connection);
    confirm_query($result);
    while ($row = mysql_fetch_array($result)) {
        if ($row["role"] == 'Admin') {
            $_SESSION['role'] = true;
        } else {
            $_SESSION['role'] = false; // still sets the key, just to false
        }
    }
}
```
And this is the header for the administrative page that has the session check:

```php
<?php
session_start();
if (!isset($_SESSION['role'])) {
    $_SESSION['msg'] = 'you are not logged in';
    header('location: menupage.php');
    exit;
}
?>
```
`$_SESSION['role'] = false` is still a variable that is set, so `!isset($_SESSION['role'])` will not evaluate as you expect. Use something like:

Admin page:

```php
if ($_SESSION['role'] === false) { ...
```
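As an added example that is not part of either post, here is the same flow written so that the admin guard compares the stored role value instead of testing for the key's presence; it assumes a PDO connection `$pdo`, passwords stored as `password_hash()` output in the `exam` table, and a role column holding strings such as `'Admin'`:

```php
<?php
// Added example, not the asker's or answerer's code. Assumes a PDO
// connection $pdo and a table `exam` with columns email, password
// (password_hash() output) and role.

// Returns the user's role string, or null when credentials are wrong.
function authenticated_role(PDO $pdo, string $email, string $pass): ?string
{
    // Prepared statement: $email is bound, never interpolated into SQL.
    $stmt = $pdo->prepare('SELECT password, role FROM exam WHERE email = ? LIMIT 1');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($pass, $row['password'])) {
        return null;
    }
    return $row['role'];
}

// Login handler: on success store the role string; on failure store nothing.
function login(PDO $pdo, string $email, string $pass): bool
{
    $role = authenticated_role($pdo, $email, $pass);
    if ($role === null) {
        return false;
    }
    session_regenerate_id(true);   // fresh session id after privilege change
    $_SESSION['email'] = $email;
    $_SESSION['role']  = $role;    // e.g. 'Admin' or 'User', not true/false
    return true;
}

// Guard for the admin page: compare the value, do not test for presence.
// isset($_SESSION['role']) is true even when the value is false or 'User'.
function require_admin(): void
{
    if (($_SESSION['role'] ?? null) !== 'Admin') {
        $_SESSION['msg'] = 'admin access only';
        header('Location: menupage.php');
        exit;
    }
}
```

Call `session_start()` before `login()` or `require_admin()`; the `?? null` default keeps the guard correct when the key is absent entirely.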