tags:

views:

66

answers:

1

Hello, I am working on an authorization script that checks for user name, password and access level (roles). It works fine as long as there is only one role to check.

I would like to learn how I can put the roles into an array and have the database check if any of them are present in the database for the logged in user. Right now it only checks for one role.

Question: How do I construct an array for the allowed roles and then have the query check if any of them are a match?

<?php
// allowed roles
$allowedRoles = 'role1';

// needs to be like:
$allowedRoles = array('role1','role2','role3','etc.');

//------------------------------------------------------------
// instantiate sessions
//------------------------------------------------------------
if (!isset($_SESSION)) {
  session_start();
}

//------------------------------------------------------------
// define auth variables
//------------------------------------------------------------
$first_pass = 0; // sessions
$second_pass = 0; // password
$third_pass = 0; // role

//------------------------------------------------------------
// check if sessions exist and are valid
//------------------------------------------------------------
if(!empty($_SESSION['UserName']) && !empty($_SESSION['Password']) && !empty($_SESSION['LoggedIn']) && $_SESSION['LoggedIn'] == 1)
{
    // FIRST PASS OK!
    $first_pass = 1;
    echo 'PASSED: 1st ';
}

if($first_pass == 1)
{
    //------------------------------------------------------------
    // include db connection
    //------------------------------------------------------------
    require_once('../../connections/mysql.php');

    // set variables
    $session_un = $_SESSION['UserName'];
    $session_pw = $_SESSION['Password'];

    // DB QUERY: check username SESSION credential against db
    // ------------------------------------------------------------------
    $session_auth = mysqli_query($conn, "SELECT UserId, UserName, Password FROM users WHERE UserName = '$session_un' AND IsApproved = 1 AND IsLockedOut = 0 LIMIT 1")
    or die($dataaccess_error);
    // ------------------------------------------------------------------

    if(mysqli_num_rows($session_auth) == 1)
    {
        $row = mysqli_fetch_array($session_auth);
        $auth_UserId = $row['UserId'];
        $auth_Password = sha1(sha1($row['Password']));

        // if passwords match
        if($auth_Password == $session_pw)
        {
            // SECOND PASS OK!
            $second_pass = 1;
            echo 'PASSED: 2nd ';

            if($second_pass == 1)
            {
                // DB QUERY: check ROLE credentials in db
                // ------------------------------------------------------------------
                $auth_roles = mysqli_query($conn, "SELECT UserId, RoleId, RoleName FROM users_in_roles WHERE UserId IN ($auth_UserId) AND RoleName IN ('$allowedRoles')")
                or die($dataaccess_error);
                // ------------------------------------------------------------------

                if(mysqli_num_rows($auth_roles) > 0)
                {
                    // THIRD PASS OK!
                    $third_pass = 1;
                    echo 'PASSED: 3rd ';
                }
                else
                {
                    // redirect back to login page
                    header('Location: ../../login.php');
                    // stop the script here: header() only sends a redirect,
                    // it does not halt execution of the rest of the page
                    exit;
                }
            }
        }
    }
}

?>

Thank you!

+3  A: 

You're almost there. You just need to convert your list of allowed roles from an array into a string:

$allowedRoles = "'" . implode("', '", $allowedRoles) . "'";

$auth_roles = mysqli_query($conn, "SELECT UserId, RoleId, RoleName FROM users_in_roles WHERE UserId IN ($auth_UserId) AND RoleName IN ($allowedRoles)");
meagar
You need to wrap your `implode` with rtrim like `rtrim(implode(...), ',')`. Otherwise, you'll have trailing commas, and MySQL errors.
Chris Henry
@Chris `implode` only inserts the 'glue' text *between* elements, not before/after. The solution works as posted.
meagar
@meagar, Thanks so much! This is exactly what I wanted to learn to do. I had to look up what implode is and I'm glad I did.
Scott W.
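The accepted answer builds the IN (...) list by quoting and imploding the role names directly into the SQL string. That is fine while the roles are constants typed by the developer, but the same pattern becomes an injection point the moment a role name ever comes from user input. The following is an added example (not the question's code, not meagar's answer, and not part of the original thread) that does the same role check with a mysqli prepared statement: it generates one placeholder per allowed role and binds the values, so nothing is concatenated into the query. It assumes that $conn is a connected mysqli object (such as the one the question's connections/mysql.php provides), that $auth_UserId is the id resolved in the question's second pass, and that users_in_roles has the UserId and RoleName columns shown in the question; the function name userHasAnyRole is hypothetical.

```php
<?php
// Added example: prepared-statement version of the question's third pass.
// Assumptions: $conn is a connected mysqli object, $auth_UserId comes from
// the question's second pass, table users_in_roles(UserId, RoleName) exists.

/**
 * Return true if $userId holds at least one of the roles in $allowedRoles.
 * Role names are bound as parameters, never interpolated into the SQL.
 */
function userHasAnyRole(mysqli $conn, int $userId, array $allowedRoles): bool
{
    if ($allowedRoles === []) {
        // "IN ()" is a MySQL syntax error, and an empty allow-list should
        // grant nothing, so fail closed instead of running a query.
        return false;
    }

    // One "?" per role, e.g. "?, ?, ?" for three roles.
    $placeholders = implode(', ', array_fill(0, count($allowedRoles), '?'));

    $sql = "SELECT COUNT(*) FROM users_in_roles "
         . "WHERE UserId = ? AND RoleName IN ($placeholders)";

    $stmt = $conn->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $conn->error);
    }

    // Type string: "i" for UserId, then one "s" per role name.
    $types = 'i' . str_repeat('s', count($allowedRoles));
    $stmt->bind_param($types, $userId, ...$allowedRoles);

    if (!$stmt->execute()) {
        $stmt->close();
        throw new RuntimeException('execute failed: ' . $conn->error);
    }

    $stmt->bind_result($matches);
    $stmt->fetch();
    $stmt->close();

    return $matches > 0;
}

// Usage, as it would slot into the question's third pass
// ($conn and $auth_UserId are assumed to exist from the earlier passes):
$allowedRoles = array('role1', 'role2', 'role3');

if (userHasAnyRole($conn, (int) $auth_UserId, $allowedRoles)) {
    // THIRD PASS OK!
    $third_pass = 1;
    echo 'PASSED: 3rd ';
} else {
    // redirect back to login page and stop; header() alone does not halt the script
    header('Location: ../../login.php');
    exit;
}
```

Two points worth noting: the empty-array case is handled explicitly because `IN ()` is invalid SQL and silently granting or denying on a malformed query is the kind of edge case that turns into an authorization bug; and `exit` follows the redirect because, as in the original script, `header()` only sends the Location header and the rest of the page would otherwise keep executing for an unauthorized user.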