Display usertype after login

General PHP Help
#1

Hello,

I want to display user type (admin/ employee) & permissionId after they login, how do I do so?

  1. user: userId, username, userpassword
    1, peterparker, 123
    2. tonystark, 123

  2. permission: permissionId, permissionName
    1, admin
    2, user

  3. permission_user: id, userId, permissionId
    1, 2, 1
    2, 1, 2

For permissionId, I have the following code:

<?php
include ("dbh.inc.php");
$userId = $_SESSION["usersid"];
$sql = "SELECT permissionId from permission_user WHERE userId = '$userId'";
$result = mysqli_query($conn, $sql);

After that, I am not too sure what syntax is to display the result. For instance, based on the dummy data provided above, we know that Tony Stark is an admin, hence I want it to display “1” which stands for admin.

Thanks.

#2

Well, first, I would put anything that has to do with a user in one row of data in the user-table.
You should have the user level and permission level in the save row as the name and password.
No need to split them all up. Unless you have some hidden reason for that?!?

When you check the username and password for logging into your site, you would retrieve the row of user data which would include the user level. You can use numbers as you showed, but, why not just use the actual data to be displays. this would save a lot of work. You would SELECT * FROM users WHERE username=… AND password=… Then, check if you have any records in the results. If you do not have any records found, then the user does not exist and display a message stating so. If a record is found, you will already have the ADMIN or USER in the user-level and you can just display it where needed.
If you need to use numerical levels, you can just keep a table of the possible text versions in an array and use them as needed. like $user_levels=array(1=>“ADMIN”, 2=>“USER”); and echo $user_levels($level); to display them. Just some thoughts to get you started thinking about it.

#3

Don’t put dynamic values directly into sql query statements (also, don’t copy variables to other variables for nothing.) Today, you know for certain what type of value is in the session variable. However, if you are doing this for real, once this code is out of your hands, someone could make changes to the application, such as logging in through a third-party api, and the value could end up being anything. You should always use external, unknown, dynamic values safely in whatever context they are being used in. In an sql context, always use a prepared query when supplying external, unknown, dynamic values to the query when it gets executed.

In your previous thread, I posted an example of querying for and retrieving the permission id, using the much simpler PDO extension, and using a prepared query. You are free to convert that example to use the mysqli extension if you desire.

Sponsor our Newsletter | Privacy Policy | Terms of Service