此特权代码有什么问题？

Question

how to check privilege in "check"php code or page ??

I using explode and in_array

after the user log in and in "check" page the code must check privilege of user if he has "dataDisplay" privilege or not ..but the code in "check" page doesn't do that

what's my wrong in "check" page code

this is my Database:

+--------------------+-------------------------------+
| username           |   user_privilege              |
|--------------------|-------------------------------|
| amal               |7gz,agt_courses,newbill        | 
|                    |                               |
+----------------------------------------------------+
|                    |                               |
| ahmed              |dataDisplay,previllige,newUsers|
+----------------------------------------------------+

first page "login" php:

<?php
ob_start();
session_start();
include '../connection/connect.php';

$username = $_POST['username'];
$password = $_POST['password'];


if($username && $password ){
    $finduser = mysqli_query($link,"SELECT * FROM LOGIN WHERE username = '".$username."' AND password = '".$password ."'") or die("error");
    if(mysqli_num_rows($finduser) !=0){
        while($row = mysqli_fetch_array($finduser)){
            $uname = $row['username'];
            $pass= $row['password '];
            $arr=explode(",",$row['user_privilege']);
        }
    }
        {
        $_SESSION['sessionname'] =$uname;
        $_SESSION['sessionpass'] =$password ;
        $_SESSION['sessionpre'] =explode(",",$row['user_previllige']);
        header ("location:../agtSite/agt2.php");
    }
} 
ob_end_flush();
?>

second page "check" php:

<?php
session_start();

$_SESSION['sessionpre']='';

$haspermission =in_array("dataDisplay",$_SESSION['sessionpre']);


if( $haspermission )
{
    header("location: agt2.php");
    }

else{header("location: ../display/display.php");}

?>

Answer 1

You forgot to add else block, a problem you could avoid if you indent your code properly. Make sure you create the session only if you find a user

if(mysqli_num_rows($finduser) !=0){
    while($row = mysqli_fetch_array($finduser)){
        $_SESSION['sessionname'] =$row['username'];
        $_SESSION['sessionpass'] = $row['password '];
        $_SESSION['sessionpre'] = explode(",",$row['user_previllige']);
        header ("location: ../check.php");
    }
}
else{
//could not find user
}

Also as the others pointed out in the comments you to prevent SQL injection .

Answer 2

1. The else that others are pointing out is a problem.

2. So is the apparent typo in user_previllige .

3. In your else block, you refer to $uname and $row['user_previllige'] , but these things only have meaning in the if block; they are undefined if you are in the else block.

4. Are you sure you are connected to the database? I see $link , but you don't include the code you used to initiate the connection in the code above.

5. As others have pointed out, this is extremely vulnerable to SQL injection .

6. Also, don't store passwords in plain text ! Salt and hash them. Assume that they will be stolen one day, and design your application so it wouldn't matter, because the salted and hashed value would be useless.