Include different file for type of user 3


d0nny

IS-IT--Management
Dec 18, 2005
278
GB

I have a php login section on my website and I have added a few more columns to my 'users' table to include an 'authorised' column and also a menu file column.
Basically, a user can register but they do not become active until an Admin user edits the user to 'authorised'.
The menu item is the bit that has confused me.

Basically, I list a PHP include for a menu of items when a user is logged in and I want to have two separate menu files. I want to have menu.php as the default and then menu_admin.php as the Admin menu file.

Normally, I just have this in my source which loads the menu file:
Code:
<?php include('menu.php'); ?>

But I now have this value stored in the user table (menu.php). If a user logs in and is an admin user, the user table will have this value as 'menu_admin.php' so I want to be able to include this as the include file.

Any ideas on how I can do that?
(If you can understand what I'm trying to do!)
 
something like
Code:
<?php
if ($auth>1) {
include('menu_admin.php');
}
?>
where $auth is set depending on the auth level of your user
in this case 2 or greater = admin
 
Thanks IPGuru, but I'm not using auth level - it's much simpler than that.
Basically, I have one type of user and I just want to include a different menu file as the auth level. Probably not the best way to do it, but it might be the simplest for my requirements.
 
So how do you identify what type of user is requesting the page?
Either all users get the admin menu as well or you need to identify the user type.
 
No, the user table (in MySQL) has a menu field that contains the value of either 'menu.php' or 'menu_admin.php'. By default, this value is always 'menu.php' as I only ever see about 2-3 admin users, ever.
So it would be a manual change for me to add menu-admin.php as the value for a specific user in the users table.

So, depending on this value, the user would see their specific menu.

As I say, not the best way of doing it, but maybe the easiest for me!
 
Then, the answer will be to include the script pointed to by the content of said field - Say $row is where you dump your query results
Code:
include ($row['php_script_name_field']);

Hope this helps!



--
SouthBeach
The good thing about not knowing is the opportunity to learn - Yours truly, 2008.
 
Be careful with the security of the database.

Storing the file name in the database could potentially be a security hole.
If someone changes the file name they can possibly insert malicious code into your site.
 
@IPGuru
hopefully that wouldn't be possible due to the design.

but if it is then this would get around the problem

Code:
$permittedMenus = array('menu.php', 'menu_admin.php');
if (in_array($row['menu'], $permittedMenus)){
 include $row['menu'];
} else {
 include 'menu.php';
}

I assume that menu and menu_admin are stored outside the webroot or otherwise made inaccessible? Or if not, that the actions spawned by the admin menu are tested at an auth level when used.
 
@IPguru and @jpadie, very good point and alternative!



--
SouthBeach
The good thing about not knowing is the opportunity to learn - Yours truly, 2008.
 
Thanks for the suggestions, and thanks IPGuru for the word of warning regarding the DB.

Here's my script which doesn't work. I suspect I've screwed something up in this part somewhere...

Code:
<?php
include ('/home/blah/blah/mysql_connect.php');
$u = ($_SESSION['user']);
$querym="SELECT menu FROM users WHERE $u='user_email'";
$row= mysql_query ($querym);
include ($result['menu']);
?>

Where is this going wrong?
 
You need to fetch for a record, add this line before your include command
Code:
$result = mysql_fetch_assoc($row);

Pay close attention to potential security issues as posted above!



--
SouthBeach
The good thing about not knowing is the opportunity to learn - Yours truly, 2008.
 
Oh boy, this has totally lost me now.
I added the extra line ($result...) to my code but it still failed with an extra warning.

Whereas I simply had this in my page:
Code:
<?php include ('banner.php'); ?>

I've now got this:
Code:
<?php
include ('/home/blah/includes/mysql_connect.php');
$u = ($_SESSION['user']);
$querym="SELECT menu FROM users WHERE $u='user_email'";
$row= mysql_query ($querym);
$result = mysql_fetch_assoc($row);
include ($result['menu']);
?>
but this doesn't work.

Also, how would I integrate the code suggested by jpadie into this?
 
It would help if you told us what the warning is.

You could also add error checking to figure out what is going on:

Code:
<?php
include ('/home/blah/includes/mysql_connect.php');
$u = ($_SESSION['user']);
$querym="SELECT menu FROM users WHERE $u='user_email'";
$row= mysql_query ($querym) or die(mysql_error());
$result = mysql_fetch_assoc($row);
include ($result['menu']);
?>
Also I'm guessing user_email in your query is a variable. If so, you either missed a $ character, or just did not copy it in your example above.

You may also want to check that rows are actually being returned.
Code:
if(mysql_num_rows($row)<1){
echo "No rows are being returned";
}

----------------------------------
Ignorance is not necessarily Bliss, case in point:
Unknown has caused an Unknown Error on Unknown and must be shutdown to prevent damage to Unknown.
 
Code:
<?php
include ('/home/blah/includes/mysql_connect.php');
session_start();
$u = isset($_SESSION['user']) ? $_SESSION['user'] : null;
if (!empty($u)){
  $querym="SELECT menu FROM users WHERE user_email='".mysql_real_escape_string($u)."'";
  $result = mysql_query ($querym) or die (mysql_error());
  $row = mysql_fetch_assoc($result);
  $permittedMenus = array('menu.php', 'menu_admin.php');
  if (!empty($row) && in_array($row['menu'], $permittedMenus)){
    include $row['menu'];
  } else {
   include 'menu.php';
  }
} else {
 include 'menu.php';
}?>
 
Things to consider
1. Is $u same as 'user_email'?
2. Is field name menu valid?
3. Is table name users valid?

I see that you are placing $_SESSION['user'] to $u and yet you are comparing it to 'user_email', is this correct?

What error message are you getting? If no error message, then explain what you mean by "it does not work".

As per using jpadie's code you would:
Code:
include ('/home/blah/includes/mysql_connect.php');
$u = ($_SESSION['user']);
//Build query string
$querym='SELECT menu FROM users WHERE `'.$u.'` =  "user_email"';

// Run query statement
$row= mysql_query ($querym);

// Fetch record from returned query
$result = mysql_fetch_assoc($row);

/* Lets make sure we protect ourselves from injections */

// Set an array element for each valid menu/script you 
// expect to use here ...
$permittedMenus = array('menu.php', 'menu_admin.php');

// Lets make sure that the menu/script name is one of those
// declared as valid on above array
// $result holds the fetched record ($row is only the query resource)
if (in_array($result['menu'], $permittedMenus)){
 // menu/script name is valid
 include $result['menu'];
} else {
 // menu/script name is not valid
 // lets include our default menu/script
 include 'menu.php';
}




--
SouthBeach
The good thing about not knowing is the opportunity to learn - Yours truly, 2008.
 
Sorry for the redundancy ... You guys must have posted as I was typing ...

--
SouthBeach
The good thing about not knowing is the opportunity to learn - Yours truly, 2008.
 
Sorry chaps, yes, I should have copied the warnings from the page into my response.

I actually just copied the code from jpadie into my page and everything worked fine. I tested it by changing the value of the menu field in the DB and the other menu item loaded, so it seems to be recognising that value and loading it OK.

It seems that I bit off more than I could chew with this one!
But many thanks for all your help.
I do understand that there is a slight security risk with this but ultimately any hacker would need to change the value in my DB to cause any damage, and if they got into my DB, the least I would be worried about is them changing this value.

Again, this thread reminds me of why Tek-Tips rocks!
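
The allow-list check discussed in this thread, carried over to PDO with a bound parameter (the `mysql_*` functions used above were removed in PHP 7). This is an added example, not code from any of the posters. Assumptions: the function name `resolveMenu` is hypothetical, an in-memory SQLite database stands in for the MySQL `users` table, `authorised` is stored as 0/1, and all sample rows are constructed.

```php
<?php
// Added example (not from the thread). Constructed schema and data;
// an in-memory SQLite database stands in for the MySQL `users` table.
declare(strict_types=1);

// Fixed allow-list: the only files this page will ever include.
const PERMITTED_MENUS = ['menu.php', 'menu_admin.php'];
const DEFAULT_MENU    = 'menu.php';

/**
 * Return the menu file for $email, or the default when the user is unknown,
 * not authorised, or the stored value is not on the allow-list.
 */
function resolveMenu(PDO $db, ?string $email): string
{
    if ($email === null || $email === '') {
        return DEFAULT_MENU;
    }
    // Prepared statement: the session value is bound, never concatenated.
    $stmt = $db->prepare(
        'SELECT menu FROM users WHERE user_email = ? AND authorised = 1'
    );
    $stmt->execute([$email]);
    $menu = $stmt->fetchColumn();          // false when no row matches

    // Strict comparison so only exact strings from the list pass.
    return in_array($menu, PERMITTED_MENUS, true) ? $menu : DEFAULT_MENU;
}

// --- Constructed sample data (assumed layout: authorised is 0 or 1) ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (user_email TEXT, authorised INTEGER, menu TEXT)');
$rows = [
    ['admin@example.test',   1, 'menu_admin.php'],
    ['user@example.test',    1, 'menu.php'],
    ['pending@example.test', 0, 'menu_admin.php'],     // not yet authorised
    ['edited@example.test',  1, '../other/file.php'],  // value not on the list
];
$ins = $db->prepare('INSERT INTO users VALUES (?, ?, ?)');
foreach ($rows as $r) { $ins->execute($r); }

foreach (array_column($rows, 0) as $email) {
    printf("%-22s -> %s\n", $email, resolveMenu($db, $email));
}
// On a real page: include __DIR__ . '/' . resolveMenu($db, $_SESSION['user'] ?? null);
```

Only the first row resolves to `menu_admin.php`; the other three fall back to `menu.php`. As noted earlier in the thread, the actions reachable from the admin menu still need their own authorisation check, since the menu file only controls what is displayed.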
 