I'm trying to make something that will help me update and customise my site a lot. At the moment I'm working on an admin panel. I've got this as my config.php:

```php
<?php
ob_start(); # allows you to use cookies
$db_username = 'spiral_box'; # database username
$db_password = 'box'; # database password
$db_host = 'localhost'; # database host (usually localhost);
$db_database = 'spiral_box'; # database
$connect = mysql_connect("$db_host","$db_username","$db_password"); # connect to the database
mysql_select_db("$db_database",$connect); # select the database
$uname = addslashes($_COOKIE['username']); # get the username cookie
$pword = addslashes($_COOKIE['password']); # get the password cookie
$query = "SELECT * FROM `users` WHERE username = '".$uname."' AND password = '".$pword."'"; # set a query
$online = mysql_fetch_array(mysql_query($query)); # set an array to get any stored information we want about the browsing user
include ("functions.php"); # include the functions
?>
```

I've got user levels; the default level is a user, and I've set myself to admin. I'm trying to figure out how to make a code so that if the admin is logged in and the level is admin it will show the admin area, and if not it echoes that you do not have the correct privileges. I found this:

```php
<?php
include("config.php");
if($logged[username] && $logged[level] ==admin) echo "test";
?>
```

and tried to see whether I could see it as the admin or as a user, and neither worked. The $logged isn't really for my script and I dunno what to replace it with, if you get me. Thanks.
```php
<?php
include("config.php");
if($logged[username] && $logged[level] ==admin) echo "test";
?>
```

This won't work - you can rather use

```php
<?php
include("config.php");
$usrtmp= 'admin';
if($online["username"]==$usrtmp && $online["level"]==$usrtmp) {echo 'test';}
?>
```

As the previous poster said the code is not secure - you should use $_SESSION['username'] etc.
ok

```php
<?php
include("config.php");
$usrtmp= 'admin';
$usrtmp2= 'Admin';
if($online["username"]==$usrtmp2 && $online["level"]==$usrtmp) {echo 'test';}
?>
```
It still didn't work LOL

EDIT: Sorry I wasn't logged in, thanks! Can anyone help me fix up my system with sessions?
Ahh ... well then why don't you get another more suitable and secure script? I tried to find where the error is but ... Or could you post the error you get?
Not sure if I can post URLs yet but here goes: evolt.org/creating_a_login_script_with_php4_part_2 has a nice demo of such a script.
I really want to keep my current script. A person on MSN who helps me a lot gave me this but said he is too busy to help me any more..

```php
<?
session_id();
session_start();
// Default both flags so neither is undefined when it is tested below
$userLogin = false;
$userConfirm = false;
if (isset($_COOKIE['user_id'])){
    if (isset($_SESSION['user_id'])){
        if ($_COOKIE['user_id'] == $_SESSION['user_id']){
            $userConfirm = false;
            $userLogin = false;
        }else{
            session_destroy();
            setcookie('user_id', '', time() - 10, '', '.electricbeat.net');
            //HACKING ATTEMPT LOG THEIR IP SO YOU CAN BAN THEIR ASS
            $userLogin = true;
        }
    }else{
        $userConfirm = true;
    }
}else{
    $userLogin = true;
}
if ($userLogin){
    //LOGIN FORM HERE
}else{
    if ($userConfirm){
        //CONFIRM LOGIN FORM HERE
    }else{
        //LOGIN FORM HERE
    }
}
?>
```
My advice is to replace addslashes with a function like this:

```php
function sqlesc($x) {
    $value = $x;
    // Stripslashes
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    // Quote if not integer
    if (!is_numeric($value)) {
        $value = "'" . mysql_real_escape_string($value) . "'";
    }
    return $value;
}
```
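For the request above to move this login to sessions, and the advice to stop relying on addslashes, here is an added example that is not from any poster in this thread. It assumes PDO with the SQLite driver, an in-memory `users` table with a `password_hash` column, and constructed sample accounts; `make_db`, `login` and `is_admin` are hypothetical names.

```php
<?php
// Added example, not code from the thread. Assumptions: PDO + SQLite driver,
// an in-memory `users` table, constructed sample accounts.

function make_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT, level TEXT)');
    $ins = $db->prepare('INSERT INTO users VALUES (?, ?, ?)');
    // Constructed accounts; only a hash is stored, never the password itself.
    $ins->execute(['Admin', password_hash('correct horse', PASSWORD_DEFAULT), 'admin']);
    $ins->execute(['bob', password_hash('hunter2', PASSWORD_DEFAULT), 'user']);
    return $db;
}

// Check credentials once, at login. The bound parameter keeps the username
// out of the SQL text, so no addslashes()-style escaping is involved.
function login(PDO $db, string $username, string $password): bool {
    $stmt = $db->prepare('SELECT username, password_hash, level FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true); // fresh session id once the user is authenticated
    }
    // Identity and level are kept server-side; the browser holds only the session id.
    $_SESSION['username'] = $row['username'];
    $_SESSION['level'] = $row['level'];
    return true;
}

// The admin-area gate: reads the session, never a cookie the client can edit.
function is_admin(): bool {
    return isset($_SESSION['username']) && ($_SESSION['level'] ?? '') === 'admin';
}

// Demo from the command line; on a real page call session_start() before any output.
$_SESSION = [];
$db = make_db();
var_dump(login($db, "Admin' OR '1'='1", 'x'));              // quote characters are plain data here
var_dump(login($db, 'bob', 'hunter2'), is_admin());         // valid user, not an admin
var_dump(login($db, 'Admin', 'correct horse'), is_admin()); // valid admin
```

If a user's level can change while they are logged in, re-read it from the database before sensitive actions instead of trusting the value cached in the session.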