littleK

Reputation: 20123

PHP in_array not working

I am using the PHP in_array() function in order to authenticate (with sessions) if a user can access a particular page. For some reason, it is not working...

PHP PAGE

session_start();
require_once('../scripts/functions.php'); 
$role_auth = @$_SESSION['role_auth'];
access($role_auth, array(0,1,2,3,4));

access FUNCTION

function access($role_auth, $array){

if(!(in_array($role_auth, $array))){ 
   header("Location: ../index.html");
}
}

If I insert print statements in the function, I can see that all of the correct values are being passed into the function. The problem is, if the function is called without a session variable set, for some reason it is considered as being in the array, and it authenticates.

Any ideas?

Upvotes: 0

Views: 5944

Answers (4)

Noah Medling

Reputation: 4669

In PHP, the number zero is considered equal to most non-numeric things, for example:

null   == 0
false  == 0
""     == 0
"asdf" == 0

You probably need to make sure that $_SESSION actually contains the 'role_auth' key beforehand and convert it to the appropriate type, also passing the $strict parameter to in_array, thus guaranteeing a type check as well as a value check (=== vs. ==). Removing zero from your array might also be a good idea.

Upvotes: 3

Jason

Reputation: 2049

you may want to enable strict type checks by using:

in_array($role_auth, $array, true)

as what is likely happening is that $role_auth is being eval'd as false and that could match 0 in your in_array statement.

what you SHOULD be doing is this:

session_start(); 
require_once('../scripts/functions.php'); 
$role_auth = (isset($_SESSION['role_auth']))?$_SESSION['role_auth']:-1; 
access($role_auth, array(0,1,2,3,4));

or something similar. nothing good ever comes of using the @ operator

Upvotes: 10

Tom Ritter

Reputation: 101330

 $role_auth = @$_SESSION['role_auth'];

The @ sign is suppressing any warnings you might get here, like index is not in array. How about something like this instead:

 if(isset($_SESSION['role_auth']))
    $role_auth = $_SESSION['role_auth'];
 else
    $role_auth = -1;//(or whatever an invalid role is)

Upvotes: 3

Cfreak

Reputation: 19309

I would check to see if $_SESSION['role_auth'] is actually set (with isset) instead of using @ to suppress warnings (which is bad practice IMHO)

I think what's happening is that false == 0 ... so in_array returns true when nothing is in $role_auth because it sees it as 0 and 0 is in your array

Upvotes: 3
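The fixes suggested in the answers above (isset instead of @, and the strict third argument to in_array), combined into one guard and run beside the question's loose check. This is an added example, not code from the original posts. The helper names role_allowed_loose and role_allowed_strict, the array-parameter form of access, the digit-string normalisation, the exit after the redirect and the sample sessions are assumptions made for the illustration.

```php
<?php
// Loose check, as in the question: a missing key becomes null, and null == 0.
function role_allowed_loose(array $session, array $allowed): bool
{
    $role = @$session['role_auth'];
    return in_array($role, $allowed);
}

// Hardened check: the key must exist, hold an integer (or an all-digit string,
// as a role loaded from a database column may be), and match strictly.
function role_allowed_strict(array $session, array $allowed): bool
{
    if (!isset($session['role_auth'])) {
        return false;                       // no role in the session: deny
    }
    $role = $session['role_auth'];
    if (is_string($role) && ctype_digit($role)) {
        $role = (int) $role;                // "2" -> 2; "" and "asdf" stay strings
    }
    return is_int($role) && in_array($role, $allowed, true);
}

// Page guard: deny by default and stop the script after the redirect,
// otherwise the protected page body still runs and is sent to the client.
function access(array $session, array $allowed): void
{
    if (!role_allowed_strict($session, $allowed)) {
        header('Location: ../index.html');
        exit;
    }
}

// Constructed sample sessions (not from the original post).
$samples = [
    'no role_auth key' => [],
    'false'            => ['role_auth' => false],
    'empty string'     => ['role_auth' => ''],
    'int 0'            => ['role_auth' => 0],
    'string "2"'       => ['role_auth' => '2'],
    'int 7'            => ['role_auth' => 7],
];
$allowed = [0, 1, 2, 3, 4];

foreach ($samples as $label => $session) {
    printf("%-18s loose=%-5s strict=%s\n", $label,
        var_export(role_allowed_loose($session, $allowed), true),
        var_export(role_allowed_strict($session, $allowed), true));
}
```

From PHP 8.0 onward a non-numeric string no longer compares equal to 0, but null == 0 and false == 0 still hold, so the loose check still admits a session with no role set.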
