Take a step back to the case in which you get a list of groups as $groups. You should loop over each group and, for each group, build a SQL query.
Start out by just looping over the $groups array. You can use a for loop, but in this case there’s a better choice: foreach. foreach lets you loop over an array and automatically assigns a variable to the current item in the array:
Think through what happens inside the loop. You want something similar to the original SQL you used to connect users to groups:
This query is actually more complex than what you need in authorize_user. First, you don’t need the users table at all. That table is only part of the query to connect a username to a user_id. However, your app already has the user’s user_id, so things simplify to this:
There’s another improvement you can make, too. In the preceding query, you’d need to get the result row and see whether the value is a 0 (no membership) or a 1 (membership). But that’s an additional step. Better to just check whether there’s a result at all. In other words, you want a query that returns a result row only if there’s a match; therefore, make another change:
This query works, and it doesn’t require the users table. The downside is that you’re constructing this string over and over again. For every group, this string is re-created, and that’s wasteful.
Here’s where you rekindle your friendship with sprintf. With sprintf you can construct a single string, give it a format specifier or two (such as %d or %s), and insert a value for each specifier into the string. The string itself remains unchanged; you’re supplying only the data within that string that varies.
As a result, you can construct the query string outside of the foreach, like this:
Then, within the foreach, use sprintf to supply the values to drop into the string for a particular group:
In addition to using sprintf, this code assigns the current user ID from $_COOKIE to the string assembled outside of the loop. There’s no need to feed that to sprintf, because it won’t change as you loop. Keep in mind, though, that sprintf does no validation or escaping: the cookie value and each group name land in the SQL exactly as they arrived, and a cookie is set by the client, so cast the user ID to an integer and escape (or, better, parameterize) the group name before the query reaches the database.
Allow, Deny, Redirect
With a solid query in place, it’s time to deal with the results. You can check the number of rows to know all you need: if no rows were returned, the user isn’t a member of the group indicated by $group, and your loop should continue, going to the next $group in $groups.
If there is a row returned from the query, not only is the user in an allowed group, but authorize_user needs to stop. There’s no need to continue looping over $groups; just return control to the calling script so that the PHP and HTML of that script can take over.
And then, the final case: all the groups have been checked, and there’s never been a result row. This is the case when the foreach loop ends. If that happens, it’s not okay to send control back to the calling script, because that would be letting the user “in,” and that’s exactly the opposite of what should happen. It’s also not appropriate to redirect the user back to the sign-in page. He is signed in; at least in most cases, he just doesn’t have the right level of permissions to access the current page.
So, what’s left? In the simplest case, just use handle_error one more time. You might want to build this out yourself, though. Perhaps you could redirect the user to the last page he viewed and set an error message. Or, you could build a customized page to let the user request permissions for a certain page. No matter how you cut it, though, you’re going to be sending him somewhere else; the current page is never shown.
It’s been a long time coming, but you can finally try this out. Ensure that you’ve got a user in users who is a member of Administrators (through the table that connects users to groups) and one who’s not. The former should be able to navigate to the page protected by authorize_user without any problems; the latter should be kicked to the error page, as shown in Figure 14-2.
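The whole function, as an added example that is not the page’s own code: it covers both the query built once outside the loop and filled in per group, and the allow/continue/deny handling of the result. It assumes a mysqli connection in $conn, the page’s handle_error() helper (which shows the error page and exits), a cookie named user_id, and a schema with user_groups(user_id, group_id) joined to groups(group_id, name); all of those names are assumptions. In place of sprintf it uses a prepared statement with ? placeholders, which is the same build-once, fill-per-group pattern with the database doing the substitution, so neither the cookie value nor a group name can alter the SQL.

```php
<?php
// Added example, not the page's own code. Assumed: a mysqli connection in
// $conn, the page's handle_error() helper (shows the error page and exits),
// a cookie named user_id, and a schema with user_groups(user_id, group_id)
// joined to groups(group_id, name). The include paths are hypothetical.
require_once 'scripts/app.php';      // hypothetical: defines handle_error()
require_once 'scripts/database.php'; // hypothetical: opens $conn (mysqli)

function authorize_user(array $groups): void {
    global $conn;

    // A cookie is supplied by the client and can hold anything, so validate it
    // before it goes anywhere near SQL. (A server-side session that records who
    // signed in is the sturdier place to keep the user's id.)
    if (!isset($_COOKIE['user_id']) || !ctype_digit((string) $_COOKIE['user_id'])) {
        handle_error("You must sign in before viewing this page.");
    }
    $user_id = (int) $_COOKIE['user_id'];

    // Build the query once, outside the loop. The ? placeholders play the part
    // of sprintf's %d and %s, but the database fills them in, so a group name
    // such as "Administrators' OR '1'='1" can never change the query's meaning.
    // Any row at all means membership; there is no 0/1 column to inspect.
    $sql = "SELECT ug.user_id
              FROM user_groups ug
              JOIN groups g ON g.group_id = ug.group_id
             WHERE ug.user_id = ? AND g.name = ?";
    $stmt = $conn->prepare($sql);
    if ($stmt === false) {
        handle_error("Unable to prepare the authorization query: " . $conn->error);
    }

    // bind_param takes its arguments by reference, so binding once here and
    // letting foreach reassign $group is enough: only the values change per group.
    $group = '';
    $stmt->bind_param('is', $user_id, $group);

    foreach ($groups as $group) {
        if (!$stmt->execute()) {
            handle_error("Unable to run the authorization query: " . $stmt->error);
        }
        $stmt->store_result();
        $member = $stmt->num_rows > 0;
        $stmt->free_result();

        if ($member) {
            // In an allowed group: stop looping and hand control back to the
            // calling script so its PHP and HTML can take over.
            $stmt->close();
            return;
        }
        // No row: not in this group. Fall through to the next $group.
    }
    $stmt->close();

    // Every group checked and never a match. The user is signed in but lacks
    // permission, so neither fall through to the page nor bounce to sign-in:
    // send the user somewhere else. handle_error() does not return.
    handle_error("You do not have permission to view this page.");
}

// Usage at the top of a protected page (constructed example):
// authorize_user(['Administrators', 'Editors']);
```

The prepared statement is compiled once and executed once per group, which is exactly the saving the sprintf approach was after; the difference is that the values travel to the database separately from the SQL text. If you keep the sprintf version instead, the same two inputs (the cookie and each $group) are the ones that need to be cast or escaped before the string is assembled.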