Admin and User Login Problem

Question

urbanthistleuk 0 Newbie Poster

13 Years Ago

Good Morning,

I am recently new to php development and have come across an issue that I can't quite get my head around and need some assistance if possible.

I have been tasked to build a Task Logger in php which I have successfully done and is working fine, the current login system works well and store a session of the username that is logged in, this issue I have now come across is I want to be able to separate the log user types for example admin, user and suspended account into sections, I have added a column in my sql table called 'admin' which uses number 0,1 and 9, with 9 being an admin user. I have compiled some code after doping research into it, but when trying to log in I am getting a blank page, I am now stuck!!, I have attached my code below

<?php


session_start();


include('config.inc');
        
	     $isAdmin = mysql_query("SELECT * FROM user WHERE (username = '" . mysql_real_escape_string($_POST['username']) . "') and (password = '" . mysql_real_escape_string(md5($_POST['password'])) . "') and admin = '9'");
	     if(mysql_num_rows($result) == 1) {
	     $_SESSION['username'] = $_POST['username'];
	     header("Location: main.php?admin=1"); 
	 exit;
         $result = mysql_query("SELECT * FROM user WHERE (username = '" . mysql_real_escape_string($_POST['username']) . "') and (password = '" . mysql_real_escape_string(md5($_POST['password'])) . "') and admin = '1'");
		 if(mysql_num_rows($result) == 1) {
		 $_SESSION['username'] = $_POST['username'];
		 header("Location: main.php");
	 exit;
	     $result = mysql_query("SELECT * FROM user WHERE (username = '" . mysql_real_escape_string($_POST['username']) . "') and (password = '" . mysql_real_escape_string(md5($_POST['password'])) . "') and admin = '0'");
		 if(mysql_num_rows($result) == 1) {
		 header("Location: index.php?error=3");
	 exit;
	 } else {
		header("Location: index.php?error=1");
		}
}

?>

My old code looked like this below and would like to utilise it for my situation

<?php

session_start();

include('config.inc');

$login = mysql_query("SELECT * FROM user WHERE (username = '" . mysql_real_escape_string($_POST['username']) . "') and (password = '" . mysql_real_escape_string(md5($_POST['password'])) . "')");

if (mysql_num_rows($login) == 1) {
        
        $_SESSION['username'] = $_POST['username'];
       
        header('Location: main.php');
}
else {
      
        header('Location: index.php?error=1');
}

?>

I understand that these type of question have been asked many times before and I apologies in advance but I am unable to find anything to resolve this issue, it would be great to finally get this working!

Thanks in advance

Martin

php

5 Contributors
9 Replies
198 Views
1 Day Discussion Span
Latest Post 13 Years Ago Latest Post by vaibhav1983

binaryaddict 0 Newbie Poster

13 Years Ago

You are not differentiating between the three different results because the if-statement at #10 overspans all three possibilities. Try using a closing brace after the first exit-statement, and continuing with elseif-statements for the other two possibilities.

<?php
if($isAdmin)
{
    // Do something.
    exit;
}
elseif($isUser)
{
    // Do something.
    exit;
}
elseif($isSuspended)
{
    // Do something.
    exit;
}
else
{
    // Error ...
}
?>

cwarn23 387 Occupation: Genius

13 Years Ago

<?php


session_start();


include('config.inc');
        
$isAdmin = mysql_query("SELECT * FROM user WHERE (username = '" . mysql_real_escape_string($_POST['username']) . "') and (password = '" . mysql_real_escape_string(md5($_POST['password'])) . "') and admin = '9'");
if(mysql_num_rows($result) == 1) {
$_SESSION['username'] = $_POST['username'];
header("Location: main.php?admin=1"); 
    exit;
    }
$result = mysql_query("SELECT * FROM user WHERE (username = '" . mysql_real_escape_string($_POST['username']) . "') and (password = '" . mysql_real_escape_string(md5($_POST['password'])) . "') and admin = '1'");
    if(mysql_num_rows($result) == 1) {
	$_SESSION['username'] = $_POST['username'];
	header("Location: main.php");
    exit;
    }
$result = mysql_query("SELECT * FROM user WHERE (username = '" . mysql_real_escape_string($_POST['username']) . "') and (password = '" . mysql_real_escape_string(md5($_POST['password'])) . "') and admin = '0'");
if(mysql_num_rows($result) == 1) {
    header("Location: index.php?error=3");
    exit;
	}

header("Location: index.php?error=1");
exit;

?>

diafol

13 Years Ago

There looks to be a lot of repetition going on here:

mysql_query("SELECT * FROM user WHERE (username = '" . mysql_real_escape_string($_POST['username']) . "') and (password = '" . mysql_real_escape_string(md5($_POST['password'])) . "') and admin = ...");

You seem to be checking the same data 3 times. Why not just extract the admin value for an user and use that set a session and to relocate?

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

binaryaddict 0 Newbie Poster · Answer 1 · 2011-10-22T18:36:00+00:00

You should really get your condition-checking in order, and remove the exit-statements. That should at least solve your "empty page problem".
After that remove the repititions as suggested by ardav by only pulling the user-record once, and base your decision making on the admin-value of that record.

cwarn23 387 Occupation: Genius Team Colleague Featured Poster · Answer 2 · 2011-10-22T18:37:19+00:00

There looks to be a lot of repetition going on here:
mysql_query("SELECT * FROM user WHERE (username = '" . mysql_real_escape_string($_POST['username']) . "') and (password = '" . mysql_real_escape_string(md5($_POST['password'])) . "') and admin = ...");
You seem to be checking the same data 3 times. Why not just extract the admin value for an user and use that set a session and to relocate?

Indeed. It would be better remove admin from the sql and use $row=mysql_fetch_assoc($result); and check what $row equals but it's 10:30PM and I haven't had enough caffeine today so I'm really tired and am about to go to bed. But I shall leave the following code before I close my eyes not that I can't program with my eyes closed.

<?php session_start();
 
include('config.inc');

$result=mysql_query("SELECT * FROM user WHERE username = '" . mysql_real_escape_string($_POST['username']) . "' and password = '" . mysql_real_escape_string(md5($_POST['password'])) . "'");

$row=mysql_fetch_assoc($result);

if ($row['admin']==9) {
$_SESSION['username'] = $_POST['username'];
header("Location: main.php?admin=1"); 
    exit;
    } elseif ($row['admin']==1) {
    $_SESSION['username'] = $_POST['username'];
    header("Location: main.php");
    exit;
    } elseif ($row['admin']==0) {
    header("Location: index.php?error=3");
    exit;
    }

header("Location: index.php?error=1");
exit;

urbanthistleuk 0 Newbie Poster · Answer 3 · 2011-10-22T20:25:25+00:00

Hello,

Thank you all for your help and support on this issue it has been driving me crazy for some time, a special thanks to cwarn23, that code worked a dream and wasn't expected such a fast response and some code to put me in the right direction - I have made a few changes just so I can load some more pages to suit my needs, thanks again.

Apologies for being a pain just have one more question, on each page I have the below code so no one can go straight to page without having to log in, which is fine as it works, my problem is when an admin logs in, clicks on a link to log a task for example, when they click on the menu link to return, they are returned back to main.php not main.php?admin=1 I cannot update the hyperlink to go to main.php?admin=1 as this will take effect for everyone, now I believe I have to do something with the session on the page, can anyone put me in the right direction

Thanks in advanced

<?php

session_start();

if (!isset($_SESSION['username'])) {
        header('Location: index.php?error=2');
}

?>

Martin

diafol · Answer 4 · 2011-10-23T01:22:44+00:00

You must use a session. Passing thos type of data via url is v. Dangerous.

urbanthistleuk 0 Newbie Poster · Answer 5 · 2011-10-23T23:26:38+00:00

Thanks for your assistance, you have pointed me in the right direction, just got to get is all working now....

Martin

vaibhav1983 1 Junior Poster · Answer 6 · 2011-10-24T00:35:35+00:00

Set a session variable for the role, and check the variable for admin value wherever u need to give admin access. :)