Hey, I am currently working on a book store for a university project, and would like to implement that only admins can access the backend of the website.
My login script currently allows all types of users to log in.
I have two MySQL tables: a user table and a userType table.
Within the user table I have the following fields: userId, username, password & userTypeId.
Within the userType table I have the following fields: userTypeId & userType.
The userTypeId is the foreign key between the two tables.
Here is the script for the admin_login.php page:
<?php
session_start();
if (isset($_SESSION["superUser"])) {
    header("location: index.php");
    exit();
}
?>
<?php
if (isset($_POST["username"]) && isset($_POST["password"])) {
    $superUser = preg_replace('#[^A-Za-z0-9]#i', '', $_POST["username"]);
    $password = preg_replace('#[^A-Za-z0-9]#i', '', md5($_POST["password"]));
    //connect to sql data
    include "../storescripts/mysql.php";
    $sql = mysql_query("SELECT userID FROM user WHERE username='$superUser' AND password='$password' LIMIT 1");
    //MAKE SURE USER EXISTS
    $existCount = mysql_num_rows($sql); //Counts the number of rows
    if ($existCount == 1) {
        while ($row = mysql_fetch_array($sql)) {
            $userID = $row["userID"];
        }
        $_SESSION["userID"] = $userID;
        $_SESSION["superUser"] = $superUser;
        $_SESSION["password"] = $password;
        header("location: index.php");
        exit();
    } else {
        echo("incorrect username or password");
        exit();
    }
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Store Admin</title>
<link href="../styles/abcMainLogin.css" rel="stylesheet" type="text/css" />
<link href="styles/abcMain.css" rel="stylesheet" type="text/css" />
<script src="http://jqueryjs.googlecode.com/files/jquery-1.2.6.min.js" type="text/javascript"></script>
<script src="popup.js" type="text/javascript"></script>
</head>
<body>
<div id="container">
<div id="header">
<img src="../Images/logo.png" width="200" height="200" /></div>
<div id="navigation">
<ul>
<li><a href="/index.php">Home</a></li>
</ul>
</div>
<div id="content-container1">
<div id="content-container2">
<div id="section-navigation">
</div>
<div id="content">
<h2> Log in </h2>
<br/>
<form id="form1" name="form1" method="post" action="admin_login.php">
<table align=center width="50%" border="0" cellspacing="0" cellpadding="10">
<tr>
<td width="80%" height="40">Username: </td>
<td width="80%"><label>
<input name="username" type="text" id="username" size="20" maxlength="40" /></label>
</td>
</tr>
<tr>
<td height="40">Password: </td>
<td><label><input name="password" type="password" id="password" size="20" maxlength="64"/></label>
</td>
</tr>
<tr>
<td height="40"></td>
<td><input type="submit" name="button" id="button" value="LogIn" />
</td>
</tr>
</table>
</form>
</div>
</div>
</div>
<div id="aside">
<h3>
</h3>
</div>
<div id="footer">
Copyright © ABC Books |<a href="_admin/index.php">Admin</a>
</div>
</div>
</div>
</div>
</body>
</html>
This is the code for the redirect page on successful login:
<?php
session_start();
if (!isset($_SESSION["superUser"])) {
    header("location:admin_login.php");
    exit();
}
//be sure to check that this superUser SESSION is in the database
$superUserID = preg_replace('#[^0-9]#i', '', $_SESSION["userID"]);
$superUser = preg_replace('#[^A-Za-z0-9]#i', '', $_SESSION["superUser"]);
$password = preg_replace('#[^A-Za-z0-9]#i', '', $_SESSION["password"]);
//connect to sql data
include "../storescripts/mysql.php";
$sql = mysql_query("SELECT * FROM user WHERE userID='$superUserID' AND username='$superUser' AND password='$password' LIMIT 1");
//MAKE SURE USER EXISTS
$existCount = mysql_num_rows($sql); //Counts the number of rows
if ($existCount == 0) {
    echo "false details";
    exit();
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Store Admin</title>
<link href="../styles/abcMainAdminIndex.css" rel="stylesheet" type="text/css" />
</head>
<body>
<div id="container">
<div id="header">
<img src="../Images/logo.png" width="200" height="200" /></div>
<div id="navigation">
<ul>
<li></li>
<li></li>
<li></li>
<li><a href="admin_logout.php">Logout</a></li>
<li><a href="../index.php">Store Front</a></li>
</ul>
</div>
<div id="content-container1">
<div id="content-container2">
<div id="section-navigation">
</div>
<div id="content">
<h2>
Welcome <font size="4"><i><u><?php echo $superUser; ?></u></i></font> - Select an option below
</h2>
<br />
<p><a href="book_inventory_list.php">Manage Book Inventory</a> | <a href="user.php">User</a> | <a href="author.php">Author</a> | <a href="stock.php">Stock</a></p>
<p><a href="publisher.php"> Publisher</a> | <a href="address.php">Address </a> | <a href="supplier.php">Supplier</a> | <a href="genre.php">Genre</a> | <a href="format.php">Format </a> </p>
</div>
<div id="aside">
<h3>
</h3>
</div>
</div>
</div>
</div>
<div id="footer">
Copyright © ABC Books
</div>
</body>
</html>
I hope this helps.
To sum it up, I would like to only allow users to log in where, of course, the username & password match, but also the userTypeId is 1.
Also, I would like to implement a function that, instead of echoing back "incorrect username or password", identifies which field was incorrect.
Thank you
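The admin-only check the question asks for, as an added example that is not part of the original post: it joins the user and userType tables from the question, accepts the login only when the password verifies and userTypeId is 1, and gives the same generic message whether the username, the password or the user type was the problem (a separate message per field tells an anonymous visitor which usernames exist, so the per-field detail goes to the server log instead). It assumes passwords are stored with password_hash() rather than md5(), and the DSN, database credentials and function names (authenticateAdmin, requireAdminSession) are this example's own; ADMIN_USER_TYPE_ID = 1 is taken from the question.

```php
<?php
declare(strict_types=1);

const ADMIN_USER_TYPE_ID = 1; // userTypeId for admins, as stated in the question

/**
 * Look up $username and verify $password. Returns the joined user/userType row
 * only for a valid admin, otherwise null. Unknown user, wrong password and
 * non-admin user all return the same null so the caller's message stays generic.
 */
function authenticateAdmin(PDO $pdo, string $username, string $password): ?array
{
    // Prepared statement: the username is bound, never interpolated into SQL.
    $stmt = $pdo->prepare(
        'SELECT u.userId, u.username, u.password, u.userTypeId, t.userType
           FROM user u
           JOIN userType t ON t.userTypeId = u.userTypeId
          WHERE u.username = :username
          LIMIT 1'
    );
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Always run password_verify, against a throwaway hash when the user does
    // not exist, so the response time does not reveal whether the username is known.
    $hash = ($row !== false)
        ? (string) $row['password']
        : password_hash('placeholder-not-a-real-password', PASSWORD_DEFAULT);
    $passwordOk = password_verify($password, $hash);

    if ($row === false || !$passwordOk) {
        return null;
    }
    if ((int) $row['userTypeId'] !== ADMIN_USER_TYPE_ID) {
        // Valid credentials, but not an admin: still no backend access.
        return null;
    }
    return $row;
}

/**
 * For pages behind the login (the index.php in the question): re-check the
 * session user's type in the database instead of trusting session data alone.
 * Returns the username to display, or redirects to the login page.
 */
function requireAdminSession(PDO $pdo): string
{
    if (!isset($_SESSION['adminUserId'])) {
        header('Location: admin_login.php');
        exit();
    }
    $stmt = $pdo->prepare('SELECT username FROM user WHERE userId = :id AND userTypeId = :type LIMIT 1');
    $stmt->execute([':id' => (int) $_SESSION['adminUserId'], ':type' => ADMIN_USER_TYPE_ID]);
    $username = $stmt->fetchColumn();
    if ($username === false) {
        session_destroy();
        header('Location: admin_login.php');
        exit();
    }
    return (string) $username;
}

session_start();
if (isset($_SESSION['adminUserId'])) {
    header('Location: index.php');
    exit();
}

if (isset($_POST['username'], $_POST['password'])) {
    // Hypothetical DSN and credentials; the project's own mysql.php include would go here.
    $pdo = new PDO('mysql:host=localhost;dbname=bookstore;charset=utf8mb4', 'dbuser', 'dbpass', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false,
    ]);

    $username = (string) $_POST['username'];
    $admin = authenticateAdmin($pdo, $username, (string) $_POST['password']);

    // Server-side log keeps the detail an operator wants; the browser sees one message.
    error_log(sprintf('admin login %s username=%s ip=%s',
        $admin === null ? 'FAILED' : 'OK', $username, $_SERVER['REMOTE_ADDR'] ?? 'cli'));

    if ($admin === null) {
        echo 'Incorrect username or password';
        exit();
    }

    session_regenerate_id(true);              // fresh session id once privileges change
    $_SESSION['adminUserId'] = (int) $admin['userId'];
    $_SESSION['adminUsername'] = $admin['username'];
    // The password (or its hash) is deliberately not stored in the session.
    header('Location: index.php');
    exit();
}
```

In index.php the whole block from the question's "be sure to check" comment down to the "false details" exit reduces to `$superUser = requireAdminSession($pdo);`, which both enforces the userTypeId check on every admin page and supplies the name the page echoes. Should the existing rows hold md5 hashes, each admin password has to be reset once through password_hash() before password_verify() can accept it.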