FakeTales

Hey, I am currently working on a book store for a university project, and would like to implement that only admins can access the backend of the website.

My login script currently allows all types of users to log in.

I have two MySQL tables, a user table and a userType table.

Within the user table I have the following fields: userId, username, password & userTypeId.

Within the userType table I have the following fields: userTypeId & userType.

The userTypeId is the foreign key between the two tables.

Here is the script for the admin_login.php page

<?php
session_start();
// Already logged in as an admin: go straight to the dashboard
if (isset($_SESSION["superUser"])) {
	header("location: index.php");
	exit();
}
?>
<?php
if (isset($_POST["username"]) && isset($_POST["password"])) {
	// Strip everything except letters and digits from the submitted values
	$superUser = preg_replace('#[^A-Za-z0-9]#i', '', $_POST["username"]);
	$password = preg_replace('#[^A-Za-z0-9]#i', '', md5($_POST["password"]));

	//connect to sql data
	include "../storescripts/mysql.php";
	$sql = mysql_query("SELECT userID FROM user WHERE username='$superUser' AND password='$password' LIMIT 1");

	//MAKE SURE USER EXISTS
	$existCount = mysql_num_rows($sql); //Counts the number of rows
	if ($existCount == 1) {
		while ($row = mysql_fetch_array($sql)) {
			$userID = $row["userID"];
		}
		$_SESSION["userID"] = $userID;
		$_SESSION["superUser"] = $superUser;
		$_SESSION["password"] = $password;
		header("location: index.php");
		exit();
	} else {
		echo("incorrect username or password");
		exit();
	}
}
?>


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Store Admin</title>
<link href="../styles/abcMainLogin.css" rel="stylesheet" type="text/css" />
<link href="styles/abcMain.css" rel="stylesheet" type="text/css" />
<script src="http://jqueryjs.googlecode.com/files/jquery-1.2.6.min.js" type="text/javascript"></script>  
<script src="popup.js" type="text/javascript"></script> 

</head>
       
<body>





<div id="container">
	<div id="header">
   
    <img src="../Images/logo.png" width="200" height="200" /></div>
	<div id="navigation">
		<ul>
			<li><a href="/index.php">Home</a></li>
	
		</ul>
	</div>
  <div id="content-container1">
		<div id="content-container2">
			<div id="section-navigation">
		
			</div>
			<div id="content">
	       <h2> Log in </h2>
       
           <br/>
  <form id="form1" name="form1" method="post" action="admin_login.php"> 
  <table align="center" width="50%" border="0" cellspacing="0" cellpadding="10">
  <tr>
  <td width="80%" height="40">Username: </td>
  <td width="80%"><label>
  <input name="username" type="text" id="username" size="40" maxlength="20" /></label>
 
  </td>
  </tr>
 
  <tr>
  <td height="40">Password: </td>
  <td><label><input name="password" type="password" id="password" size="20" maxlength="64"/></label>
  </td>
  </tr>
  
  <tr>
  <td height="40"></td>

  <td><input type="submit" name="button" id="button" value="LogIn"  />
  </td>
  </tr>
    </table>
      &nbsp;
    </form>
 

</div>

</div>
			</div>
			<div id="aside">
				<h3>
					
				</h3>
		
			</div>
			<div id="footer">
				Copyright © ABC Books |<a href="_admin/index.php">Admin</a>
			</div>
		</div>
	</div>
</div>

</body>
</html>

This is the code for the redirect page on successful login

<?php
session_start();
// Not logged in: send the visitor back to the login form
if (!isset($_SESSION["superUser"])) {
	header("location:admin_login.php");
	exit();
}

//be sure to check that this superUser SESSION is in the database
$superUserID = preg_replace('#[^0-9]#i', '', $_SESSION["userID"]);
$superUser = preg_replace('#[^A-Za-z0-9]#i', '', $_SESSION["superUser"]);
$password = preg_replace('#[^A-Za-z0-9]#i', '', $_SESSION["password"]);

//connect to sql data
include "../storescripts/mysql.php";
$sql = mysql_query("SELECT * FROM user WHERE userID='$superUserID' AND username='$superUser' AND password='$password' LIMIT 1");

//MAKE SURE USER EXISTS
$existCount = mysql_num_rows($sql); //Counts the number of rows
if ($existCount == 0) {
	echo "false details";
	exit();
}
?>


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Store Admin</title>
<link href="../styles/abcMainAdminIndex.css" rel="stylesheet" type="text/css" />
</head>

<body>

<div id="container">
	<div id="header">
   
    <img src="../Images/logo.png" width="200" height="200" /></div>
	<div id="navigation">
		<ul>
			<li></li>
			<li></li>
			<li></li>
			<li><a href="admin_logout.php">Logout</a></li>
            <li><a href="../index.php">Store Front</a></li>
		</ul>
	</div>
  <div id="content-container1">
		<div id="content-container2">
			<div id="section-navigation">
			
			</div>
<div id="content">
				<h2>
					Welcome <font size="4"><i><u><?php echo $superUser; ?></u></i></font> - Select an option below
				</h2>
                
                <br />
                <p><a href="book_inventory_list.php">Manage Book Inventory</a> | <a href="user.php">User</a> | <a href="author.php">Author</a> | <a href="stock.php">Stock</a></p>
                <p><a href="publisher.php"> Publisher</a> | <a href="address.php">Address </a> | <a href="supplier.php">Supplier</a> | <a href="genre.php">Genre</a> | <a href="format.php">Format </a> </p>
		
			</div>
			<div id="aside">
				<h3>
					
				</h3>
		
			</div>
			
		</div>
	</div>
  
</div>
<div id="footer">
				Copyright © ABC Books 
			</div>
</body>
</html>

I hope this helps.

To sum it up, I would like to only allow users to log in where, of course, the username & password match, but also the userTypeId is = 1.

Also, I would like to implement a function that, instead of echoing back "incorrect username or password", identifies which field was incorrect.

Thank you

Why not simply add the user type to the query when looking up the username and password?

$sql= mysql_query("SELECT userID FROM user WHERE username='$superUser'  AND password='$password' AND userTypeId = 1 LIMIT 1");
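An added example (not code from this thread or from the poster's project) showing the same userTypeId = 1 check done with a PDO prepared statement and a password_verify() comparison instead of the md5 + preg_replace approach above; the PDO DSN and credentials, the assumption that the password column holds password_hash() output, and the adminLogin() helper name are all assumptions. It keeps one generic failure message on purpose, since telling an anonymous client which field was wrong reveals which usernames exist.

```php
<?php
// Added example, not the thread's code. Assumes the user table from the
// question (userId, username, password, userTypeId) with admins = 1 and
// passwords stored as password_hash() output.
session_start();

const ADMIN_USER_TYPE_ID = 1;

// Assumed connection details; take the real ones from storescripts/mysql.php.
$pdo = new PDO('mysql:host=localhost;dbname=bookstore;charset=utf8mb4', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
]);

/**
 * Returns the admin's userId on success, or null for any failure.
 * The reason (unknown user, wrong password, non-admin account) is only
 * written to the server log, never sent back to the browser.
 */
function adminLogin(PDO $pdo, string $username, string $password): ?int
{
    $stmt = $pdo->prepare(
        'SELECT userId, password, userTypeId FROM user WHERE username = :username LIMIT 1'
    );
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a dummy hash when the user is missing so that a
    // missing account and a wrong password take about the same time.
    $hash       = $row['password'] ?? password_hash('dummy', PASSWORD_DEFAULT);
    $passwordOk = password_verify($password, $hash);

    if ($row === false || !$passwordOk || (int)$row['userTypeId'] !== ADMIN_USER_TYPE_ID) {
        error_log('admin login failed for username=' . preg_replace('/[^\w.@-]/', '', $username));
        return null;
    }

    session_regenerate_id(true);              // fresh session id after privilege change
    $_SESSION['userID']    = (int)$row['userId'];
    $_SESSION['superUser'] = $username;
    // The password is deliberately not stored in the session.
    return (int)$row['userId'];
}

if (isset($_POST['username'], $_POST['password'])) {
    if (adminLogin($pdo, $_POST['username'], $_POST['password']) !== null) {
        header('Location: index.php');
        exit();
    }
    echo 'incorrect username or password';    // same message for every failure
}
```

With this, index.php only needs to check that $_SESSION['userID'] is set and still maps to a userTypeId of 1, rather than re-comparing a password hash stored in the session.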
FakeTales

Why not simply add the user type to the query when looking up the username and password?

$sql= mysql_query("SELECT userID FROM user WHERE username='$superUser'  AND password='$password' AND userTypeId = 1 LIMIT 1");

Ahh, that works, thank you.

Great. Please mark as solved :)
