tim108 Posted February 22, 2010

I have an issue regarding a login section of a website. When a user is registered they are given a user_permission; this is defaulted to 0 for a general user or 1 for an admin. The issue I am having is that when the user logs in I want the code to check what that user permission is, and if it's 0 redirect the user to the user page, and if it's 1 redirect the user to the admin page. At the moment whoever logs in is directed towards the user page. Any help would be greatly appreciated!

```php
$query = "SELECT * FROM ecc_users WHERE user_email='$user_email' and user_password='$user_password'";
$permis = "SELECT user_permissions FROM ecc_users";
$result = mysql_query($query, $db);
$result2 = mysql_query($permis, $db);

if(mysql_num_rows($result)) {
    $user_permissions = 0;
    $_SESSION['loggedin'] = 1;
    header('Location:userpage.php');
    exit();
} elseif($result2){
    $user_permissions = 1;
    echo "<script>window.location='admin.php'</script>";
    die();
} else {
    header('Location:login.php?error=1');
    exit();
}
```

This is the code I have for this particular section. I have worked out that there is something within the if statements that must be wrong?

ialsoagree Posted February 22, 2010

It doesn't appear that you've entirely worked out the logic of how to complete this task. Let me explain what your code is doing and see if you can fix it from there.

A user (let's say the admin) puts in their e-mail and password (please let me know if this is not the case) and attempts to log in. Let's assume their user information is correct:

```php
$query = "SELECT * FROM ecc_users WHERE user_email='$user_email' and user_password='$user_password'";
```

This creates the query that will find the user's record.

```php
$permis = "SELECT user_permissions FROM ecc_users";
```

This creates a query that will get EVERY user_permissions value in ecc_users (it doesn't care who's logging in, or whether their email/password is right).

```php
$result = mysql_query($query, $db);
```

This will return a result for anyone who has put in a correct email and password.

```php
$result2 = mysql_query($permis, $db);
```

This will either return no results (if there are no records in the ecc_users table) or it will return ALL RECORDS from the ecc_users table.

```php
if(mysql_num_rows($result)) {
```

This if statement is ALWAYS TRUE FOR A CORRECT LOGIN. The code following it will ALWAYS EXECUTE if someone puts in a correct email/password.

```php
elseif($result2){
```

This elseif statement is ALWAYS TRUE WHEN A RECORD IN ecc_users EXISTS. The code following it will ALWAYS EXECUTE if ecc_users has at least 1 record. (Note, I might be wrong about $result2; $result2 might only be false if there's an SQL error, in which case, unless there is an SQL error, the elseif will ALWAYS be true, even if there are no records in ecc_users.)

I would suggest changing the order of your if checks. Also, since user_permissions is a row in the table ecc_users, and your first query (the query saved in $query) gets ALL rows from ecc_users, there's no need for a 2nd query. You've already gotten user_permissions when you got all rows in ecc_users.

Your first check should be if the user logged in correctly. You've accomplished this with `if (mysql_num_rows($result))` (although I would change it to `mysql_num_rows($result) > 0` but that's just me). The code executed after this if should be for users who did not log in correctly. I believe that would make it:

```php
header('Location:login.php?error=1');
exit();
```

The 2nd part should check if their user permission is 1. To do this, you need to fetch your result after the first if statement. Your code should look something like...

```php
if(mysql_num_rows($result)) {
    header('Location:login.php?error=1');
    exit();
}

$user_info = mysql_fetch_assoc($result);

if ($user_info['user_permissions'] === 1) {
    $_SESSION['loggedin'] = 1;
    echo "<script>window.location='admin.php'</script>";
    die();
} else {
    $_SESSION['loggedin'] = 1;
    echo "<script>window.location='admin.php'</script>";
    die();
}
```

I hope it's apparent to you that setting $user_permissions is pointless since you're immediately leaving the script anyway (and thus, the $user_permission variable never gets used before it's gone).

You're also not storing who has logged in (only that they have in fact logged in). You should use your $_SESSION array to store relevant login information such as who has logged in and what their permission is.

tim108 Posted February 22, 2010 (Author)

I understand what you were saying, yes. However, on that bit you changed, having this statement below is saying that if the email and username are correct then take it to the error page:

```php
if(mysql_num_rows($result)) {
    header('Location:login.php?error=1');
    exit();
}
```

I have edited it slightly but it is now only doing the last section:

```php
$query = "SELECT * FROM ecc_users WHERE user_email='$user_email' and user_password='$user_password'";
$result = mysql_query($query, $db);

if(mysql_num_rows($result)) {
    $_SESSION['loggedin'] = 1;
} else {
    header('Location:login.php?error=1');
    exit();
}

$user_info = mysql_fetch_assoc($result);

if ($user_info['user_permissions'] === 1) {
    $_SESSION['loggedin'] = 1;
    echo "<script>window.location='admin.php'</script>";
    die();
} else {
    $_SESSION['loggedin'] = 1;
    echo "<script>window.location='userpage.php'</script>";
    die();
}
```

To me that looks like in theory it would work?

tim108 Posted February 22, 2010 (Author)

```php
$query = "SELECT * FROM ecc_users WHERE user_email='$user_email' and user_password='$user_password'";
$result = mysql_query($query, $db);

if(mysql_num_rows($result)) {
    $_SESSION['loggedin'] = 1;
} else {
    header('Location:login.php?error=1');
    exit();
}

$user_info = mysql_fetch_assoc($result);

if ($user_info['user_permissions'] === 1) {
    $_SESSION['loggedin'] = 1;
    echo "<script>window.location='admin.php'</script>";
    die();
} else {
    $_SESSION['loggedin'] = 1;
    echo "<script>window.location='userpage.php'</script>";
    die();
}
```

Sorry, forgot to display the code as code.

ialsoagree Posted February 22, 2010

Yes, I screwed up my logic too! It should have been <= 0 or it should have been !(mysql_num_rows(etc.... In any event, it looks like you're on track now.

Just to reiterate my warning though, you're NOT saving the user's permission or login info. There's nothing to stop a logged-in user from just going to the admin page after they get directed to the user page. You should use your session variable to save the user's permissions, login name, or something to help identify them (and not just that they're logged in) and recheck their permissions on subsequent pages.
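
The advice in the last reply, as an added example that is not part of the thread: the login step stores who logged in and their permission in the session, and the admin page re-checks that permission before showing anything. The table and column names follow the thread; the function names, the in-memory SQLite table and its rows are constructed, and it assumes passwords stored with `password_hash()` and an e-mail bound as a query parameter.

```php
<?php
// Added example, not code from the thread. Function names and sample rows are
// constructed; assumes passwords were stored with password_hash().

// Decide where a login attempt lands and record identity and role in the session.
function login(PDO $db, array &$session, string $email, string $password): string
{
    // The e-mail is bound as a parameter, not interpolated into the SQL string.
    $stmt = $db->prepare('SELECT user_email, user_password, user_permissions
                          FROM ecc_users WHERE user_email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Unknown user or wrong password: same error page either way.
    if ($row === false || !password_verify($password, $row['user_password'])) {
        return 'login.php?error=1';
    }

    // Drivers may return column values as strings, so cast before a strict compare.
    $session['loggedin'] = 1;
    $session['user_email'] = $row['user_email'];
    $session['user_permissions'] = (int) $row['user_permissions'];

    return $session['user_permissions'] === 1 ? 'admin.php' : 'userpage.php';
}

// Guard for the top of admin.php: re-check the permission saved at login.
function may_view_admin(array $session): bool
{
    return ($session['loggedin'] ?? 0) === 1
        && ($session['user_permissions'] ?? 0) === 1;
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE ecc_users (user_email TEXT, user_password TEXT, user_permissions INTEGER)');
$ins = $db->prepare('INSERT INTO ecc_users VALUES (?, ?, ?)');
$ins->execute(['admin@example.test', password_hash('admin-pw', PASSWORD_DEFAULT), 1]);
$ins->execute(['user@example.test', password_hash('user-pw', PASSWORD_DEFAULT), 0]);

foreach ([['admin@example.test', 'admin-pw'], ['user@example.test', 'user-pw'],
          ['user@example.test', 'wrong']] as [$email, $pw]) {
    $session = [];   // stands in for $_SESSION
    $target = login($db, $session, $email, $pw);
    printf("%s -> %s, admin page allowed: %s\n", $email, $target,
           may_view_admin($session) ? 'yes' : 'no');
}
```

In the real pages `$_SESSION` is passed in place of `$session`, and admin.php redirects to login.php whenever `may_view_admin()` returns false.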