
Login based on access control - cleanup code..??


azukah


This code works, but I'm wondering if there's an easier/cleaner way. The code redirects to 2 pages based on the user_role, and if credentials are wrong it sends you back to the same login screen with a message.

 

 

<?php
if (!isset($_SESSION)) { session_start(); }
require_once('config.php');
$now = time();
// message is only present after a failed login redirect
$message = isset($_GET['message']) ? $_GET['message'] : '';
if (isset($_POST['user_email'])) {
	$user_email = $_POST['user_email'];
	$user_pw = $_POST['user_pw'];
	mysql_select_db($database, $makeconnection);

	// one query per role: 1 = admin, 6 = client
	$admin = "SELECT *
		FROM tbl_users
		WHERE user_email='$user_email'
		AND user_role='1'
		AND user_pw='$user_pw'";

	$client = "SELECT *
		FROM tbl_users
		WHERE user_email='$user_email'
		AND user_role='6'
		AND user_pw='$user_pw'";

	//check that at least one row was returned
	$adminresult = mysql_query($admin);
	$admincount = mysql_num_rows($adminresult);

	$clientresult = mysql_query($client);
	$clientcount = mysql_num_rows($clientresult);

	//if found, start session & redirect
	if ($admincount > 0) {
		$_SESSION['session_user_email'] = $user_email;
		$_SESSION['session_start'] = time();
		header("Location: index.php");
	} else if ($clientcount > 0) {
		$_SESSION['session_user_email'] = $user_email;
		$_SESSION['session_start'] = time();
		header("Location: test.php");
	} else {
		//wrong credentials redirect
		header("Location: login.php?message=loginfailed");
	}
}
?>


you can greatly simplify that with something like this:

 

<?php
session_start();
require_once('config.php');
if (isset($_POST['user_email']) && isset($_POST['user_pw'])) {
	$user_email = trim($_POST['user_email']);
	$user_pw = trim($_POST['user_pw']);
	mysql_select_db($database, $makeconnection);

	// one query for both roles; user input is still interpolated unescaped here
	$q = "select * from `tbl_users` where `user_email` = '$user_email' and `user_pw` = '$user_pw' order by `user_role`";
	$result = mysql_query($q); // execute the query
	// fetch the first matching row, if any
	while ($r = mysql_fetch_assoc($result)) {
		$_SESSION['session_user_email'] = $user_email;
		$_SESSION['session_start'] = time();
		if ($r['user_role'] == '1') {
			header("Location: index.php");
			exit();
		} else {
			header("Location: test.php");
			exit();
		}
	}
	//wrong credentials redirect
	header("Location: login.php?message=loginfailed");
}
?>

 

but you still have some security issues there, suggest you read a bit about mysql_real_escape_string().

 

On the first line, what you're saying is basically: "If a $_SESSION variable does not exist, then don't start session". Why?

In simple terms, in any page you want to use $_SESSION variables (getting or setting) you need to have session_start() at the top before any output.

Get the irony? $_SESSION never exists before you start the session.


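The security issue the reply points at is that both versions build the SQL from raw $_POST values and compare a plaintext password. As an added example (not code from either poster), here is the same role-based login with a PDO prepared statement and password_verify(), run against a constructed in-memory SQLite table. The table and column names come from the thread; the function name authenticate(), the sample accounts and the hashed user_pw column are assumptions.

```php
<?php
// Added example: role-based login with a parameterized query.
// Constructed in-memory table standing in for tbl_users (sample data only).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE tbl_users (user_email TEXT PRIMARY KEY, user_pw TEXT, user_role TEXT)');
$ins = $pdo->prepare('INSERT INTO tbl_users VALUES (?, ?, ?)');
// Assumption: user_pw holds a password_hash() value, not the plaintext.
$ins->execute(['admin@example.test',  password_hash('admin-pass', PASSWORD_DEFAULT),  '1']);
$ins->execute(['client@example.test', password_hash('client-pass', PASSWORD_DEFAULT), '6']);

// Role -> landing page, as in the thread (1 = admin, 6 = client).
const ROLE_PAGES = ['1' => 'index.php', '6' => 'test.php'];

// Returns the redirect target for valid credentials, or null on failure.
function authenticate(PDO $pdo, string $email, string $password): ?string
{
    // The placeholder keeps $email out of the SQL text entirely.
    $stmt = $pdo->prepare('SELECT user_pw, user_role FROM tbl_users WHERE user_email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Same result for unknown user, wrong password, or unmapped role.
    if ($row === false || !password_verify($password, $row['user_pw'])) {
        return null;
    }
    return ROLE_PAGES[$row['user_role']] ?? null;
}

// In login.php the result would drive the redirect:
//   $target = authenticate($pdo, $_POST['user_email'], $_POST['user_pw']);
//   if ($target !== null) {
//       session_regenerate_id(true);   // new session id after login
//       $_SESSION['session_user_email'] = $_POST['user_email'];
//       $_SESSION['session_start'] = time();
//   }
//   header('Location: ' . ($target ?? 'login.php?message=loginfailed'));
//   exit();

// Constructed inputs; the third contains a quote, which is bound as data.
$cases = [
    ['admin@example.test',  'admin-pass'],
    ['client@example.test', 'client-pass'],
    ["o'neil@example.test", 'anything'],
    ['admin@example.test',  'wrong'],
];
foreach ($cases as [$email, $pw]) {
    printf("%-22s => %s\n", $email, authenticate($pdo, $email, $pw) ?? 'login.php?message=loginfailed');
}
```

The two valid accounts resolve to index.php and test.php; the other two inputs fall through to the login-failed redirect.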