
trying a simple login form with complicated results


jacko_162


I have a login page on which I want to check if the user details (username, password and activation) are valid, then redirect the user depending on his/her "accessLevel" (admin, member and none).

 

Admin will be directed to "index.php"

Member will be directed to "tasks.php"

and none will be redirected to "notActive.php"

 

Here is my current code, which half works:

<?php
include ('connect.php');
if(isset($_POST['submit'])) {
    // Initialize a session:
    session_start();

    // Define $username and $password
    $username=$_POST['username'];
    $password=$_POST['password'];

    // To protect MySQL injection
    $username = stripslashes($username);
    $password = stripslashes($password);
    $username = mysql_real_escape_string($username);
    $password = mysql_real_escape_string($password);
    $sql="SELECT * FROM ecmt_members WHERE username='$username' and password='$password' AND Activation IS NULL";
    $result=mysql_query($sql);

    // Mysql_num_row is counting table row
    $count=mysql_num_rows($result);

    // If result matched $username and $password, table row must be 1 row
    if($count==1){

        // Register $username, $password and redirect to file "index.php"
        $role = mysql_fetch_array($result);
        $_SESSION['username']= $username;
        $_SESSION['password']= $password;
        //$_SESSION['role']= $role['accessLevel'];

        if($role['accessLevel'] == "admin"){
            $_SESSION['adminuser']=$role['accessLevel'];
            header("location:index.php");
            exit();
        }
        elseif($role['accessLevel'] == "member"){
            $_SESSION['user']=$role['accessLevel'];
            header("location:tasks.php");
            exit();
        }
        else {
            echo "Error: Username, Password or Access Level incorrect! Go Home, you're Drunk!!!";
        }

    }
} // End of the main Submit conditional.
?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Login Form</title>

<!-- jQUERY -->
<script src="//code.jquery.com/jquery-latest.js"></script>
<!-- Add Main CSS -->
<link rel="stylesheet" type="text/css" href="../tool/css/main.css">
<!-- Font-Awesome -->
<link href="//maxcdn.bootstrapcdn.com/font-awesome/4.2.0/css/font-awesome.min.css" rel="stylesheet">
	<style>
		body { 
			background: url(../tool/images/bg1.jpg) no-repeat center center fixed; 
			-webkit-background-size: cover;
			-moz-background-size: cover;
			-o-background-size: cover;
			background-size: cover;
		}
.exactCenter { width:auto; height:auto; position: fixed; top: 50%; left: 50%; margin-top: -200px; ; }

	</style>
</head>
<body>
<div class="exactCenter">
<div id="login-container">
<img src="../tool/images/bigLogo.png" /><br />

<form action="login.php" method="post" class="form">
  <fieldset class="group">
      <input class="input" type="text" id="username" name="username" size="25" placeholder="username"/>
<img src="../tool/images/spacer.png" width="5" height="5" />
      <input class="input" type="password" id="password" name="password" size="25" placeholder="password"/>
<img src="../tool/images/spacer.png" width="5" height="5" />
     </fieldset>    
      <input type="hidden" name="formsubmitted" value="TRUE" />
      <button type="submit" name="submit" class="btn btn-blue" ><i class="fa fa-unlock-alt"></i> Login</button>
<img src="../tool/images/spacer.png" width="5" height="5" />   
<a href="Register.php"><button type="button" class="btn btn-green" ><i class="fa fa-hand-o-up"></i> Register</button></a>
</form>

</div></div>
</body>
</html>

When I test it with admin login credentials I get the page refresh again without error, when I log in with member credentials it shows tasks.php, and when I try to log in with an unactivated account ("activation column is not NULL") I get a page refresh, also with no error.

 

Can someone help me make it work for each role and perhaps have some sort of error reporting depending on the error?

 

I'm pulling my hair out here and this is the first time I have worked with login conditions, and I'm VERY confused.

Link to comment


 

For one, never store any type of password in a session:

$_SESSION['password']= $password;

 

I usually use a 1-9 number system for user roles: 9 is admin, 1 is a user, and the levels in between can specify any other abilities.

Anyone not logged in is considered a guest.

 

I think you are complicating things more than needed; creating the following 3 sessions should be fine:

$_SESSION['user_name']

$_SESSION['user_level']

$_SESSION['user_logged']

$_SESSION['user_name'] = $role['username'];

if($role['accessLevel'] == "admin") {
    $_SESSION['user_level'] = "admin";
    $_SESSION['user_logged'] = true;
    header('Location: index.php');
    exit();
} elseif($role['accessLevel'] == "member") {
    $_SESSION['user_level'] = "member";
    $_SESSION['user_logged'] = true;
    header('Location: tasks.php');
    exit();
} else {
    $_SESSION['user_level'] = "none";
    $_SESSION['user_logged'] = false;
    header('Location: notActive.php');
    exit();
}

I would also place session_start(); at the top.

You can check if a user is already logged in or not and redirect them elsewhere:

session_start();
if(isset($_SESSION['user_logged']) && $_SESSION['user_logged'] == true){
    header('Location: index.php');
    exit();
}

You can look here at a post I did the other day for a registration form that includes showing some errors.

http://forums.phpfreaks.com/topic/292078-why-wont-this-go-to-mysql-form/?do=findComment&comment=1494882

Link to comment

If this is a login, shouldn't you not include "AND Activation IS NULL" at the end of your query?

 

Instead, you can make a check in the session creation.

 

Change this according to your logic:

if($role['activation'] != NULL){
    $_SESSION['user_logged'] = true;
}
Link to comment
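
The points raised in the replies above (keep the password out of the session, pick the redirect from accessLevel, check activation in code rather than in the WHERE clause), combined into one login check. This is an added example, not code from any poster in the thread: it swaps the deprecated mysql_* calls for PDO with a bound parameter and assumes the password column holds password_hash() output; the function name check_login and the SQLite sample rows are constructed for illustration.

```php
<?php
// Assumption: ecmt_members.password holds password_hash() output.
function check_login(PDO $db, string $username, string $password): array
{
    // Bound parameter instead of escaping and interpolating user input.
    $stmt = $db->prepare(
        'SELECT username, password, Activation, accessLevel
           FROM ecmt_members WHERE username = ?'
    );
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || !password_verify($password, $row['password'])) {
        return ['error' => 'Username or password incorrect', 'redirect' => null, 'session' => []];
    }
    // As in the original query, Activation IS NULL means the account is active.
    $targets = ['admin' => 'index.php', 'member' => 'tasks.php'];
    $level = (string) $row['accessLevel'];
    if ($row['Activation'] !== null || !isset($targets[$level])) {
        return ['error' => null, 'redirect' => 'notActive.php', 'session' => []];
    }
    // Only identity and role go into the session, never the password.
    return [
        'error'    => null,
        'redirect' => $targets[$level],
        'session'  => [
            'user_name'   => $row['username'],
            'user_level'  => $level,
            'user_logged' => true,
        ],
    ];
}

// Constructed sample rows in an in-memory SQLite database (needs pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE ecmt_members (username TEXT, password TEXT, Activation TEXT, accessLevel TEXT)');
$ins = $db->prepare('INSERT INTO ecmt_members VALUES (?, ?, ?, ?)');
$ins->execute(['alice', password_hash('admin-pass', PASSWORD_DEFAULT), null, 'admin']);
$ins->execute(['bob', password_hash('member-pass', PASSWORD_DEFAULT), null, 'member']);
$ins->execute(['carol', password_hash('new-pass', PASSWORD_DEFAULT), 'pending-token', 'member']);

$attempts = [['alice', 'admin-pass'], ['bob', 'member-pass'], ['carol', 'new-pass'], ['bob', 'wrong']];
foreach ($attempts as [$u, $p]) {
    $r = check_login($db, $u, $p);
    echo $u, ' -> ', $r['redirect'] ?? $r['error'], PHP_EOL;
}
```

In the page handler, call session_start() and session_regenerate_id(true) before copying the returned session array into $_SESSION, then send the Location header and exit().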

Archived

This topic is now archived and is closed to further replies.
