Search Username & Password and the verify status

[bordetaning]

Hi, I have a question is this situation possible below?

sample database table Information

ID, Username,Password,level
1       user1        Pass1     1
2       user2        Pass2     2

I want a php code i which when I login my username and password it will check 3 fields in the table, the username and password if it matches from the database and the it will check what level is the user. So if ever username and password is correct it will check if what level is the user, so if the users level is 1 it will go to level1.php page and if 2 it will go to level2.php

Hope you can help me with this problem of mine.

[scootstah]

Of course it's possible. Have you written any code? Are you stuck somewhere in particular?

[bordetaning]

Hi Guru Sir,

 

Here is my sample code below, what else do i need to add in order to check the "level" field and proceed? Many thanks.

 

 

<?php




session_start();


if(isset($_POST['log2'])){


if(!empty($_POST['use']) && !empty($_POST['pass'])){
include 'dbconfig.php';
$msg="";
$use=$_POST['use'];
$pws=$_POST['pass'];






$query="select * from admin where username='".$use."' and password=md5('".$pws."')";


$result=mysql_query($query) or die();




if(mysql_num_rows($result)==1)
{


$rs=mysql_fetch_array($result);
$_SESSION['user']=$rs["Fname"];


$use=$_SESSION['user'];
$dif=$rs["date_login"];


$query="update admin set date_login='".$time."',last_date='".$dif."' where Fname='".$use."'";


mysql_query($query) or die("ASDFSDF".mysql_error());








$host  = $_SERVER['HTTP_HOST'];
$uri   = rtrim(dirname($_SERVER['PHP_SELF']), '/\\');
$extra = 'Levelpage.php'; 




?>


<script type="text/javascript" >
window.location="<?php echo "http://$host$uri/$extra";?>";
</script>

[scootstah]

Please wrap your code in code tags.

 

You're querying your database table and returning other columns, so why are you unable to get the level column?

 

Your code is full of bad things. I'm guessing you're looking at some 12 year old PHP tutorial or something?

 

1. You are vulnerable to SQL injection. Best course of action: stop using the mysql_* API and either use mysqli_* or PDO. Example:

// create new PDO connection
$pdo = new PDO('mysql:dbname=yourdbname;host=localhost', 'user', 'password');

// prepare a query
$stmt = $pdo->prepare("select * from admin where username=:username and password=md5(:password)");
// bind parameter values
$stmt->bindValue(':username', $use);
$stmt->bindValue(':password', $pws);
// execute query
$stmt->execute();
// get results
$result = $stmt->fetch(PDO::FETCH_ASSOC); // associative array of query results

If you insist on using deprecated libraries, then you must at least escape your data before you use it in a query to prevent SQL injection.

$use = mysql_real_escape_strings($_POST['use']);
$pws = mysql_real_escape_strings($_POST['pass']);

2. Do not store passwords with MD5! MD5 has been broken for many many years. That, coupled with the fact that you're not salting the passwords, you might as well just store them plaintext and skip the function call.

 

MD5 was never meant for storing passwords, and it is not good at it. You want a slow, adaptive hashing algorithm such as bcrypt. PHP >= 5.5 has a new password_hash() function that creates secure password hashes. I recommend that you use this. If you cannot use PHP 5.5, then use ircmaxell's backwards compatibility library.

 

3. You are making a very unsafe redirect link using $_SERVER['HTTP_HOST'] and $_SERVER['PHP_SELF']. The client can manipulate these values. You can just use relative paths instead. If you must use an absolute path, then you need to either set your base URL as a constant, or sanitize the input.

 

4. You're using an undefined variable $time in your query on line 30. This tells me that you probably have NOTICE level errors turned off (or you just ignored them). I would recommend always developing with max error reporting (use error_reporting -1) to avoid code smell.

Edited February 4, 2015 by scootstah

[bordetaning]

Hi Sir Guru,

 

Thanks for clarifying a lot of things i'm just new to this and you're right I've encountered a lot of errors I was forced to develop this project for our capstone subject.

 

So for the column the column level, how do would you create a query to check for the level # and proceed with the corresponding level # page? because my lo-gin page has only the username and password field?

 

Hope to hear from you.

 

Thanks a lot.

[scootstah]

You are selecting all of the columns from your database on this line:

$rs=mysql_fetch_array($result);

So, $rs is an array containing all of the columns for the selected row. So, you would access the level column just like you have accessed the Fname column here:

$_SESSION['user']=$rs["Fname"];

From there, you can use a conditional to decide which page to use here:

$extra = 'Levelpage.php'; 

Edited February 5, 2015 by scootstah

[bordetaning]

Hi Sir Guru,

 

I do apologize I still don't get it.

 

what do you mean conditional?

so we are able to check the user level by "$rs=mysql_fetch_array($result);" , what would be the condition to use if the system has already check the the level,

 

like

 

if $rs["level"]=1;

{

$extra = 'Level1.php';

}

else if $rs["level"]=2;

{

$extra = 'Level2.php';

}

 

Please help in right flow for this to work.

Sorry again for being slow about this.

 

Many thanks

[scootstah]

You're already using conditionals in your code above, it's no different here. Did you even write that code??

 

http://php.net/manual/en/control-structures.if.php

[bordetaning]

Thanks a lot for the assistance. Appreciate it,