AdeelZaighum Posted February 1, 2017

Here is the code of my sign-in page. I want to add role access for the student, teacher, and admin. I have a table named student in the database and a column role; see the image attached for the database.

```php
<?php
include("dbconfig.php");
session_start();

if($_SERVER["REQUEST_METHOD"] == "POST") {
    // username and password sent from form
    $name = mysqli_real_escape_string($con,$_POST['name']);
    $password = mysqli_real_escape_string($con,$_POST['password']);

    // looks the user up by name and by the password exactly as stored in the table
    $sql = "SELECT user_id FROM student WHERE name = '$name' and password = '$password'";
    $result = mysqli_query($con,$sql);
    $row = mysqli_fetch_array($result,MYSQLI_ASSOC);
    // $active = $row['active'];
    $count = mysqli_num_rows($result);

    if($count == 1) {
        //session_register("name");
        $_SESSION['login_user'] = $name;
        header("location: allstudents1.php");
        exit; // stop the script after sending the redirect
    } else {
        $error = "Your Login Name or Password is invalid";
    }
}
?>
```
ginerjm Posted February 1, 2017

I see two problems. 1 - you apparently are storing your passwords in plain text. Do Not Do That. Do some reading on the concept of hashing your password in the database and then do the same thing with the user's input before querying it. 2nd - what do you want to do? You want to add a role. Fine. But in what context? The only thing I can guess here is that you want to control who can access what pages in your site. Therefore when you check for a proper login, grab the role indicator from your table along with the username and save that as a session var also. Now for each page that requires a logged in user you will need to check for the username being set and if there is a required role for that page, check the saved role value. Personally I would write a function for this code that returns a Boolean so that you can later modify/improve this code.
mac_gyver Posted February 1, 2017

aside from fixing the problems in this code, you wouldn't add any role based logic to this code. the purpose of this code is to authenticate who the user is, that has nothing to do with the user's role and what they can do on a web site. you should also store the user_id value in the session variable, not the mysqli string escaped name that was entered in the form. you would add code to the 'protected' pages to retrieve the current user's role on each page request. and why would you do it this way? so that any change to the role value will take effect without requiring the user to log out and log back in.
ginerjm Posted February 1, 2017

mac_gyver makes a good point about when to check for the 'current' role status. My method would force a user to re-login as he said. So - perhaps your 'security' function not only checks for a simple logged-in token, but then can also make a quick query for the role if the token is found to exist.
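Putting the two replies together (hash the password, keep only the user_id in the session, re-read the role on every request, and wrap the check in a function that returns a boolean), here is an added example that is not code from anyone in this thread. It assumes a PDO connection in $pdo, the student table with user_id, name, password and role columns, that password holds a password_hash() value rather than plain text, and a placeholder sign-in page name signin.php.

```php
<?php
// Added example, not from the thread. Assumes a PDO connection in $pdo and a
// student table with columns user_id, name, password (a password_hash() value)
// and role. The role is re-read on every request, so a change applies at once.

session_start();

// Authenticate only: on success remember the user_id, never the typed name.
function login(PDO $pdo, string $name, string $password): bool
{
    $stmt = $pdo->prepare('SELECT user_id, password FROM student WHERE name = ?');
    $stmt->execute([$name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // password_verify() checks the input against the stored hash
    if ($row === false || !password_verify($password, $row['password'])) {
        return false;
    }
    session_regenerate_id(true);           // fresh session id after login
    $_SESSION['user_id'] = (int) $row['user_id'];
    return true;
}

// True when someone is logged in and, if $required is given, holds that role.
function has_access(PDO $pdo, ?string $required = null): bool
{
    if (empty($_SESSION['user_id'])) {
        return false;
    }
    $stmt = $pdo->prepare('SELECT role FROM student WHERE user_id = ?');
    $stmt->execute([$_SESSION['user_id']]);
    $role = $stmt->fetchColumn();
    if ($role === false) {
        return false;                      // account no longer exists
    }
    return $required === null || $role === $required;
}

// Put this at the top of each protected page; 'signin.php' is a placeholder.
function require_role(PDO $pdo, string $required): void
{
    if (!has_access($pdo, $required)) {
        header('Location: signin.php');
        exit;
    }
}

// e.g. on an admin-only page: require_role($pdo, 'admin');
```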