
Here is the code of a sign-in page. I want to add role access for the student, teacher, and admin. I have a table named student in the database and a column role; see the image attached for the database.


<?php
   include("dbconfig.php");
   session_start();

   if($_SERVER["REQUEST_METHOD"] == "POST") {
      // username and password sent from form
      $name = mysqli_real_escape_string($con,$_POST['name']);
      $password = mysqli_real_escape_string($con,$_POST['password']);

      // compares the submitted password directly against the stored column value
      $sql = "SELECT user_id FROM student WHERE name = '$name' and password = '$password'";
      $result = mysqli_query($con,$sql);
      $row = mysqli_fetch_array($result,MYSQLI_ASSOC);
    //  $active = $row['active'];

      $count = mysqli_num_rows($result);

      if($count == 1) {
         //session_register("name");
         $_SESSION['login_user'] = $name;

         header("location: allstudents1.php");
         exit; // stop running the rest of the script after the redirect
      }else {
         $error = "Your Login Name or Password is invalid";
      }
   }
?>


I see two problems. 1 - you apparently are storing your passwords in plain text. Do Not Do That. Do some reading on the concept of hashing your password in the database and then do the same thing with the user's input before querying it.

 

2nd - what do you want to do? You want to add a role. Fine. But in what context? The only thing I can guess here is that you want to control who can access what pages in your site. Therefore when you check for a proper login, grab the role indicator from your table along with the username and save that as a session var also. Now for each page that requires a logged in user you will need to check for the username being set and if there is a required role for that page, check the saved role value. Personally I would write a function for this code that returns a Boolean so that you can later modify/improve this code.

Aside from fixing the problems in this code, you wouldn't add any role-based logic to this code. The purpose of this code is to authenticate who the user is; that has nothing to do with the user's role and what they can do on a web site. You should also store the user_id value in the session variable, not the mysqli string escaped name that was entered in the form.

 

You would add code to the 'protected' pages to retrieve the current user's role on each page request. And why would you do it this way? So that any change to the role value will take effect without requiring the user to log out and log back in.

Mac-giver makes a good point about when to check for the 'current' role status. My method would force a user to re-login as he said.

 

So - perhaps your 'security' function not only checks for a simple logged-in token, but then can also make a quick query for the role if the token is found to exist.
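One way to put the three replies together, as an added example that is not code from the thread: authenticate with a hashed password, keep only user_id in the session, and have a Boolean function re-read the role from the database on every protected page. It assumes dbconfig.php provides a mysqli connection in $con and that the student table has user_id, name, password (hashed) and role columns; the function names are my own.

```php
<?php
// Added example, not the original poster's code. Assumes dbconfig.php provides
// a mysqli connection $con and the student table has user_id, name, password
// (stored as a password_hash() value) and role columns.

// Login: prepared statement plus password_verify() instead of a plaintext compare.
function login_user(mysqli $con, string $name, string $password): bool
{
    $stmt = $con->prepare("SELECT user_id, password FROM student WHERE name = ?");
    $stmt->bind_param("s", $name);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    // The stored value comes from password_hash($plain, PASSWORD_DEFAULT) at signup.
    if ($row === null || !password_verify($password, $row['password'])) {
        return false;
    }
    session_regenerate_id(true);            // fresh session id once privileges change
    $_SESSION['user_id'] = (int) $row['user_id'];   // store the id, not the escaped name
    return true;
}

// Protected pages: read the user's *current* role on each request, so a change
// in the table applies immediately without logging out and back in.
function current_role(mysqli $con): ?string
{
    if (empty($_SESSION['user_id'])) {
        return null;                        // no logged-in token in the session
    }
    $stmt = $con->prepare("SELECT role FROM student WHERE user_id = ?");
    $stmt->bind_param("i", $_SESSION['user_id']);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row['role'] ?? null;
}

// Boolean check a page can call: logged in AND role is one of the allowed values.
function has_role(mysqli $con, array $allowed): bool
{
    $role = current_role($con);
    return $role !== null && in_array($role, $allowed, true);
}

// Usage at the top of a teacher/admin-only page:
// session_start(); include "dbconfig.php";
// if (!has_role($con, ['teacher', 'admin'])) { header("Location: signin.php"); exit; }
```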
