multilevel login


lfc78

Hi,

How can I create a single login form for different users?
For example: I have two users such as 'admin' and 'user', so the pages accessed by them will be different.

How should I do this? I hope someone wants to help me.
Here are my files:

CREATE TABLE `users` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `first_name` varchar(255) DEFAULT NULL,
  `last_name` varchar(255) DEFAULT NULL,
  `email` varchar(255) DEFAULT NULL,
  `username` varchar(255) DEFAULT NULL,
  `hashed_password` varchar(255) DEFAULT NULL,
  `type` enum('admin','user') NOT NULL,     
  PRIMARY KEY (`id`),
  KEY `index_username` (`username`)
);

 login_functions.php

<?php

  function log_in_users($users) {
    session_regenerate_id();
    $_SESSION['id'] = $users['id'];
    $_SESSION['last_login'] = time();
    $_SESSION['username'] = $users['username'];
    $_SESSION['first_name'] = $users['first_name'];
    $_SESSION['type'] = $users['type'];
    return true;
  }

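  function log_out_users() {
    unset($_SESSION['id']);
    unset($_SESSION['last_login']);
    unset($_SESSION['username']);
    // Also clear the remaining values set by log_in_users(), so no
    // stale user type stays in the session after logout
    unset($_SESSION['first_name']);
    unset($_SESSION['type']);
    return true;
  }

  function is_logged_in() {
    return isset($_SESSION['id']);
  }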

  function require_login() {
    if(!is_logged_in()) {
      redirect_to(url_for('login.php'));
    } else {

    }
  }

?>

query_funktion.php

<?php
function find_users_by_type($type) {
    global $db;

    $sql = "SELECT * FROM users ";
    $sql .= "WHERE type='" . db_escape($db, $type) . "' ";
    $sql .= "LIMIT 1";
    $result = mysqli_query($db, $sql);
    confirm_result_set($result);
    $users = mysqli_fetch_assoc($result); // find first
    mysqli_free_result($result);
    return $users; // returns an assoc. array
  }

  function find_users_by_username($username) {
    global $db;

    $sql = "SELECT * FROM users ";
    $sql .= "WHERE username='" . db_escape($db, $username) . "' ";
    $sql .= "LIMIT 1";
    $result = mysqli_query($db, $sql);
    confirm_result_set($result);
    $users = mysqli_fetch_assoc($result); // find first
    mysqli_free_result($result);
    return $users; // returns an assoc. array
  }

?>

Login.php

<?php
require_once('includes/initialize.php');

$errors = [];
$type = '';
$username = '';
$password = '';

if(is_post_request()) {

  // The user type is taken from the database row after authentication,
  // never from $_POST, so a client cannot choose its own role
  $username = $_POST['username'] ?? '';
  $password = $_POST['password'] ?? '';

  if(is_blank($username)) {
    $errors[] = "Username cannot be blank.";
  }
  if(is_blank($password)) {
    $errors[] = "Password cannot be blank.";
  }

  if(empty($errors)) {
    // Using one variable ensures that msg is the same
    $login_failure_msg = "Log in was unsuccessful.";

    $users = find_users_by_username($username);
    if($users) {

      if(password_verify($password, $users['hashed_password'])) {
        log_in_users($users);
        // Same login for everyone; only the landing page depends on the type
        if($users['type'] === 'admin') {
          redirect_to('admin/index.php');
        } else {
          redirect_to('index.php');
        }
      } else {
        $errors[] = $login_failure_msg;
      }

    } else {
      $errors[] = $login_failure_msg;
    }

  }

}

?>

lfc78


Make all the login and logout stuff work the same for everyone. There's really no reason why it has to be different.

When they log in you can decide where to send them next based on their user type. And individual pages will check that user type to see if the user is allowed.


As Requinix said.

Use your database record to assign "values" to a user's session once he/she is authenticated. Same login for everyone, just different responses from the logon query. Assign a token that determines if a user is logged on for all of your later scripts to check for, as well as a "status" or something to identify the level of access that the user has. Session vars would be good for this. I use a secondary table that assigns multiple values to a user (one record for each value all with the same user id). When a user logs in the process verifies the uid and password and if successful, it returns an array of all of the assigned security values. In my later processes I have an assigned value for each page/script and when the user attempts to access that page/script I compare the page's security value (all stored in another 'page table') to the user's array of codes to see if he/she has that one.

As for the code you posted.... Too many unknowns for us to diagnose.  Really.
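
The checks both replies describe, as an added example that is not part of the thread: the landing page is chosen from the stored user type after login, and every protected page re-checks the session. The function names, the `codes` session key and the permission codes are assumptions made for illustration; the sample sessions are constructed.

```php
<?php
// Added example, not code from the thread. Names below are illustrative.

// Landing page per stored user type; keys mirror the enum('admin','user') column.
const LANDING_PAGES = ['admin' => 'admin/index.php', 'user' => 'index.php'];

// Choose the post-login redirect from the authenticated DB row, never from $_POST.
function landing_page_for(array $user): string {
    return LANDING_PAGES[$user['type'] ?? ''] ?? 'index.php';
}

// Page-level check on user type: true only for a logged-in session whose
// type is in the page's allow-list (strict comparison, deny by default).
function session_has_type(array $session, array $allowed_types): bool {
    return isset($session['id'], $session['type'])
        && in_array($session['type'], $allowed_types, true);
}

// Generalisation from the second reply: each page carries one security code
// and the session holds the list of codes granted to the user at login.
function session_has_code(array $session, string $page_code): bool {
    return isset($session['id'])
        && in_array($page_code, $session['codes'] ?? [], true);
}

// Guard to call at the top of a protected script, after session_start().
function require_type(array $allowed_types): void {
    if (!session_has_type($_SESSION ?? [], $allowed_types)) {
        http_response_code(403);
        exit('Forbidden');
    }
}

// Constructed sample sessions, shaped like the ones log_in_users() builds.
$admin = ['id' => 1, 'type' => 'admin', 'codes' => ['REPORTS', 'USER_ADMIN']];
$user  = ['id' => 2, 'type' => 'user',  'codes' => ['REPORTS']];
$stale = ['type' => 'admin'];  // type left behind after logout, no id

var_dump(landing_page_for($admin));               // where an admin lands
var_dump(landing_page_for($user));                // where a user lands
var_dump(session_has_type($user, ['admin']));     // user on an admin page
var_dump(session_has_type($stale, ['admin']));    // stale type without id
var_dump(session_has_code($user, 'USER_ADMIN'));  // code not granted
var_dump(session_has_code($admin, 'USER_ADMIN')); // code granted
```

A page under `admin/` would start with `require_type(['admin']);`, so reaching it by typing the URL is refused even though the login redirect never sent the user there.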


Archived

This topic is now archived and is closed to further replies.
