<!DOCTYPE html>
<html>
<head>
	<style type="text/css" media="screen">
		.ss
		{
			border-width: 1px;
			border-style: solid;
			width: 100px;
			height: 100px;
		}
	</style>
	<meta charset="utf-8">
	<meta http-equiv="X-UA-Compatible" content="IE=edge">
	<title></title>
	<link rel="stylesheet" href="">
</head>
<body>
	<form action="index.php" method="post">

	<table align="center" class="ss">
		<tr>
			<td>Name<input type="text" name="name"></td>
		</tr>
		<tr>
			<td>Pass&nbsp;:<input type="password" name="pass"></td>
		</tr>
		<tr>
			<td>Email<input type="text" name="eml"></td>
		</tr>
		<tr>
			<td><input type="submit" name="sb"></td>
		</tr>
	</table>

	</form>

</body>
</html>
<?php
include "db.php";   // provides $con (mysqli connection)
session_start();

// NOTE: this block runs after the HTML above has already been sent, so the header()
// redirects below cannot take effect from here (see the replies).
if (isset($_POST['sb']))
{
	// The email field is read into $name; the form's "name" field is not used.
	$name = mysqli_real_escape_string($con, $_POST['eml']);
	$pass = mysqli_real_escape_string($con, $_POST['pass']);

	$type = 'admin';
	$std  = 'std';
	$usr  = 'user';

	// One query per account type, comparing the plain-text password
	$qer  = "select * from users where eml='$name' AND pass='$pass' AND type='$type'";
	$sql  = mysqli_query($con, $qer);

	$qer  = "select * from users where eml='$name' AND pass='$pass' AND type='$std'";
	$sql1 = mysqli_query($con, $qer);

	$qer  = "select * from users where eml='$name' AND pass='$pass' AND type='$usr'";
	$sql3 = mysqli_query($con, $qer);

	if ($fe = mysqli_fetch_array($sql))
	{
		// Admin of this site
		header("location:wel.php?msg=Successful login");
		exit;
	}
	else if ($fe = mysqli_fetch_array($sql1))
	{
		// Moderator of the site
		header("location:mod.php?msg=Successful login");
		exit;
	}
	else if ($fe = mysqli_fetch_array($sql3))
	{
		// Simple user of this site
		$_SESSION['eml'] = true;
		header("location:sim.php?msg=Successful login");
		exit;
	}
	else
	{
		echo "invalid pass";
	}
}
?>

 

https://forums.phpfreaks.com/topic/309655-how-to-set-session-multileve-login-php/

When someone logs in, you are authenticating who they are, not what they can do or see on a web page. The only data you should store in a session variable is the user's id (auto-increment integer primary index.) You should then query on each page request to get any other user data. If you have a need to redirect upon a successful login (which is a bad design), retrieve the type value and use it to determine what url to redirect to. All of this takes only one query. You should be using php's password_hash() and password_verify() for password hashing. The post method form processing code should be before the start of the html document. If you also switch to the much simpler PDO database extension and use prepared queries, all of the database code will be simplified.

As @mac_gyver said, when the user registers, create a hash of their password using password_hash() and store that hash value, not the plain-text value.

You then verify the password hash using password_verify() (See line 36 in the code)

That being said, my test table for the code below is ...

CREATE TABLE `sam_user` (
  `user_id` int(11) NOT NULL AUTO_INCREMENT,
  `eml` varchar(50) DEFAULT NULL,
  `pass` varchar(120) DEFAULT NULL,
  `type` varchar(10) NOT NULL DEFAULT 'user',
  PRIMARY KEY (`user_id`),
  UNIQUE KEY `idx_sam_user_eml` (`eml`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

+---------+---------------+--------------------------------------------------------------+-------+
| user_id | eml           | pass                                                         | type  |
+---------+---------------+--------------------------------------------------------------+-------+
|       1 | curly@abc.com | $2y$10$OKAmeyWZpKJcg/VgPAcx3uQr7R1KF23pPZFapmOmn0BhnWLqqVAP6 | user  |
|       2 | larry@abc.com | $2y$10$NeqCtTFo79wxGyAacPJLbeyU7Er4hPKrjwZv1G/Vr6YgHV/vnV9.6 | std   |
|       3 | mo@abc.com    | $2y$10$6TBuStg179rLeMOm2URoNuwEOseYyOIXEVTvbwq7x9G5c9Jw0Bxoi | admin |
+---------+---------------+--------------------------------------------------------------+-------+

 

This is my version of your code ...

<?php
    session_start();
    include 'db_inc.php';                            // database credentials and custom pdoConnect function
    $db = pdoConnect('test');                        // connect to DB 'test' using PDO
    
    // DEFAULT FORM VALUES
    $eml = '';
    $pass = '';
    $messages = '';
    
    // HAS FORM DATA BEEN POSTED?
    if ($_SERVER['REQUEST_METHOD'] == 'POST') {
        $post = array_map('trim', $_POST);
        $eml = $post['eml'] ?? '';
        $pass = $post['pass'] ?? '';
        
        $errors = [];
        
        if ($post['eml']=='') {
            $errors[] = 'You must enter your email address';
        }
        if ($post['pass']=='') {
            $errors[] = 'You must enter your password';
        }
        $stmt = $db->prepare("SELECT user_id
                                   , pass
                                   , type
                              FROM sam_user
                              WHERE eml = ?
                            ");
        $stmt->execute([$post['eml']]);
        $row = $stmt->fetch();
        if (!$row) {
            $errors[] = "Invalid login request";
        } else {
            if (!password_verify($post['pass'], $row['pass'])) {                //  verify the hashed password
                $errors[] = "Invalid login request";
            }
        }
        if (!$errors) {
            $_SESSION['user'] = $row['user_id'];
            $qdata = [];
            switch ($row['type']) {
                case 'admin':
                    $page = 'wel.php';
                    $qdata['msg'] = 'Administrator successfully logged in';
                    break;
                case 'std':
                    $page = 'mod.php';
                    $qdata['msg'] = 'Moderator successfully logged in';
                    break;
                default:
                    $page = 'sim.php';
                    $qdata['msg'] = 'User successfully logged in';
                    break;
            }
            $qstr = http_build_query($qdata);
            $url = "{$page}?{$qstr}";
//          header("Location: $url");                                         // uncomment in production version
            echo $url;                                                        // TESTING ONLY
            exit;
        }
        else {
            unset($_SESSION['user']);
            $messages = "<div class='errors'>" . join('<br>', $errors) . "</div>\n";
        }
    }
?>
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="content-language" content="en">
<meta charset="utf-8">
<title>Example Login</title>
<style type="text/css" media="screen">
    body  { font-family: calibri, sans-serif; font-size: 12pt; }
    header { padding: 25px; text-align: center; background-color: #2DABE1; color: #FFF;}
    label { width: 100px; height: 40px; font-weight: 600; display: inline-block; }
    fieldset { width: 300px; margin: 100px auto; padding: 20px; }
    .errors  { width: 300px; background-color: #E02222; color: #FFF; margin: 0 auto; padding: 20px;}
</style>
</head>
<body>
    <header>
        <h1>Example Login</h1>
    </header>
    <form action="" method="post">
        <fieldset>
                <label>Email</label><input type="text" name="eml" value='<?=htmlspecialchars($eml)?>'><br>
                <label>Password</label><input type="password" name="pass" value='<?=htmlspecialchars($pass)?>'><br>
                <label>&nbsp;</label><input type="submit" name="sb" value='Log In'>
        </fieldset>
    </form>
    <?=$messages?>
</body>
</html>
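Added example (not code from the thread or from either reply): the two pieces the advice above leaves to the reader, registration with password_hash() and the per-page check where the session holds only user_id and the role is fetched fresh on every request. It assumes Barand's sam_user table and a plain PDO connection with placeholder credentials in place of his pdoConnect() helper.

```php
<?php
// auth_inc.php: include at the top of wel.php, mod.php and sim.php instead of
// trusting a boolean or a type value stored in the session at login time.
session_start();

// Placeholder credentials (assumption): replace with your own or with pdoConnect('test').
$db = new PDO('mysql:host=localhost;dbname=test;charset=utf8', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
]);

// Registration side: store the bcrypt hash, never the plain-text password.
function registerUser(PDO $db, string $eml, string $plainPass, string $type = 'user'): int
{
    $stmt = $db->prepare("INSERT INTO sam_user (eml, pass, type) VALUES (?, ?, ?)");
    $stmt->execute([$eml, password_hash($plainPass, PASSWORD_DEFAULT), $type]);
    return (int)$db->lastInsertId();
}

// Per-request lookup: only user_id lives in the session, so a demoted or deleted
// account loses its access on its very next request.
function currentUser(PDO $db): ?array
{
    if (empty($_SESSION['user'])) {
        return null;
    }
    $stmt = $db->prepare("SELECT user_id, eml, type FROM sam_user WHERE user_id = ?");
    $stmt->execute([(int)$_SESSION['user']]);
    $row = $stmt->fetch();
    return $row ?: null;
}

// Gate a page by role. $allowed lists the type values that may view it.
function requireRole(PDO $db, array $allowed): array
{
    $user = currentUser($db);
    if ($user === null) {
        unset($_SESSION['user']);        // not logged in, or the account no longer exists
        header('Location: index.php');
        exit;
    }
    if (!in_array($user['type'], $allowed, true)) {
        http_response_code(403);
        exit('Forbidden');
    }
    return $user;
}

// Usage at the top of wel.php (admin-only page):
// $me = requireRole($db, ['admin']);
```

Barand's login already sets $_SESSION['user'] = $row['user_id'], which is all these helpers need; calling session_regenerate_id(true) right after that assignment is the usual companion step.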