Jump to content

Recommended Posts

<?php

session_start();

include('server.php');


 

if(isset($_POST['login_user']))

{

    $username = mysqli_real_escape_string($conn, $_POST['username']);

    $password = mysqli_real_escape_string($conn, $_POST['password']);

 

    $login_query = "SELECT * FROM users WHERE username='$username' AND password='$password' LIMIT 1";

    $login_query_run = mysqli_query($conn, $login_query);


 

    if(mysqli_num_rows($login_query_run) > 0)

    {

        foreach($login_query_run as $data){

            $user_id = $data['id'];

            $user_username = $data['username'];

            $user_email = $data['email'];

            $role = $data['role'];

        }

 

        $_SESSION['auth'] = true;

        $_SESSION['auth_role'] = "$role";

        $_SESSION['auth_username'] = [

            'user_id'=>$user_id,

            'user_username'=>$user_username,

            'user_email'=>$user_email,

        ];

 

        if($_SESSION['auth_role'] == 'admin')

        {

            $_SESSION['message'] = "welcome to admin dashboard";

            header("location: admindashboard.php");

            exit(0);

        }

        elseif($_SESSION['auth_role'] == 'user')

        {

            $_SESSION['message'] = "welcome to dashboard";

            header("location: userdashboard.php");

            exit(0);

        }

    }

    else

    {

        $_SESSION['message'] = "Invalid email or pass";

        header("location: login2.php");

        exit(0);

    }

}

else

{

    $_SESSION['message'] = "You are not allowed";

    header("location: login2.php");

    exit(0);

}



 

?>

 

 

The user and admin roles auth is not working for the following code it just redirects to the button pressed page (ex: index.php)  

1 hour ago, eamaan said:

it just redirects to the button pressed page (ex: index.php)

i don't see a redirect in this code to index.php? could you clarify exactly what does occur? 

btw - you should only store the user id in a session variable to identify who the logged in user is, then query on each page request to get any other user information, role, or permissions. this will let you edit that information and it will take effect on the very next page request, e.g. if you promote, demote, or ban a user, you want it to take effect immediately, without requiring them to log out and back in.

you should also -

  1. use php's password_hash() and password_verify()
  2. don't use a loop to fetch at most one row of data, just directly fetch it.
  3. to allow a user to goto another page after they login, provide navigation links, or better yet, integrate the login on any page that needs it.
3 hours ago, mac_gyver said:

i don't see a redirect in this code to index.php? could you clarify exactly what does occur? 

btw - you should only store the user id in a session variable to identify who the logged in user is, then query on each page request to get any other user information, role, or permissions. this will let you edit that information and it will take effect on the very next page request, e.g. if you promote, demote, or ban a user, you want it to take effect immediately, without requiring them to log out and back in.

you should also -

  1. use php's password_hash() and password_verify()
  2. don't use a loop to fetch at most one row of data, just directly fetch it.
  3. to allow a user to goto another page after they login, provide navigation links, or better yet, integrate the login on any page that needs it.

i got this to work but now i dont know how to put user roles like admin and user and if its an admin access dashboard.php like i dont know how to provide authorization for roles. In my db there is a $role field of VARCHAR how to access it and give authorization ? ex. if role = user then go to userdashboard.php or else if role = admin go to admindashboard.php

<?php



// initializing variables

$username = "";

$email    = "";

$errors = array();



// connect to the database

$db = mysqli_connect('localhost', 'root', '', 'homerepair');



// REGISTER USER



if (isset($_POST['reg_user'])) {

  // receive all input values from the form

  $username = mysqli_real_escape_string($db, $_POST['username']);

  $email = mysqli_real_escape_string($db, $_POST['email']);

  $password_1 = mysqli_real_escape_string($db, $_POST['password_1']);

  $password_2 = mysqli_real_escape_string($db, $_POST['password_2']);



  // form validation: ensure that the form is correctly filled ...

  // by adding (array_push()) corresponding error unto $errors array

  if (empty($username)) { array_push($errors, "Username is required"); }

  if (empty($email)) { array_push($errors, "Email is required"); }

  if (empty($password_1)) { array_push($errors, "Password is required"); }

  if ($password_1 != $password_2) {

  array_push($errors, "The two passwords do not match");

  }



  // first check the database to make sure

  // a user does not already exist with the same username and/or email

  $user_check_query = "SELECT * FROM users WHERE username='$username' OR email='$email' LIMIT 1";

  $result = mysqli_query($db, $user_check_query);

  $user = mysqli_fetch_assoc($result);



  if ($user) { // if user exists

    if ($user['username'] === $username) {

      array_push($errors, "Username already exists");

    }



    if ($user['email'] === $email) {

      array_push($errors, "email already exists");

    }

  }



  // Finally, register user if there are no errors in the form

  if (count($errors) == 0) {

    $password = md5($password_1);//encrypt the password before saving in the database



    $query = "INSERT INTO users (username, email, password)

          VALUES('$username', '$email', '$password')";

    mysqli_query($db, $query);

    $_SESSION['username'] = $username;

    $_SESSION['success'] = "You are now logged in";

    header('location: index.php');

  }

}



  if (isset($_POST['login_user'])) {

    $username = mysqli_real_escape_string($db, $_POST['username']);

    $password = mysqli_real_escape_string($db, $_POST['password']);



    if (empty($username)) {

      array_push($errors, "Username is required");

    }

    if (empty($password)) {

      array_push($errors, "Password is required");

    }



    if (count($errors) == 0) {

      $password = md5($password);

      $query = "SELECT * FROM users WHERE username='$username' AND password='$password'";

      $results = mysqli_query($db, $query);

      if (mysqli_num_rows($results) == 1) {

        $_SESSION['username'] = $username;

        $_SESSION['success'] = "You are now logged in";

        header('location: index.php');

      }else {

        array_push($errors, "Wrong username/password combination");

      }

    }

  }

  ?>

<!DOCTYPE html>

<html>

<head>

  <title>Registration system PHP and MySQL</title>

  <link rel="stylesheet" type="text/css" href="user/login.css">

</head>

<body>

  <div class="header">

    <h2>Login</h2>

  </div>

   

  <form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>">

    <?php include('errors.php'); ?>

    <div class="input-group">

      <label>Username</label>

      <input type="text" name="username" >

    </div>

    <div class="input-group">

      <label>Password</label>

      <input type="password" name="password">

    </div>

    <div class="input-group">

      <button type="submit" class="btn" name="login_user">Login</button>

    </div>

    <p>

      Not yet a member? <a href="register.php">Sign up</a>

    </p>

  </form>

</body>

</html>

 

3 hours ago, eamaan said:
$query = "SELECT * FROM users WHERE username='$username' AND password='$password'";

You would just retrieve role from the users table.  If the role is user, forward to one page and if the role is admin, forward them to another.

Additionally, you would need a role check on each page to ensure that the logged in user didn't manually visit a protected page.

Just a thought:  If you are seeking a record for a user there s/b only 1 ever.  So using a limit of 1 defeats your security since you could possibly have a duplicate username and if so the limit 1 is not going to tell you that.  Drop that and do a check on record count right after the query runs.  If it is not === 1 you have another problem.

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.