eamaan Posted May 28, 2022 Share Posted May 28, 2022 <?php session_start(); include('server.php'); if(isset($_POST['login_user'])) { $username = mysqli_real_escape_string($conn, $_POST['username']); $password = mysqli_real_escape_string($conn, $_POST['password']); $login_query = "SELECT * FROM users WHERE username='$username' AND password='$password' LIMIT 1"; $login_query_run = mysqli_query($conn, $login_query); if(mysqli_num_rows($login_query_run) > 0) { foreach($login_query_run as $data){ $user_id = $data['id']; $user_username = $data['username']; $user_email = $data['email']; $role = $data['role']; } $_SESSION['auth'] = true; $_SESSION['auth_role'] = "$role"; $_SESSION['auth_username'] = [ 'user_id'=>$user_id, 'user_username'=>$user_username, 'user_email'=>$user_email, ]; if($_SESSION['auth_role'] == 'admin') { $_SESSION['message'] = "welcome to admin dashboard"; header("location: admindashboard.php"); exit(0); } elseif($_SESSION['auth_role'] == 'user') { $_SESSION['message'] = "welcome to dashboard"; header("location: userdashboard.php"); exit(0); } } else { $_SESSION['message'] = "Invalid email or pass"; header("location: login2.php"); exit(0); } } else { $_SESSION['message'] = "You are not allowed"; header("location: login2.php"); exit(0); } ?> The user and admin roles auth is not working for the following code it just redirects to the button pressed page (ex: index.php) Quote Link to comment Share on other sites More sharing options...
mac_gyver Posted May 28, 2022 Share Posted May 28, 2022 1 hour ago, eamaan said: it just redirects to the button pressed page (ex: index.php) i don't see a redirect in this code to index.php? could you clarify exactly what does occur? btw - you should only store the user id in a session variable to identify who the logged in user is, then query on each page request to get any other user information, role, or permissions. this will let you edit that information and it will take effect on the very next page request, e.g. if you promote, demote, or ban a user, you want it to take effect immediately, without requiring them to log out and back in. you should also - use php's password_hash() and password_verify() don't use a loop to fetch at most one row of data, just directly fetch it. to allow a user to goto another page after they login, provide navigation links, or better yet, integrate the login on any page that needs it. Quote Link to comment Share on other sites More sharing options...
eamaan Posted May 28, 2022 Author Share Posted May 28, 2022 3 hours ago, mac_gyver said: i don't see a redirect in this code to index.php? could you clarify exactly what does occur? btw - you should only store the user id in a session variable to identify who the logged in user is, then query on each page request to get any other user information, role, or permissions. this will let you edit that information and it will take effect on the very next page request, e.g. if you promote, demote, or ban a user, you want it to take effect immediately, without requiring them to log out and back in. you should also - use php's password_hash() and password_verify() don't use a loop to fetch at most one row of data, just directly fetch it. to allow a user to goto another page after they login, provide navigation links, or better yet, integrate the login on any page that needs it. i got this to work but now i dont know how to put user roles like admin and user and if its an admin access dashboard.php like i dont know how to provide authorization for roles. In my db there is a $role field of VARCHAR how to access it and give authorization ? ex. if role = user then go to userdashboard.php or else if role = admin go to admindashboard.php <?php // initializing variables $username = ""; $email = ""; $errors = array(); // connect to the database $db = mysqli_connect('localhost', 'root', '', 'homerepair'); // REGISTER USER if (isset($_POST['reg_user'])) { // receive all input values from the form $username = mysqli_real_escape_string($db, $_POST['username']); $email = mysqli_real_escape_string($db, $_POST['email']); $password_1 = mysqli_real_escape_string($db, $_POST['password_1']); $password_2 = mysqli_real_escape_string($db, $_POST['password_2']); // form validation: ensure that the form is correctly filled ... // by adding (array_push()) corresponding error unto $errors array if (empty($username)) { array_push($errors, "Username is required"); } if (empty($email)) { array_push($errors, "Email is required"); } if (empty($password_1)) { array_push($errors, "Password is required"); } if ($password_1 != $password_2) { array_push($errors, "The two passwords do not match"); } // first check the database to make sure // a user does not already exist with the same username and/or email $user_check_query = "SELECT * FROM users WHERE username='$username' OR email='$email' LIMIT 1"; $result = mysqli_query($db, $user_check_query); $user = mysqli_fetch_assoc($result); if ($user) { // if user exists if ($user['username'] === $username) { array_push($errors, "Username already exists"); } if ($user['email'] === $email) { array_push($errors, "email already exists"); } } // Finally, register user if there are no errors in the form if (count($errors) == 0) { $password = md5($password_1);//encrypt the password before saving in the database $query = "INSERT INTO users (username, email, password) VALUES('$username', '$email', '$password')"; mysqli_query($db, $query); $_SESSION['username'] = $username; $_SESSION['success'] = "You are now logged in"; header('location: index.php'); } } if (isset($_POST['login_user'])) { $username = mysqli_real_escape_string($db, $_POST['username']); $password = mysqli_real_escape_string($db, $_POST['password']); if (empty($username)) { array_push($errors, "Username is required"); } if (empty($password)) { array_push($errors, "Password is required"); } if (count($errors) == 0) { $password = md5($password); $query = "SELECT * FROM users WHERE username='$username' AND password='$password'"; $results = mysqli_query($db, $query); if (mysqli_num_rows($results) == 1) { $_SESSION['username'] = $username; $_SESSION['success'] = "You are now logged in"; header('location: index.php'); }else { array_push($errors, "Wrong username/password combination"); } } } ?> <!DOCTYPE html> <html> <head> <title>Registration system PHP and MySQL</title> <link rel="stylesheet" type="text/css" href="user/login.css"> </head> <body> <div class="header"> <h2>Login</h2> </div> <form method="post" action="<?php echo $_SERVER['PHP_SELF']; ?>"> <?php include('errors.php'); ?> <div class="input-group"> <label>Username</label> <input type="text" name="username" > </div> <div class="input-group"> <label>Password</label> <input type="password" name="password"> </div> <div class="input-group"> <button type="submit" class="btn" name="login_user">Login</button> </div> <p> Not yet a member? <a href="register.php">Sign up</a> </p> </form> </body> </html> Quote Link to comment Share on other sites More sharing options...
schwim Posted May 28, 2022 Share Posted May 28, 2022 3 hours ago, eamaan said: $query = "SELECT * FROM users WHERE username='$username' AND password='$password'"; You would just retrieve role from the users table. If the role is user, forward to one page and if the role is admin, forward them to another. Additionally, you would need a role check on each page to ensure that the logged in user didn't manually visit a protected page. Quote Link to comment Share on other sites More sharing options...
ginerjm Posted May 28, 2022 Share Posted May 28, 2022 Just a thought: If you are seeking a record for a user there s/b only 1 ever. So using a limit of 1 defeats your security since you could possibly have a duplicate username and if so the limit 1 is not going to tell you that. Drop that and do a check on record count right after the query runs. If it is not === 1 you have another problem. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.