Erwin007 Posted May 9, 2023 Share Posted May 9, 2023 Hi, hate to ask but after hours of trying I can't figure it out. Probably something incredible small... if(isset($_POST['login'])){ extract($_POST); $query = "SELECT * FROM users WHERE `username` = '$username' AND password ='$password'"; $result = mysqli_query($con,$query); $num_row = mysqli_num_rows($result); if( $num_row > 0){ $row = mysqli_fetch_assoc($result); $id = $row['id']; $_SESSION['$username'] = $row; $_SESSION['user'] = $username; $admin = $row['admin']; if( $admin = 1 ){ header("location:index_admin.php"); }else{ header("location:index.php"); } }else{ header("location:login.php?msg=error"); } it doesn't matter if the user has admin 1 or 0 it always goes to the index_admin.php Quote Link to comment https://forums.phpfreaks.com/topic/316279-again-some-very-needed-help/ Share on other sites More sharing options...
cyberRobot Posted May 9, 2023 Share Posted May 9, 2023 You're using the assignment operator "=". Try if( $admin == 1 ){ Quote Link to comment https://forums.phpfreaks.com/topic/316279-again-some-very-needed-help/#findComment-1608235 Share on other sites More sharing options...
cyberRobot Posted May 9, 2023 Share Posted May 9, 2023 Side note: you'll want to be extra cautious with values that can be tampered with by the users (i.e., $username and $password). The values could potentially break the query...or be used for SQL Injection Attacks. These issues can be avoided with Prepared Statements.https://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php Quote Link to comment https://forums.phpfreaks.com/topic/316279-again-some-very-needed-help/#findComment-1608239 Share on other sites More sharing options...
Erwin007 Posted May 9, 2023 Author Share Posted May 9, 2023 11 minutes ago, cyberRobot said: You're using the assignment operator "=". Try if( $admin == 1 ){ HI, thanks for your reply, unfortunately it doesn't work Quote Link to comment https://forums.phpfreaks.com/topic/316279-again-some-very-needed-help/#findComment-1608240 Share on other sites More sharing options...
Erwin007 Posted May 9, 2023 Author Share Posted May 9, 2023 5 minutes ago, cyberRobot said: Side note: you'll want to be extra cautious with values that can be tampered with by the users (i.e., $username and $password). The values could potentially break the query...or be used for SQL Injection Attacks. These issues can be avoided with Prepared Statements.https://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php Thanks for the advice but first I need to have it working the "vulnerable" way Quote Link to comment https://forums.phpfreaks.com/topic/316279-again-some-very-needed-help/#findComment-1608241 Share on other sites More sharing options...
cyberRobot Posted May 9, 2023 Share Posted May 9, 2023 30 minutes ago, Erwin007 said: thanks for your reply, unfortunately it doesn't work Is it still always going to index_admin.php? Have you tried outputting $admin to see if it contains the expected value? Of course, you'll need to temporarily disable the header calls so you can see the output. Also, it's always a good idea to use exit after a header call. Otherwise, the code below the header call may still execute. More information can be found here: https://www.php.net/manual/en/function.header.php //... $admin = $row['admin']; if( $admin == 1 ){ header("location:index_admin.php"); exit; }else{ header("location:index.php"); exit; } }else{ header("location:login.php?msg=error"); exit; } Quote Link to comment https://forums.phpfreaks.com/topic/316279-again-some-very-needed-help/#findComment-1608242 Share on other sites More sharing options...
mac_gyver Posted May 9, 2023 Share Posted May 9, 2023 the only redirect you should have in your post method form processing code should be upon successfully logging in and it should be to the exact same URL of the current page to cause a get request for that page. if you don't do this, anyone can use the browser's developer tools network tab to see what the submitted username and password are. if you want the user to be able to go to a different page, provide navigation links, or ever better, integrate the login system with any page that needs it. by putting the form and form processing on different pages and doing this - header("location:login.php?msg=error"), you are opening your site to a phishing attack, where someone can trick your users to enter their username/password on the phishing site, then redirect to your site and make it look like they mistyped their information. Quote Link to comment https://forums.phpfreaks.com/topic/316279-again-some-very-needed-help/#findComment-1608245 Share on other sites More sharing options...
Erwin007 Posted May 9, 2023 Author Share Posted May 9, 2023 49 minutes ago, cyberRobot said: Is it still always going to index_admin.php? Have you tried outputting $admin to see if it contains the expected value? Of course, you'll need to temporarily disable the header calls so you can see the output. Also, it's always a good idea to use exit after a header call. Otherwise, the code below the header call may still execute. More information can be found here: https://www.php.net/manual/en/function.header.php //... $admin = $row['admin']; if( $admin == 1 ){ header("location:index_admin.php"); exit; }else{ header("location:index.php"); exit; } }else{ header("location:login.php?msg=error"); exit; } I tried your suggestion but still the same result. In the table the admin is a varchar with length = 1, but I tried tinyint also with the same result. Quote Link to comment https://forums.phpfreaks.com/topic/316279-again-some-very-needed-help/#findComment-1608246 Share on other sites More sharing options...
Erwin007 Posted May 10, 2023 Author Share Posted May 10, 2023 it looks like $admin does not have the value 1 (or whatever I put in the database) What am I doing wrong? It's driving me absolutely (more) nuts. Quote Link to comment https://forums.phpfreaks.com/topic/316279-again-some-very-needed-help/#findComment-1608281 Share on other sites More sharing options...
cyberRobot Posted May 11, 2023 Share Posted May 11, 2023 Is "admin" the column name in the database table "users"? Have you tried outputting $row to see if it contains the expected values? For example, you could add the bottom two lines after the $row assignment. $row = mysqli_fetch_assoc($result); print '<pre>' . print_r($row, true) . '</pre>'; //<-- debug code exit; //end script to avoid header() from executing 1 Quote Link to comment https://forums.phpfreaks.com/topic/316279-again-some-very-needed-help/#findComment-1608297 Share on other sites More sharing options...
gizmola Posted May 11, 2023 Share Posted May 11, 2023 Just to be clear, you implemented the fix for the bug that cyberRobot provided? if( $admin == 1 ){ So at this point your entire question has changed! Now you are always going to index.php rather than admin_index.php? A few general comments, and things I noticed: The correct valid form of the location header is: header("Location: index.php"); Notice "Location" not 'location' and the space between the colon and the url. MDN is a good place to verify these types of things: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Location These small details often aren't a problem, until they are, and something doesn't work right, and you can't figure out why. In general, you are at the point, where you need to verify your assumptions one step at a time, with debugging output, using var_dump(), die("something...), or something like what @cyberRobot provided in your last message. The other option is to get xdebug working, so you can step through your code. Setting it up can be difficult for some people, depending on your development environment and IDE being used, but it is often a tremendous aid to developers who are learning. If you want to let us know what your development environment is (os, php setup, code editor etc) we might be able to locate some resources or tutorials to help you with the setup. This code appears to be wrong: $_SESSION['$username'] = $row; $_SESSION['user'] = $username; First you have $username, which is an odd key, and makes me wonder what you are trying to do there. It also looks like these assignments are mixed up. I would assume what you really want is: $_SESSION['username'] = $username; $_SESSION['user'] = $row; Last but not least, I would strongly urge you to start looking at how to employ functions, to make your code more manageable and DRY. Look at how many places you are doing a header location! Consider this simple function: function redirect($url): void { header("Location: $url"); exit; } You might notice that whenever you redirect using the location header, you can not trust the browser to perform the redirect, so you should always exit() so that no additional code will be run. Putting it in a function, helps insure you don't forget. With this function, your code would become: if (isset($_POST['login'])) { extract($_POST); $query = "SELECT * FROM users WHERE `username` = '$username' AND password ='$password'"; $result = mysqli_query($con,$query); $num_row = mysqli_num_rows($result); if( $num_row > 0){ $row = mysqli_fetch_assoc($result); $id = $row['id']; $_SESSION['user'] = $row; $_SESSION['username'] = $username; $admin = $row['admin']; if( $admin = 1 ){ redirect("index_admin.php"); } else { redirect("location:index.php"); } } else { redirect("login.php?msg=error"); } This is more of a best practice recommendation, but when you have code like this, that has a functional flow that ends/exits/returns, it is best practice not to employ nested if then else blocks when you can avoid them. Your code can be rewritten this way: if (isset($_POST['login'])) { extract($_POST); $query = "SELECT * FROM `users` WHERE `username` = '$username' AND `password` ='$password'"; $result = mysqli_query($con,$query); $num_row = mysqli_num_rows($result); if ($num_row < 1) { redirect("login.php?msg=error"); } $row = mysqli_fetch_assoc($result); $id = $row['id']; $_SESSION['user'] = $row; $_SESSION['username'] = $username; $admin = $row['admin']; if ($admin = 1) { redirect("index_admin.php"); } redirect("location:index.php"); Quote Link to comment https://forums.phpfreaks.com/topic/316279-again-some-very-needed-help/#findComment-1608303 Share on other sites More sharing options...
dadaji7710 Posted May 15, 2023 Share Posted May 15, 2023 You can search within the comments of a particular post by clicking on the search icon in the header whenever you’re on a post. On the desktop site, this search bar is by the comments section, below the comment box. Quote Link to comment https://forums.phpfreaks.com/topic/316279-again-some-very-needed-help/#findComment-1608400 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.