0

I'm doing on this project and I find it hard to find the right answer to my question. I've googled for answers but none of them worked, I also tried to alter the codes but still it's not working properly. This is how I plan my project. A user/admin will log in one log-in form then it will redirect whether the input is for admin or normal user.

I've created a table named users, a table named info. In the info table, there is username(varchar), password(varchar) and admin_level(int).

Here's my html and php script:

<form method='post' action='login.php'>
<div id='userLogIn'>User LogIn</div>
Username <input type=text name=username> </br>
Password <input type=password name=password></br>
    <input type=submit name=submit value='Log in'>
</div>

<?php
if(isset($_POST['submit']))
{
    $a = $_POST['username'];
    $b = $_POST['password'];
    include("dbconnect.php");
    $sql = "SELECT * FROM info 
                     WHERE username 
                     LIKE '$a' AND password LIKE '$b' 
                     AND admin_level LIKE 1";
    $result=mysql_query($sql);

    $count = mysql_num_rows($result);

    $rows=mysql_fetch_array($result);
    if ($count == 1) {

    if ($rows['admin_level'] == 1) {
        header ("Location:adminPage.php");
    }
    else  {
        header ("Location:userPage.php");
        }
    }
    else {
        print "<font color=red>Username/Password Combination Error</font>";
    }

}
Improve this question
4
  • Stop escaping your variables with 's! Commented Feb 18, 2014 at 16:13
  • The MySQL API is depreciated. It is highly recommended to switch to the improved MySQLi API. Commented Feb 18, 2014 at 16:15
  • I've altered my MySQL code with "SELECT * FROM info WHERE username=$a AND password=$b AND admin_level=1" Yet still not working. :( Commented Feb 18, 2014 at 16:17
  • See this post why you don't use this approach stackoverflow.com/questions/60174/… Commented Feb 18, 2014 at 16:22

4 Answers 4

Reset to default
3

  1. Don't use mysql_* functions. As you're learning from the beginning, it's the best time to start avoiding mysql_* functions. Start with PDO or mysqli_ instead

  2. To match username/password, don't use LIKE, use = instead. so instead of, $sql = "SELECT * FROM info WHERE username LIKE '$a' AND password LIKE '$b' AND admin_level LIKE 1"; write, $sql = "SELECT * FROM info WHERE username = '$a' AND password = '$b'";

  3. Fetch data from table only when there's at least 1 row. So, instead of these,

    $count = mysql_num_rows($result);

$rows=mysql_fetch_array($result);
if ($count == 1){

    if ($rows['admin_level'] == 1) {
        header ("Location:adminPage.php");
    } else  {
        header ("Location:userPage.php");
    }
}

write,

    if (mysql_num_rows($result) > 0 ){
        $rows=mysql_fetch_array($result);

        if ($rows['admin_level'] == 1) {
            header ("Location:adminPage.php");
        } else  {
            header ("Location:userPage.php");
        }
    }
Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

0

try this 

<form method="post" action="">
<div id='userLogIn'>User LogIn</div>
Username <input type="text" name="username"> </br>
Password <input type="password" name="password"></br>
<input type="submit" name="submit" value="Log in">
</div>

<?php
include("dbconnect.php");
if(isset($_POST['submit']))
{
    $username = mysql_real_escape_string($_POST['username']);
    $user_pass = mysql_real_escape_string($_POST['password']);
    $sql = "SELECT * FROM info WHERE username='".$username."' and password='".$user_pass."'";
    $result=mysql_query($sql);
    $count = mysql_num_rows($result);
    if($count==1){
        $rows=mysql_fetch_array($result);
        if ($rows['admin_level']==1) {
            header ("Location:adminPage.php");
        }
        else{
            header ("Location:userPage.php");
        }
    }
    else{
        print "<font color=red>Username/Password Combination Error</font>";
    }
}
Improve this answer

1 Comment

Thank you to all who helped. It is really appreciated thank you. :)
0

I highly recommend you read the history of this posts before continuing to go down by this path:

Your code is liable to be broken by using simple techniques of SQL Injection - since your variables are not sanitized or filtered.

Besides making your code work, you need to understand that there is no safe and secure to do so.

Once you are aware of the consequences that possession be from a leak information from your database to a full drop from your base.

Improve this answer

2 Comments

I think MySQLi looks interesting but, can you send a link for some articles which I can understand it deeper? Thank you in advance
This article was not written in English, but has several didact examples translate.google.com.br/…
0

This is what i do: First take the input from the form and establish variables.` 

    $VerifyCredentials = AttemptSignIn($Username, $Password);
    if ($VerifyCredentials){
        //Success, store username in session
        //Mark user as signed in
        $_SESSION[Username] = $Username;
        RedirectTo("homepage.php");
        }else {
            //Failure
            $_SESSION["message"] = "Username/Password not found.";
            }
}
?>`

Here, there are some functions i made. The above function adds the username to the session for further page access (Which some pros would not recommend, for it has a slightly lesser security level), otherwise it sends a failure message.

Also always remember to use mysqli_real_escape_string() to protect against sql injection. Now i dont think you are encrypting the passwords, so i won't trouble you with that step.

Here is the attempt sign in function: I also have a table called users

global $connection; //I have a connection variable which establishes the connection.
//Test if connection was successful
if(mysqli_connect_errno()){
    die("Database connection failed: " . 
        mysqli_connect_error() . 
        " (" . mysqli_connect_errno() . ")"
        );
    }
    $SafeUsername = mysqli_real_escape_string($connection, $Username);
    $Query = "Select * ";
    $Query .= "From users ";
    $Query .= "Where username = '{$SafeUsername}' ";
    $Query .= "Limit 1";

$UserSet = mysqli_query($connection, $Query);
ConfirmQuery($UserSet);
if ($User = mysqli_fetch_assoc($UserSet)){
    return $User;
    }else {
        return null;
        }

}

function PasswordCheck($Password, $ExistingPassword) {
if ($Password === $ExistingPassword){
    return true;
    }else {
        return false;
        }
}

//First find the user
    $User = FindUsername($Username);
    if ($User){
    //User found, now compare the password
    if (PasswordCheck($Password, $User["password"])){
        //password matches
        return $User;
        }else //password does not match
        return false;
    }else {
        //User not found
        return false;
        }  
}
Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.