Reputation: 5
User/Admin Log-In form Php, MySQL
I'm doing on this project and I find it hard to find the right answer to my question. I've googled for answers but none of them worked, I also tried to alter the codes but still it's not working properly. This is how I plan my project. A user/admin will log in one log-in form then it will redirect whether the input is for admin or normal user.
I've created a table named users, a table named info. In the info table, there is username(varchar), password(varchar) and admin_level(int).
Here's my html and php script:
<form method='post' action='login.php'>
<div id='userLogIn'>User LogIn</div>
Username <input type=text name=username> </br>
Password <input type=password name=password></br>
<input type=submit name=submit value='Log in'>
</div>
<?php
if(isset($_POST['submit']))
{
$a = $_POST['username'];
$b = $_POST['password'];
include("dbconnect.php");
$sql = "SELECT * FROM info
WHERE username
LIKE '$a' AND password LIKE '$b'
AND admin_level LIKE 1";
$result=mysql_query($sql);
$count = mysql_num_rows($result);
$rows=mysql_fetch_array($result);
if ($count == 1) {
if ($rows['admin_level'] == 1) {
header ("Location:adminPage.php");
}
else {
header ("Location:userPage.php");
}
}
else {
print "<font color=red>Username/Password Combination Error</font>";
}
}
Upvotes: 0
Views: 3488
Answers (4)
Reputation: 1286
This is what i do: First take the input from the form and establish variables.`
$VerifyCredentials = AttemptSignIn($Username, $Password);
if ($VerifyCredentials){
//Success, store username in session
//Mark user as signed in
$_SESSION[Username] = $Username;
RedirectTo("homepage.php");
}else {
//Failure
$_SESSION["message"] = "Username/Password not found.";
}
}
?>`
Here, there are some functions i made. The above function adds the username to the session for further page access (Which some pros would not recommend, for it has a slightly lesser security level), otherwise it sends a failure message.
Also always remember to use mysqli_real_escape_string() to protect against sql injection. Now i dont think you are encrypting the passwords, so i won't trouble you with that step.
Here is the attempt sign in function: I also have a table called users
global $connection; //I have a connection variable which establishes the connection.
//Test if connection was successful
if(mysqli_connect_errno()){
die("Database connection failed: " .
mysqli_connect_error() .
" (" . mysqli_connect_errno() . ")"
);
}
$SafeUsername = mysqli_real_escape_string($connection, $Username);
$Query = "Select * ";
$Query .= "From users ";
$Query .= "Where username = '{$SafeUsername}' ";
$Query .= "Limit 1";
$UserSet = mysqli_query($connection, $Query);
ConfirmQuery($UserSet);
if ($User = mysqli_fetch_assoc($UserSet)){
return $User;
}else {
return null;
}
}
function PasswordCheck($Password, $ExistingPassword) {
if ($Password === $ExistingPassword){
return true;
}else {
return false;
}
}
//First find the user
$User = FindUsername($Username);
if ($User){
//User found, now compare the password
if (PasswordCheck($Password, $User["password"])){
//password matches
return $User;
}else //password does not match
return false;
}else {
//User not found
return false;
}
}
Upvotes: 0
Reputation: 2170
I highly recommend you read the history of this posts before continuing to go down by this path:
Your code is liable to be broken by using simple techniques of SQL Injection - since your variables are not sanitized or filtered.
Besides making your code work, you need to understand that there is no safe and secure to do so.
Once you are aware of the consequences that possession be from a leak information from your database to a full drop from your base.
Upvotes: 0
Reputation: 746
try this
<form method="post" action="">
<div id='userLogIn'>User LogIn</div>
Username <input type="text" name="username"> </br>
Password <input type="password" name="password"></br>
<input type="submit" name="submit" value="Log in">
</div>
<?php
include("dbconnect.php");
if(isset($_POST['submit']))
{
$username = mysql_real_escape_string($_POST['username']);
$user_pass = mysql_real_escape_string($_POST['password']);
$sql = "SELECT * FROM info WHERE username='".$username."' and password='".$user_pass."'";
$result=mysql_query($sql);
$count = mysql_num_rows($result);
if($count==1){
$rows=mysql_fetch_array($result);
if ($rows['admin_level']==1) {
header ("Location:adminPage.php");
}
else{
header ("Location:userPage.php");
}
}
else{
print "<font color=red>Username/Password Combination Error</font>";
}
}
Upvotes: 0
Reputation: 4565
Don't use
mysql_*functions. As you're learning from the beginning, it's the best time to start avoidingmysql_*functions. Start with PDO or mysqli_ insteadTo match username/password, don't use
LIKE, use=instead. so instead of,$sql = "SELECT * FROM info WHERE username LIKE '$a' AND password LIKE '$b' AND admin_level LIKE 1";write,$sql = "SELECT * FROM info WHERE username = '$a' AND password = '$b'";Fetch data from table only when there's at least 1 row. So, instead of these,
$count = mysql_num_rows($result); $rows=mysql_fetch_array($result); if ($count == 1){ if ($rows['admin_level'] == 1) { header ("Location:adminPage.php"); } else { header ("Location:userPage.php"); } }
write,
if (mysql_num_rows($result) > 0 ){
$rows=mysql_fetch_array($result);
if ($rows['admin_level'] == 1) {
header ("Location:adminPage.php");
} else {
header ("Location:userPage.php");
}
}
Upvotes: 3