Reputation: 157
I would like to get the usergroup from my database, and then check if it is 2 (which would mean it's an Admin). I currently have this code set up:
Login.php
<?php
//process login form if submitted
if(isset($_POST['submited'])){
    $username = trim($_POST['username']);
    $password = trim($_POST['password']);
    if($user->login($username,$password)){
        //logged in return to index page
        $_SESSION['login'] = "$username";
        header('Location: index.php');
        exit;
    } else {
        $message = '<p class="error">Wrong username or password</p>';
    }
}//end if submit
if(isset($message)) { echo $message; }
?>
<div class="lockscreen-credentials">
    <form class="form-signin" role="form" method="post" action="">
        <input type="text" class="form-control" name="username" placeholder="Username" required autofocus>
        <div class="input-group">
            <input type="password" class="form-control" placeholder="password" name="password" required/>
            <div class="input-group-btn">
                <button class="btn btn-flat" name="submited"><i class="fa fa-arrow-right text-muted"></i></button>
            </div>
        </div>
    </form>
</div><!-- /.lockscreen credentials -->
And this is the class that is called (class.user.php):
public function login($username,$password){
    $hashed = $this->get_user_hash($username);
    *$st = $this->_db->prepare('SELECT userGroup FROM users WHERE username = :username');
    $st->execute(array('userGroup' => 2));
    $rows = $st->fetch();
    if($st = 2) {
        $_SESSION['loggedin'] = true;
        return true;
    }*
}
public function logout(){
    session_destroy();
}
As you can see, the code within the stars (*) is where I am trying to check whether the field's value is 2. If so, I want it to log in. If not, I want it to redirect. My error is:
Fatal error: Uncaught exception 'PDOException' with message 'SQLSTATE[HY093]: Invalid parameter number: parameter was not defined' in D:*****\classes\class.user.php:42 Stack trace: #0 D:******\classes\class.user.php(42): PDOStatement->execute(Array) #1 D:*******\login.php(43): User->login('demo', 'demo') #2 {main} thrown in D:*******\classes\class.user.php on line 42
Upvotes: 0
Views: 1753
Reputation: 781814
Try this:
$st = $this->_db->prepare('SELECT 1
                           FROM users
                           WHERE username = :username AND userGroup = 2');
$st->execute(array(':username' => $username));
$row = $st->fetch();
if ($row) {
    $_SESSION['loggedin'] = true;
    return true;
}
You can do the userGroup test in the query, rather than in PHP.
Upvotes: 1
Reputation: 18907
There are several problems here.
$st = $this->_db->prepare('SELECT userGroup FROM users WHERE username = :username');
$st->execute(array('userGroup' => 2));
In the call to execute() you need to specify a value for the placeholder you defined in the call to prepare(). So you should be doing something like
$st = $this->_db->prepare('SELECT userGroup FROM users WHERE username = :username');
$st->execute(array(':username' => $username));
Then, further down, you do:
if($st = 2) {
Firstly, the return from execute() is going to be a boolean - you need to actually fetch the row(s) from the result set. Also, = is an assignment operator not a comparison operator. You need to use either === or ==. Ideally, you would do:
$group = (int) $st->fetchColumn();
if ($group === 2) {
Upvotes: 1
Reputation: 5437
Assign the correct value in the WHERE clause:
$st = $this->_db->prepare('SELECT userGroup FROM users WHERE username = :username');
$st->execute(array('username' => "some user name"));
$rows = $st->fetch();
if($rows['userGroup'] == 2) {
    $_SESSION['loggedin'] = true;
    return true;
}
Upvotes: 1