CODEWITHSUNDEEP
phpmysqlauthenticationlogin-scriptaccess-levels
emc
emc

Reputation: 25

Access level and Authentication (PHP/MYSQL)

I have this script working well. But I have problem on utype_id can access in other utype_id. How can I put authentication on it so that utype_id=1 cannot access to utype_id=2? The code is below.

<?php
session_start();

include('includes/connection.php');

$username=$_POST['username'];
$password=$_POST['password'];

if(!empty($username) && !empty($password))
{

    $command="select * from user WHERE  username = '".$username."' and password='".$password."'";

    $result1=mysql_query($command);
    $count=mysql_num_rows($result1);

    $utype_id = "SELECT utype_id FROM user WHERE username='$username'";
    $result2 = mysql_query($utype_id);
    $result3 = mysql_fetch_row($result2);

    if($count==0)
    {
        header("location:loginform.php?attempt=fail");
    }
    else {
        $sql="select * from user WHERE username='".$username."'";
        $result=mysql_query($sql);
        while($row=mysql_fetch_row($result)){

            $_SESSION["id"]=$row[0];
            $_SESSION["username"]=$row[5];
            $_SESSION["name"]=$row[2];

            switch($result3[0]){

            case '1':
                header("location: module1/index.php");
                break;

            case '2':
                header("location: module2/index.php");
                break;

            case '3':
                header("location:loginform.php?attempt=unauthorized");
                break;
            }
        }
    }
}
else
{
    header("location:loginform.php?attempt=null");
}
?>

Upvotes: 1

Views: 1471

Answers (1)

Nes
Nes

Reputation: 304

Follow code cut extra queries and long script 

            include('includes/connection.php');

            $username=$_POST['username'];
            $password=$_POST['password'];

            $location = 'loginform.php?attempt=null';

            if(!empty($username) && !empty($password))
            {

            $command="select * from user WHERE  username = '".$username."' and password='".$password."'";
            $result=mysql_query($command);

            $location = 'loginform.php?attempt=fail';
            if(mysql_num_rows($result) > 0 {
                $frUser = mysql_fetch_array($result, MYSQL_BOTH);
                $_SESSION["id"]=$frUser['id']; // Change the name here
                $_SESSION["username"]=$frUser['username'];// Change the name here
                $_SESSION["name"]=$frUser['name'];  // Change the name here
                $utypeId = $frUser['utype_id'];
                switch($utypeId) {
                case '1':
                    $location = 'module1/index.php';
                break;
                case '2':
                    $location = 'module2/index.php';
                break;
                case '3':
                    $location = 'loginform.php?attempt=unauthorized';
                break;
                }   
            }
            }
            header("location:".$location);
            ?>

Upvotes: 1

Related Questions