Reputation: 89
I tried to redirect my users and admin to certain pages, but my PHP code is redirecting both the admin and the users to the same page.
if (isset($_POST['Login'])) {
    $username = $_POST['username'];
    $password = $_POST['surname'];
    $password_hash = md5($password);
    $role;
    if (!empty($username) && (!empty($password)))
    {
        $query = "SELECT 'id' FROM users WHERE 'staffno' = '$username' AND 'password'='$password_hash'";
        $run = mysqli_query($conn, $query);
        if ($run) {
            $sql = "SELECT users.role FROM users";
            $result = mysqli_query($conn, $sql);
            $user = mysqli_fetch_array( $result);
            //$_SESSION['admin'] = $user['admin'];
            $_SESSION['role'] = "admin";
            if((isset($_SESSION['role']) && $_SESSION['role'] == "admin")){
                header("location: Upload.php");
            }else{
                header("location: Home.php");
            }
        }
    }
}
Upvotes: 0
Views: 8591
Reputation: 79
Can you start by changing $password = $_POST['surname']; to $password = $_POST['password']; and see if it solves your issue?
Upvotes: 0
Reputation: 27
Try to use this:
$_SESSION['role'] = $user['database-role-column-name'];
Upvotes: 1
Reputation: 720
Try
if ($run) {
    $_SESSION['role'] = $user['role'];
    if ($user['role'] == 'admin') {
        // admin page
    } else {
        // the other page
    }
}
Also try limiting the result of your first query by adding
LIMIT 0, 1
Your code is now even shorter.
Upvotes: 1
Reputation: 3531
You need to store the dynamic user role in the session.
$_SESSION['role'] = "admin";
change to
$_SESSION['role'] = $user['Your_User_Role_column_name'];
This script, $user = mysqli_fetch_array( $result);, will return all information about the selected user, so if you are storing the user role in the same table then you can store the user role value in the session. In this way your if statement will be functional as per requirement.
Also, to use the session you need to add session_start() before using $_SESSION.
Please check the example:
session_start();
if (isset($_POST['Login'])) {
    $username = $_POST['username'];
    $password = $_POST['surname'];
    $password_hash = md5($password);
    $role;
    if (!empty($username) && (!empty($password)))
    {
        $query = "SELECT `id` FROM users WHERE `staffno` = '$username' AND `password`='$password_hash'";
        $run = mysqli_query($conn, $query);
        if ($run) {
            $sql = "SELECT users.role FROM users";
            $result = mysqli_query($conn, $sql);
            $user = mysqli_fetch_array( $result);
            $_SESSION['role'] = "admin"; // this approach will always be the same
            $_SESSION['role'] = $user['Your_User_Role_column_name']; // you need to store the dynamic user role in the session
            if((isset($_SESSION['role']) && $_SESSION['role'] == "admin")){
                header("location: Upload.php");
            }else{
                header("location: Home.php");
            }
        }
    }
}
Upvotes: 0
Reputation: 31397
I'm assuming you have started the session at the top. Since you have hardcoded the $_SESSION['role'] variable
$_SESSION['role'] = "admin";
this will always be true:
if((isset($_SESSION['role']) && $_SESSION['role'] == "admin")){
You need to use this instead:
$_SESSION['role'] = $user['role'];
Upvotes: 0
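Added example, not part of the question or of any answer above: the login handler with the role read from the same row that matched the credentials, a prepared statement in place of the interpolated query, and a check that a row was actually found (in the question, `if ($run)` is true even when no user matches). It assumes `$conn` is the open mysqli connection from the question, that the form field is named `password`, that the `password` column holds `password_hash()` output instead of md5, and that `Login.php` is the (hypothetical) login page.

```php
<?php
// Added example. Table/column names (users, staffno, password, role) come from
// the question; password_hash() storage and Login.php are assumptions.
session_start();

/**
 * Returns ['id' => ..., 'role' => ...] for valid credentials, or null otherwise.
 */
function authenticate(mysqli $conn, string $username, string $password): ?array
{
    // One query: the role comes from the row that matched this staffno,
    // not from an unfiltered "SELECT users.role FROM users".
    $stmt = $conn->prepare(
        'SELECT id, password, role FROM users WHERE staffno = ? LIMIT 1'
    );
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $stmt->bind_result($id, $hash, $role);
    $found = $stmt->fetch();          // true only when a row was returned
    $stmt->close();

    if ($found !== true || !password_verify($password, (string) $hash)) {
        return null;
    }
    return ['id' => $id, 'role' => $role];
}

if (isset($_POST['Login'])) {
    $user = authenticate($conn, $_POST['username'] ?? '', $_POST['password'] ?? '');
    if ($user === null) {
        header('Location: Login.php?error=1');
        exit;
    }
    session_regenerate_id(true);      // new session id after a privilege change
    $_SESSION['user_id'] = $user['id'];
    $_SESSION['role']    = $user['role'];
    header('Location: ' . ($user['role'] === 'admin' ? 'Upload.php' : 'Home.php'));
    exit;                             // stop executing after sending the redirect
}
```

Upload.php still has to check `$_SESSION['role']` itself on every request; the redirect only decides where the browser is sent.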