php login system help...

Agenator

Okay, so I need some help with my login system. I'm trying to get it to either redirect to the login page or a separate download page depending on what "rank" the user has in the MySQL database (I set the Admin value to an int with the default 0 (which I intend to make the user value) and the admin value 1, which I can change and update in the admin page). So I wrote out this code:
PHP:
<?php

include 'config.php';
include 'opendb.php';

mysql_select_db($dbname) or die(mysql_error());

$email = $_POST['email'];
$password = $_POST['password'];
$admin = "select Admin FROM information where email='$email' and password='$password'";
$query = "select*from information where email='$email' and password='$password'";
$result = mysql_query($query);
$adminresult = mysql_query($admin);

if (mysql_num_rows($result) != 1)
{
$error = 'Bad Login';
include 'mainpage.html';

}
elseif (mysql_fetch_object($adminresult) == 1){

include "adminpage.html";

}else{



include "form.html";


}
include 'closedb.php';
?>
And no matter whether the user is 1 or 0 for the Admin value in the database, it will only ever redirect to either the admin page or the download page, i.e. I set user agenator to 1 and user scott to 0, but they both go to "form.html". I need to know how to fix this so that the right person gets redirected to the right page. Does anyone know how to do this?
Thanks for your help
 

motogawa

Some simple problems can come from things like '$variable': the ('') quotation marks will not read the variable. For this you can follow this version of your code below!

PHP:
 <?php

include 'config.php';
include 'opendb.php';

mysql_select_db($dbname) or die(mysql_error());

$email = $_POST['email'];
$password = $_POST['password'];
$admin = "select Admin FROM information where email='".$email."' and password='".$password."'";
$query = "select*from information where email='".$email."' and password='".$password."'";
$result = mysql_query($query);
$adminresult = mysql_query($admin);

if (mysql_num_rows($result) != 1)
{
$error = 'Bad Login';
include 'mainpage.html';

}
elseif (mysql_fetch_object($adminresult) == 1){

include "adminpage.html";

}else{



include "form.html";


}
include 'closedb.php';
?>

This should fix the simple DB error but if anything else goes wrong just tell me.
 

Agenator

K, so I tried your code, but now it will only go to the admin page and not the form page lol. So can you still help me? Oh, and if I change the ($adminresult)==0 then it will only go to the form.html page no matter if the Admin value is set to 1 or 0.
 

motogawa

Maybe this would help....

Original
PHP:
elseif (mysql_fetch_object($adminresult) == 1){

include "adminpage.html";

}else{



include "form.html";


}

New
PHP:
elseif (mysql_num_rows($adminresult) == 1){

include "adminpage.html";

}else{



include "form.html";


}
 

woiwky

> Some simple problems can come from things like '$variable': the ('') quotation marks will not read the variable. For this you can follow this version of your code below!

That wouldn't be the case here since the entire string was enclosed in double quotes. So there's no need to concat the variables instead of putting them inside.

Anyway, your problem is that you're retrieving the result row as an object with mysql_fetch_object(), but then you just compare that object to 1. You would need to store it and use the Admin property of it. Like this:

PHP:
...
$adminresult = mysql_fetch_object($adminresult);
...
elseif ($adminresult->Admin) {
    include "adminpage.html";
}
However, I would suggest getting rid of the admin query altogether since you already select all fields with the first query. Try this instead:

PHP:
<?php

include 'config.php';
include 'opendb.php';

mysql_select_db($dbname) or die(mysql_error());

$email = $_POST['email'];
$password = $_POST['password'];
$query = "select*from information where email='$email' and password='$password'";
$result = mysql_query($query);
$user = ($result ? mysql_fetch_object($result) : false);

if (!$user) {
    $error = 'Bad Login';
    include 'mainpage.html';
}
elseif ($user->Admin) {
    include "adminpage.html";
}
else{
    include "form.html";
}
include 'closedb.php';
?>
Also, I would recommend sanitizing $password and $email before using them in a query.
 

Agenator

Lol, I'm a newb at PHP, could you please explain what the little -> does?
Btw, the script works now, I used the 2nd script you listed. Thanks so much!!! (I'm checking all of the little blue tick marks for all 3 of ya)
 

woiwky

There were only 2 of us :p

Anyway, the -> is just used to access properties or methods of an object. Since you used mysql_fetch_object(), the result row is returned as an object with all the fields as properties. Try going here if you really wanna learn about php objects:

http://www.php.net/manual/en/language.oop5.php
 

joeychua

Instead of saving users in different tables, it would be much easier to add a new column which stores the user level. It will be simpler and faster.

There is another problem with your code: make sure to check the values entered by the user before placing them into your SQL statements. This is to prevent a malicious user from using SQL injection on your login page.

For further information, visit http://www.php.net/manual/en/security.database.sql-injection.php
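
The advice in this thread (sanitize $email and $password, and read the Admin field from the fetched row) put together as an added example; it is not code posted by anyone in the thread. It goes one step further than the thread by assuming the password column holds a password_hash() value instead of plaintext. Other assumptions: PHP 7.1+ with the pdo_sqlite extension, an in-memory SQLite table standing in for the MySQL `information` table, a hypothetical function name login_target(), and constructed sample users and inputs.

```php
<?php
// Added example, not code from the thread. An in-memory SQLite database stands in
// for MySQL so the script runs offline; login_target() is a hypothetical name.

function login_target(PDO $db, string $email, string $password): string
{
    // Placeholders keep user input out of the SQL text entirely,
    // so quotes in $email are compared as data, never parsed as SQL.
    $stmt = $db->prepare('SELECT password, Admin FROM information WHERE email = ?');
    $stmt->execute([$email]);
    $user = $stmt->fetch(PDO::FETCH_OBJ);   // false when no row matches

    // Assumption: the password column stores a password_hash() value.
    if (!$user || !password_verify($password, $user->password)) {
        return 'mainpage.html';             // bad login
    }
    // Read the Admin property of the row object; cast because some
    // drivers return integer columns as strings.
    return ((int) $user->Admin === 1) ? 'adminpage.html' : 'form.html';
}

// Constructed sample data mirroring the two users described in the thread.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE information (
    email TEXT PRIMARY KEY, password TEXT NOT NULL, Admin INTEGER DEFAULT 0)');
$insert = $db->prepare('INSERT INTO information (email, password, Admin) VALUES (?, ?, ?)');
$insert->execute(['agenator@example.com', password_hash('admin-pass', PASSWORD_DEFAULT), 1]);
$insert->execute(['scott@example.com', password_hash('user-pass', PASSWORD_DEFAULT), 0]);

// Constructed login attempts: admin, normal user, wrong password, and
// quote-laden input of the kind that would alter a concatenated query.
$attempts = [
    ['agenator@example.com', 'admin-pass'],
    ['scott@example.com', 'user-pass'],
    ['scott@example.com', 'wrong-pass'],
    ["scott@example.com' OR '1'='1", "x' OR '1'='1"],
];
foreach ($attempts as [$email, $password]) {
    echo str_pad($email, 32), ' => ', login_target($db, $email, $password), PHP_EOL;
}
```

With a `mysql:` DSN in place of `sqlite::memory:`, the same function runs against the MySQL table from the thread.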