control php page by different user level logged in (not working)

Question

Basically I try to make this code to navigate in a different php page.. Thi is verify_user.php

$con = mysqli_connect("localhost", "root", "****", "myDB");
if (!$con){
    die("Connection to database failed: " . mysqli_connect_error());
}

$uname=$_POST['u_name'];
$pass=$_POST['pass'];

$qry = mysqli_query($con, "SELECT * FROM login WHERE user='$uname'");

if(!$qry){
    die("Query Failed: ". mysql_error());
} else {
    $row = mysqli_fetch_array($qry);

        if($_POST['u_name'] == $row["user"] && $_POST['pass'] == $row["password"]) {
            if ($_POST['u_name'] = "admin") {
                session_start();
                $_SESSION['name'] = $_POST['u_name'];
                header("Location:admin_panel.php");
            } else {    
                session_start();
                $_SESSION['name']=$_POST['u_name'];
                header("Location:main.php");
            }       
        } else {
            header("Location:main.php?id=Worng ID / Password!");
        }
    }
    ?>

From this code as we can see, if the user is admin, it should go to admin_panel.php. And if the user is not admin, its should go to main.php. For further explanation; thi is my admin_panel.php

<?php
session_start();
if(isset($_SESSION['name'])){
   if(!$_SESSION['name']=='admin'){
?>



<!-- HTMML CODE -->



<?php
   }
   else
      header("Location:index.php?id=Only for admin.");
}
else
{
header("Location:index.php?id=Only for admin.");
}
?>

But its not working...

Two else? A header after the content? Read the docs first of all! And where's your question? Which code is not working? — idmean, Nov 09 '13 at 10:43
$_POST['u_name'] = "admin" must be $_POST['u_name'] == "admin" — Alireza, Nov 09 '13 at 10:43
@wumm when i log into the system, it keeps staying in login page — Alieym, Nov 09 '13 at 10:46
Are you really sure there is no output before the `header()` (even a white space is an output!) — idmean, Nov 09 '13 at 10:48
@wumm yes, but in my original code (before i decide to add admin page), only have if and else -- that one is working very well — Alieym, Nov 09 '13 at 10:53
if($_POST['u_name'] == $row["user"] && $_POST['pass'] == $row["password"]) { session_start(); $_SESSION['name']=$_POST['u_name']; $uname = $_POST['u_name']; header("Location:main.php"); } else { header("Location:main.php?id=Password / ID Wrong."); } — Alieym, Nov 09 '13 at 10:55
header("Location:index.php?id=" . urlencode('Only for admin')); — Developerium, Nov 09 '13 at 10:55
Are you seeing any error messages? Try turning them on with `error_reporting(E_ALL);` in the first line of your code. — idmean, Nov 09 '13 at 10:57
@wumm where should i put that code? and where can i see that error message? — Alieym, Nov 09 '13 at 11:14
Put it in the admin login code in the first line. The error messages should appear on your site, if you open it in the browser. — idmean, Nov 09 '13 at 11:33
[How can I prevent SQL injection in PHP?](http://stackoverflow.com/q/60174/53114) — Gumbo, Nov 09 '13 at 11:52

Tom Tom · Accepted Answer · 2013-11-11T14:22:03.460

Change

if ($_POST['u_name'] = "admin") {

To

if ($_POST['u_name'] == "admin") {

Change

 if(!$_SESSION['name']=='admin'){

To

 if($_SESSION['name']=='admin'){

In fact you could change

<?php
session_start();
if(isset($_SESSION['name'])){
   if(!$_SESSION['name']=='admin'){
?>



<!-- HTMML CODE -->



<?php
   }
   else
      header("Location:index.php?id=Only for admin.");
}
else
{
header("Location:index.php?id=Only for admin.");
}
?>

To

<?php
session_start();
if(isset($_SESSION['name']) && $_SESSION['name'] == 'admin'){
?>



<!-- HTMML CODE -->



<?php
}
else
{
header("Location:index.php?id=Only for admin.");
}
?>

Also, this really isn't great

header("Location:index.php?id=Only for admin.");

You shouldn't have spaces in an url

And BTW this code would be vulnerable to SQL injections.

control php page by different user level logged in (not working)

1 Answers1