User/Admin Log-In form Php, MySQL

Question

I'm doing on this project and I find it hard to find the right answer to my question. I've googled for answers but none of them worked, I also tried to alter the codes but still it's not working properly. This is how I plan my project. A user/admin will log in one log-in form then it will redirect whether the input is for admin or normal user.

I've created a table named users, a table named info. In the info table, there is username(varchar), password(varchar) and admin_level(int).

Here's my html and php script:

<form method='post' action='login.php'>
<div id='userLogIn'>User LogIn</div>
Username <input type=text name=username> </br>
Password <input type=password name=password></br>
    <input type=submit name=submit value='Log in'>
</div>

<?php
if(isset($_POST['submit']))
{
    $a = $_POST['username'];
    $b = $_POST['password'];
    include("dbconnect.php");
    $sql = "SELECT * FROM info 
                     WHERE username 
                     LIKE '$a' AND password LIKE '$b' 
                     AND admin_level LIKE 1";
    $result=mysql_query($sql);

    $count = mysql_num_rows($result);

    $rows=mysql_fetch_array($result);
    if ($count == 1) {

    if ($rows['admin_level'] == 1) {
        header ("Location:adminPage.php");
    }
    else  {
        header ("Location:userPage.php");
        }
    }
    else {
        print "<font color=red>Username/Password Combination Error</font>";
    }

}

The MySQL API is depreciated. It is highly recommended to switch to the improved MySQLi API. — OllyBarca, Feb 18 '14 at 16:15
I've altered my MySQL code with "SELECT * FROM info WHERE username=$a AND password=$b AND admin_level=1" Yet still not working. :( — user3324227, Feb 18 '14 at 16:17
See this post why you don't use this approach http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php?rq=1 — Ragen Dazs, Feb 18 '14 at 16:22

score 3 · Accepted Answer · answered Feb 18 '14 at 16:16

Don't use mysql_* functions. As you're learning from the beginning, it's the best time to start avoiding mysql_* functions. Start with PDO or mysqli_ instead
To match username/password, don't use LIKE, use = instead. so instead of, $sql = "SELECT * FROM info WHERE username LIKE '$a' AND password LIKE '$b' AND admin_level LIKE 1"; write, $sql = "SELECT * FROM info WHERE username = '$a' AND password = '$b'";

Fetch data from table only when there's at least 1 row. So, instead of these,

$count = mysql_num_rows($result);

$rows=mysql_fetch_array($result);
if ($count == 1){

    if ($rows['admin_level'] == 1) {
        header ("Location:adminPage.php");
    } else  {
        header ("Location:userPage.php");
    }
}

write,

    if (mysql_num_rows($result) > 0 ){
        $rows=mysql_fetch_array($result);

        if ($rows['admin_level'] == 1) {
            header ("Location:adminPage.php");
        } else  {
            header ("Location:userPage.php");
        }
    }

Akhil Sidharth · Answer 2 · 2014-02-18T16:27:50.813

try this

<form method="post" action="">
<div id='userLogIn'>User LogIn</div>
Username <input type="text" name="username"> </br>
Password <input type="password" name="password"></br>
<input type="submit" name="submit" value="Log in">
</div>

<?php
include("dbconnect.php");
if(isset($_POST['submit']))
{
    $username = mysql_real_escape_string($_POST['username']);
    $user_pass = mysql_real_escape_string($_POST['password']);
    $sql = "SELECT * FROM info WHERE username='".$username."' and password='".$user_pass."'";
    $result=mysql_query($sql);
    $count = mysql_num_rows($result);
    if($count==1){
        $rows=mysql_fetch_array($result);
        if ($rows['admin_level']==1) {
            header ("Location:adminPage.php");
        }
        else{
            header ("Location:userPage.php");
        }
    }
    else{
        print "<font color=red>Username/Password Combination Error</font>";
    }
}

Thank you to all who helped. It is really appreciated thank you. :) — user3324227, Feb 18 '14 at 16:26

score 0 · Answer 3 · edited May 23 '17 at 12:28

0

I highly recommend you read the history of this posts before continuing to go down by this path:

Your code is liable to be broken by using simple techniques of SQL Injection - since your variables are not sanitized or filtered.

Besides making your code work, you need to understand that there is no safe and secure to do so.

Once you are aware of the consequences that possession be from a leak information from your database to a full drop from your base.

edited May 23 '17 at 12:28

Community

1
1

answered Feb 18 '14 at 16:29

Ragen Dazs

2,115
3
28
56

I think MySQLi looks interesting but, can you send a link for some articles which I can understand it deeper? Thank you in advance – user3324227 Feb 18 '14 at 16:35
This article was not written in English, but has several didact examples http://translate.google.com.br/translate?sl=pt&tl=en&js=n&prev=_t&hl=pt-BR&ie=UTF-8&u=http%3A%2F%2Fwww.vivaolinux.com.br%2Fartigo%2FTratamento-de-dados-fornecidos-pelo-usuario-projetando-sistemas-com-mais-seguranca%2F%3Fpagina%3D5&act=url – Ragen Dazs Feb 18 '14 at 16:49

score 0 · Answer 4 · answered Feb 18 '14 at 16:32

This is what i do: First take the input from the form and establish variables.`

    $VerifyCredentials = AttemptSignIn($Username, $Password);
    if ($VerifyCredentials){
        //Success, store username in session
        //Mark user as signed in
        $_SESSION[Username] = $Username;
        RedirectTo("homepage.php");
        }else {
            //Failure
            $_SESSION["message"] = "Username/Password not found.";
            }
}
?>`

Here, there are some functions i made. The above function adds the username to the session for further page access (Which some pros would not recommend, for it has a slightly lesser security level), otherwise it sends a failure message.

Also always remember to use mysqli_real_escape_string() to protect against sql injection. Now i dont think you are encrypting the passwords, so i won't trouble you with that step.

Here is the attempt sign in function: I also have a table called users

global $connection; //I have a connection variable which establishes the connection.
//Test if connection was successful
if(mysqli_connect_errno()){
    die("Database connection failed: " . 
        mysqli_connect_error() . 
        " (" . mysqli_connect_errno() . ")"
        );
    }
    $SafeUsername = mysqli_real_escape_string($connection, $Username);
    $Query = "Select * ";
    $Query .= "From users ";
    $Query .= "Where username = '{$SafeUsername}' ";
    $Query .= "Limit 1";

$UserSet = mysqli_query($connection, $Query);
ConfirmQuery($UserSet);
if ($User = mysqli_fetch_assoc($UserSet)){
    return $User;
    }else {
        return null;
        }

}

function PasswordCheck($Password, $ExistingPassword) {
if ($Password === $ExistingPassword){
    return true;
    }else {
        return false;
        }
}

//First find the user
    $User = FindUsername($Username);
    if ($User){
    //User found, now compare the password
    if (PasswordCheck($Password, $User["password"])){
        //password matches
        return $User;
        }else //password does not match
        return false;
    }else {
        //User not found
        return false;
        }  
}

User/Admin Log-In form Php, MySQL

4 Answers4