<?php
ob_start();
include 'connection.php';

$user_id = $_POST ['user_id'];
$username = $_POST['username'];
$password = $_POST['password'];


$query = "SELECT *  FROM Register WHERE username= '$username' AND  Password = '$password' ";

$result = mysqli_query($connection, $query) or exit("Error in the query: $query. " .     mysqli_error());



$row = mysqli_fetch_assoc($result);



if ($row ) {
$_SESSION['username'] = $username;
echo '' . $username . '';
 &&  ($row ) {
$_SESSION['user_id'] = 1;
header('Location: AdminPage.php');
}


else if ($row ) {
$_SESSION['username'] = $username;
echo '' . $username . '';
header('location:Login.php');
 && ($row ) {
$_SESSION['user_id'] = > 1;
header('Location: ProtectedPage.php');
}

?>

Can you help me with what is wrong with this code? I'm trying to make it detect what is a user and what is an admin, then direct it to the correct page. Please, if you are here just to rant about how vulnerable my code is to SQL injections, I really couldn't care less, as this is for a project and I do not require it to be protected.

Sparky
LEWISC94

1 Answer


Most likely you are looking for something like this:

if ( $row && is_array($row) && isset($row['username']) && isset($row['user_id'])) {
  $_SESSION['username'] = $row['username'];
  $_SESSION['user_id']  = $row['user_id'];
  if ( 1==$row['user_id'] )
    header('Location: AdminPage.php');
  else
    header('Location: ProtectedPage.php');
} else {
  header('Location: Login.php');
}

This assumes that the user_id is stored inside the database and that user_id 1 indicates that this is "the" admin account.

arkascha
  • OK, thanks, so this code should work. If I wanted to add error codes into this when the password is wrong, how would I do that? – LEWISC94 Apr 16 '14 at 21:21
  • I've tried your code, but what it's doing is counting everything as an admin. I tried an account with user_id 2 and it took me to the admin page instead of the protected page. Any ideas? – LEWISC94 Apr 16 '14 at 21:27
  • Well currently a redirection header is sent, redirecting to the `Login.php` page. You cannot combine such a header and a message. You could add a message to the url you redirect to, so something like `header('Location: Login.php?message=login%20failed!');`, but that is not really elegant. Anyways, I suggest you first get this to work, then you go on with the next steps. One thing at a time. – arkascha Apr 16 '14 at 21:28
  • The condition correctly tests for user_id 1. So if you are always redirected to page `AdminPage.php` then most likely your SQL query is wrong. Try dumping the `$row` you get back from the query. – arkascha Apr 16 '14 at 21:29
  • All right, I understand that, but what about the other comment I've made about every user now being redirected to AdminPage? – LEWISC94 Apr 16 '14 at 21:30
  • Also I see in your edited question that you accept a user_id from the client: `$user_id = $_POST ['user_id'];`. That does not make any sense, sorry. You have to rely on the user_id from the database, otherwise a client could specify whatever user_id he likes to! – arkascha Apr 16 '14 at 21:31
  • How do I dump the $row? Sorry, I'm a bit of a noob with PHP. – LEWISC94 Apr 16 '14 at 21:32
  • I suggest you start using google for such questions: "php dump variable"... Sorry, but I cannot give you an introduction into programming here... – arkascha Apr 16 '14 at 21:32
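An added example, not code from the question or the answer, showing the answer's routing logic together with the two points raised in the comments: the role comes only from the database row (never from a client-supplied user_id), and the query is a prepared statement rather than string interpolation. It swaps mysqli for PDO on an in-memory SQLite table named after the question's `Register` table so it runs stand-alone; with MySQL only the DSN changes. The sample accounts and passwords are constructed.

```php
<?php
// Added example (not from the question or the answer). PDO + in-memory SQLite
// is used so the script runs stand-alone; for MySQL only the DSN changes.
// Table/column names follow the question; "user_id 1 is the admin" follows the answer.

function makeDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE Register (user_id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)');
    $ins = $db->prepare('INSERT INTO Register (user_id, username, password) VALUES (?, ?, ?)');
    // Constructed sample accounts; password_hash() stores a salted hash, not the plaintext.
    $ins->execute([1, 'admin', password_hash('admin-pass', PASSWORD_DEFAULT)]);
    $ins->execute([2, 'alice', password_hash('alice-pass', PASSWORD_DEFAULT)]);
    return $db;
}

// Returns the matching row on success, null otherwise. The username is a bound
// parameter, so whatever the client types is compared as data, not parsed as SQL.
function authenticate(PDO $db, string $username, string $password): ?array {
    $stmt = $db->prepare('SELECT user_id, username, password FROM Register WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;   // unknown user or wrong password: same outcome for both
    }
    return $row;
}

// Picks the redirect target from the database row only; nothing posted by the
// client (such as a user_id form field) takes part in the decision.
function landingPage(?array $row): string {
    if ($row === null) {
        return 'Login.php';
    }
    return ((int)$row['user_id'] === 1) ? 'AdminPage.php' : 'ProtectedPage.php';
}

$db = makeDb();
foreach ([['admin', 'admin-pass'], ['alice', 'alice-pass'], ['alice', 'wrong']] as [$u, $p]) {
    $row = authenticate($db, $u, $p);
    // In the real page, after session_start():
    //   $_SESSION['user_id'] = $row['user_id']; header('Location: ' . landingPage($row)); exit;
    printf("%-6s -> %s\n", $u, landingPage($row));
}
```

Requires PHP 7.1+ with the pdo_sqlite extension; expected output is admin -> AdminPage.php, alice -> ProtectedPage.php, and the wrong-password attempt -> Login.php.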