1

I'm making a website and I need a login file to redirect administrators and clients to their respective accounts.

It is supposed to verify both tables and see if email corresponds to password.

Here's what I already have

<?php
include "data-base.php";
if($_SESSION){
header("location: index.php?site=perfil");
    echo "<script>window.location.href = \"index.php?site=login&erro=3\";</script>";
}
$result = mysql_query("select * from admin, clients where email='".$_POST['email']."' and password='".$_POST['password']."'");
if (mysql_num_rows($result)>0)
{
$linha = mysql_fetch_array($result);
$_SESSION['id']=$linha['id'];
if($linha['email'] = "admin") {
    header("location: admin.php?id=".$linha['id']."");
} else {
    header("location: client.php?id=".$linha['id']."");
}
} else {
echo "<script type=\"text/javascript\">alert(\"Incorrect email or password\"); window.location = 'index.php';</script>";
}
?>
  • 5
    `if($linha["email"] = "admin") {` you're assigning instead of comparing. – Funk Forty Niner May 27 '14 at 00:01
  • You need an SQL JOIN, look it up! – meda May 27 '14 at 00:05
  • 2
    So nobody's mentioning sql injection and deprecated APIs? – Strawberry May 27 '14 at 00:10
  • Change your database structure? Maybe add a boolean that represents that a user is an administrator. – Pakspul May 27 '14 at 12:21
  • Please be aware that the mysql extension (supplying the `mysql_` functions) has been deprecated since 2012, in favor of the mysqli and PDO extensions. Its use is highly discouraged. See http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php – Oldskool May 27 '14 at 13:06

3 Answers

1

I think it's better to slice one query into two parts. First, try to get rows from the "admin" table. If mysql_num_rows == 0, then get rows from users. If empty, show the message about wrong login & password.

// Check the admin table first.
$q = "SELECT * FROM admin WHERE email = '".$_POST["email"]."' AND password ='".$_POST["password"]."'";
$result = mysql_query($q);
// mysql_query() returns a result resource, so count its rows with mysql_num_rows().
if(mysql_num_rows($result) !== 0){
    header("put admin URL here");
} else {
    // No admin row matched, so try the clients table.
    $q = "SELECT * FROM clients WHERE email = '".$_POST["email"]."' AND password ='".$_POST["password"]."'";
    $result = mysql_query($q);
    if(mysql_num_rows($result) !== 0){
        header("put clients URL here");
    } else {
        print_r("wrong email&pass");
    }
}

Sorry about the formatting, I'm on my phone.

Funk Forty Niner
Zhooravlik
1
"select * from admin, clients where (admin.email='".$_POST['email']."' OR
clients.email='".$_POST['email']."') AND (admin.password='".$_POST['password']."' OR
clients.password='".$_POST['password']."')";

In this question, you can also use a column to enter the user type rather than using two tables. If so, you can then run the statement below.

"select * from admin_clients_table where email='".$_POST['email']."' AND
password='".$_POST['password']."'";

Since the question was how to select from multiple tables, you can do as follows:

"select table1.column1, table1.column2, table2.column1, table2.column3 from table1,
 table2 where (table1.column4 = table3.column1 and table2.column2 = 'value1') or
 table3.column1 = 'value2' order by table1.id desc limit 0,100";
Janaka R Rajapaksha
0

There is a small error in your script.

if($linha["email"] = "admin")

should be

if($linha["email"] == "admin")

With 1 = all you are doing is saying $linha["email"] should become "admin". With 2 = you are comparing $linha["email"] and $linha["email"].

So in other words if $linha["email"] is the same as $linha["email"]

Hope this helps you on your way.

Also, you need to change your query and join the two tables.

$result = mysql_query("SELECT * from admin, clients 
                       WHERE email='".$_POST['email']."' 
                       AND password='".$_POST['password']."'");
Coolen
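
The comments under the question raise SQL injection and the deprecated `mysql_` API, which none of the answers address. The following is an added example, not code from the question or any answer: it checks both tables with PDO prepared statements and `password_verify()`. The function name `authenticate`, the sample accounts, and the in-memory SQLite database standing in for the MySQL connection are assumptions made for illustration.

```php
<?php
// Added example, not code from the question or answers.
// Assumptions: an in-memory SQLite database stands in for the MySQL connection
// in data-base.php; the password column stores password_hash() output.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample data.
foreach (['admin', 'clients'] as $table) {
    $pdo->exec("CREATE TABLE $table (id INTEGER PRIMARY KEY, email TEXT UNIQUE, password TEXT)");
}
$ins = $pdo->prepare('INSERT INTO admin (email, password) VALUES (?, ?)');
$ins->execute(['root@example.test', password_hash('admin-secret', PASSWORD_DEFAULT)]);
$ins = $pdo->prepare('INSERT INTO clients (email, password) VALUES (?, ?)');
$ins->execute(['bob@example.test', password_hash('client-secret', PASSWORD_DEFAULT)]);

/**
 * Returns ['role' => 'admin'|'client', 'id' => int] on success, null otherwise.
 */
function authenticate(PDO $pdo, string $email, string $password): ?array
{
    // Table names come from this fixed list, never from user input.
    foreach (['admin' => 'admin', 'clients' => 'client'] as $table => $role) {
        $stmt = $pdo->prepare("SELECT id, password FROM $table WHERE email = ?");
        $stmt->execute([$email]); // bound parameter: the input is data, not SQL
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        // The role is decided by which table matched, not by the email value.
        if ($row !== false && password_verify($password, $row['password'])) {
            return ['role' => $role, 'id' => (int) $row['id']];
        }
    }
    return null;
}

// Constructed login attempts, including a classic injection string.
$attempts = [
    ['root@example.test', 'admin-secret'],
    ['bob@example.test', 'client-secret'],
    ['bob@example.test', 'wrong'],
    ["' OR '1'='1", "' OR '1'='1"],
];
foreach ($attempts as [$email, $password]) {
    $user = authenticate($pdo, $email, $password);
    // In the login script: session_regenerate_id(true), store id and role in
    // $_SESSION, send the Location header for that role, then exit.
    echo str_pad($email, 20), ' => ', $user ? $user['role'] . ' #' . $user['id'] : 'rejected', PHP_EOL;
}
```

Keeping the role in the session rather than trusting an `id` passed in the redirect URL means `admin.php` and `client.php` can re-check authorization on every request.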