
I have a users table with this structure:

id
username
password
dealer (admin)

Now I want to check on login whether the user is a dealer. The dealer column can hold a value of 0 (normal user) or 1 (admin), but I have no idea how to do this (I'm new to PHP).

This is the login form:

    <form action="index.php?action=login" method="post" style="width: 50%;">
        <input type="hidden" name="login" value="true" />

        <?php if ( isset( $results['errorMessage'] ) ) { ?>
        <div class="errorMessage"><?php echo $results['errorMessage'] ?></div>
        <?php } ?>

        <ul>

          <li>
            <label for="username">Username</label>
            <input type="text" name="username" id="username" placeholder="Uw gebruikersnaam" required autofocus maxlength="20" />
          </li>

          <li>
            <label for="password">Password</label>
            <input type="password" name="password" id="password" placeholder="Uw wachtwoord" required maxlength="20" />
          </li>

        </ul>

        <div class="buttons">
          <input type="submit" name="login" value="Login" />
        </div>

    </form>

And this is the login function:

    function login() {

        $results = array();
        $results['pageTitle'] = "Admin Login | Gemeente Urk";

        $host = "localhost";
        $mysqluser = "root";
        $mysqlpass = "usbw";
        $db = "wagenpark";

        mysql_connect($host, $mysqluser, $mysqlpass);
        mysql_select_db($db);

        if ( isset( $_POST['login'] ) ) {

            $gebruiker = $_POST['username'];
            $wachtwoord = $_POST['password'];
            $sql = "SELECT * FROM users WHERE username='".$gebruiker."' AND password='".$wachtwoord."' LIMIT 1";
            $res = mysql_query($sql) or die (mysql_error());
            if (mysql_num_rows($res) == 1) {
                $_SESSION['username'] = $gebruiker;
                header( "Location: index.php" );

            } else {

                // Login failed: display an error message to the user
                $results['errorMessage'] = "Incorrect username or password. Please try again.";
                require( TEMPLATE_PATH . "/admin/loginForm.php" );
            }

        } else {

            // User has not posted the login form yet: display the form
            require( TEMPLATE_PATH . "/admin/loginForm.php" );
        }

    }

Thanks already.

Rudie Visser
  • [Your code is vulnerable to SQL injection](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – PeeHaa Feb 08 '15 at 15:02

1 Answer

If I understand that right, you have a MySQL database where you save the username, id, password and whether he/she is an admin. In this part:

    $res = mysql_query($sql) or die (mysql_error());
    if (mysql_num_rows($res) == 1) {
        $_SESSION['username'] = $gebruiker;
        header( "Location: index.php" );

You could just get the admin value from the result. It would probably look like this:

    $res = mysql_query($sql) or die (mysql_error());
    if (mysql_num_rows($res) == 1) {
        $_SESSION['username'] = $gebruiker;
        // LIMIT 1 returns at most one row; read the admin flag from it.
        // The column is called `dealer` in the question's users table.
        $admin = 0;
        while ($row = mysql_fetch_object($res)) {
            $admin = $row->dealer;
        }
        if ($admin == 1) {
            // Do something for an admin...
        } else {
            // Do something if he is not an admin
        }
        header( "Location: index.php" );
    }

And then you could save that into the $_SESSION.

I hope that helped. If it doesn't work, please tell me.

Max Rumpf
  • Can I fetch the admin value with the result of the query? I didn't include the field in the query but can I still use it? – Rudie Visser Feb 08 '15 at 15:04
  • I tried it and I get this error: Notice: Trying to get property of non-object in C:\Users\Rudie\Documents\Wagenpark\root\index.php on line 55 – Rudie Visser Feb 08 '15 at 15:07
  • Well, the query gets all Fields of your User's Row. – Max Rumpf Feb 08 '15 at 15:10
  • Just a security tip: if you want to protect the passwords of your users, you can use the md5() method. It generates a hash that you can't reproduce. So if the user registers, you can save their password directly as an md5() hash, and if they log in, you turn the password they submitted into an md5() hash and check if the hash of the password they submitted is the same as the one in the database. These md5() hashes always stay the same for the same word. Some more on md5 hashes: http://www.w3schools.com/php/func_string_md5.asp – Max Rumpf Feb 08 '15 at 15:23
  • Thanks, but this is just a private school project of mine, it's not going on a website. If I were doing that I'd make sure the passwords were protected :) – Rudie Visser Feb 08 '15 at 15:29
  • Okay, Good Luck :) And if you need some kind of Design-Template to let your project look better without having to design it on your own, let me know. I know of a bunch of beautiful Templates. Some examples: http://getbootstrap.com/ http://html5up.net/ http://startbootstrap.com/template-overviews/sb-admin/ – Max Rumpf Feb 08 '15 at 16:10
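As an added example that is not part of the question or the answer: the login check the question asks for (look the user up, read the `dealer` column, keep it in the session) written so that it also addresses the two points raised in the comments, the SQL injection in the concatenated query and the plaintext password comparison. It uses PDO prepared statements, so user input is bound as a parameter and never spliced into the SQL, and PHP's built-in `password_hash()`/`password_verify()` rather than `md5()`, since those functions are salted and slow by design. The in-memory SQLite database, the two sample accounts and their passwords are constructed here so the script runs offline; the function names `makeSampleDb`, `authenticate`, `startUserSession` and `isDealer` are this example's own, not the project's.

```php
<?php
// Added example (not the question's or answer's code): an admin-flag login
// check over the question's users table using prepared statements and hashed
// passwords. The SQLite database and sample users below are constructed for
// the demo; the real application would connect to its MySQL database instead.

declare(strict_types=1);

function makeSampleDb(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Same columns as the question's table: dealer is 0 (normal user) or 1 (admin).
    $pdo->exec('CREATE TABLE users (
        id       INTEGER PRIMARY KEY,
        username TEXT    NOT NULL UNIQUE,
        password TEXT    NOT NULL,
        dealer   INTEGER NOT NULL DEFAULT 0
    )');
    $stmt = $pdo->prepare('INSERT INTO users (username, password, dealer) VALUES (?, ?, ?)');
    // Constructed sample accounts; only the password hash is stored, never the password.
    $stmt->execute(['alice', password_hash('alice-secret', PASSWORD_DEFAULT), 1]);
    $stmt->execute(['bob',   password_hash('bob-secret',   PASSWORD_DEFAULT), 0]);
    return $pdo;
}

/**
 * Verify the credentials and return ['username' => ..., 'dealer' => 0|1] on
 * success, or null on failure. The row is selected by username only, with the
 * value bound as a parameter, so user input never becomes part of the SQL text.
 */
function authenticate(PDO $pdo, string $username, string $password): ?array
{
    $stmt = $pdo->prepare('SELECT username, password, dealer FROM users WHERE username = ? LIMIT 1');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // An unknown user and a wrong password both give the same generic failure,
    // so the response does not reveal which of the two was wrong.
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    return ['username' => $row['username'], 'dealer' => (int) $row['dealer']];
}

/** Store the authenticated user in the session; index.php would call this before redirecting. */
function startUserSession(array $user): void
{
    if (session_status() === PHP_SESSION_NONE) {
        session_start();
    }
    session_regenerate_id(true);          // fresh session id once the user is logged in
    $_SESSION['username'] = $user['username'];
    $_SESSION['dealer']   = $user['dealer'];
}

/** Admin-only pages check the flag stored at login, never anything sent by the client. */
function isDealer(): bool
{
    return isset($_SESSION['dealer']) && $_SESSION['dealer'] === 1;
}

// Stand-alone demonstration with the constructed accounts; the last attempt is the
// classic quote-injection string, which is now just an unknown username.
$pdo = makeSampleDb();
$attempts = [
    ['alice', 'alice-secret'],
    ['bob',   'bob-secret'],
    ['alice', 'wrong-password'],
    ["x' OR '1'='1", 'anything'],
];
foreach ($attempts as [$u, $p]) {
    $user = authenticate($pdo, $u, $p);
    echo str_pad($u, 16), ' => ', $user === null ? "login failed\n" : "ok, dealer={$user['dealer']}\n";
}
```

Run it with `php example.php` (the `pdo_sqlite` extension must be enabled). Registration would store `password_hash($wachtwoord, PASSWORD_DEFAULT)` in the `password` column, and the question's `login()` would call `authenticate()` followed by `startUserSession()` before the `header("Location: index.php")` redirect; admin-only pages then test `isDealer()` instead of re-reading the database on every request.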