0

I am developing a website for testing, with a login page with different access levels for users. The site is connected to a MySQL db which has 3 columns:

user | password | level(1/2)

The code filters out the particular entry from the db, but it doesn't redirect to the particular page. I tested with echo, but at `$count` it shows 0. Please help me sort this out. I am going to use mysqli instead at the launch phase.

```php
session_start();
if ($_SERVER["REQUEST_METHOD"] == "POST") {

    $username = $_POST['username'];
    $password = $_POST['password'];

    $conn = mysql_connect('localhost', 'root', '');
    $db = mysql_select_db('udb', $conn);
    $sql = "SELECT * FROM logins WHERE user ='".$username."' AND password = '".$password."'";
    $result = mysql_query($sql, $conn);
    echo $result;
    $count = mysql_num_rows($result);

    if ($count == 1) {

        $_SESSION['login_user'] = $username;
        while ($row = mysql_fetch_array($result)) {
            if ($row['level'] == '2') {
                header("home2.php");
            } else {
                header("home1.php");
            }
        }
    }
}
```

  • You are using the header function in the wrong way. Try this; `header("location: http://example.com/home2.php");` – Ugur Jun 24 '15 at 13:06
  • If you can, you should [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php). They are no longer maintained and are [officially deprecated](https://wiki.php.net/rfc/mysql_deprecation). Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) [statements](http://php.net/manual/en/pdo.prepared-statements.php) instead, and consider using PDO, [it's really not hard](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard Jun 24 '15 at 13:13
  • [Your script is at risk for SQL Injection.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Jay Blanchard Jun 24 '15 at 13:13
  • [Don't limit passwords](http://jayblanchard.net/security_fail_passwords.html) and [use the proper methods to hash passwords with PHP](http://jayblanchard.net/proper_password_hashing_with_PHP.html). – Jay Blanchard Jun 24 '15 at 13:13
  • Ugur & Jay, thanks a lot. Yes, I already mentioned that I used mysql_* for testing :-) , at the launch I'm going to use mysqli_* – Prabhath Wickramathilaka Jun 24 '15 at 13:54

4 Answers

1

Your `echo $result;` will prevent any further redirect down in the code. It is due to the fact that redirects are managed using headers... but since you output some data... headers cannot be managed.

Scalable
1

No need to give the connection variable in mysql_query(), and in the header function you forgot to pass location.

```php
$sql = "SELECT * FROM logins WHERE user ='".$username."' AND password = '".$password."'";
$result = mysql_query($sql);
//echo $result;
$count = mysql_num_rows($result);

if ($count == 1) {

    $_SESSION['login_user'] = $username;
    while ($row = mysql_fetch_array($result)) {
        if ($row['level'] == '2') {
            header("location:home2.php");
        } else {
            header("location:home1.php");
        }
    }
}
```

Vivek Singh
0

You need to use location if you want your redirects to work.

```php
if ($row['level'] == '2') {
    header("location: home2.php");
} else {
    header("location: home1.php");
}
```

Your script is at risk for SQL Injection.

If you can, you should stop using mysql_* functions. They are no longer maintained and are officially deprecated. Learn about prepared statements instead, and consider using PDO, it's really not hard.

Finally, you should use the proper methods to hash passwords with PHP. The way that you're handling login is extremely insecure.

Community
Jay Blanchard
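
A hardened version of the login check along the lines the answer above recommends (PDO prepared statement, `password_hash()`/`password_verify()`, a `Location` header sent before any output), as an added example that is not part of the original answer. In-memory SQLite stands in for the MySQL database so it runs offline; the function names, sample users and passwords are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Returns the user's access level (1 or 2), or null if the login fails.
function authenticate(PDO $pdo, string $username, string $password): ?int
{
    // The placeholder sends $username as data, so quotes in it cannot alter the SQL.
    $stmt = $pdo->prepare('SELECT password, level FROM logins WHERE user = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // The password column holds a password_hash() value, never the plain text.
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    return (int) $row['level'];
}

// Page names are the ones used in the question.
function homePageFor(int $level): string
{
    return $level === 2 ? 'home2.php' : 'home1.php';
}

// Constructed demo data: in-memory SQLite stands in for the MySQL database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE logins (user TEXT PRIMARY KEY, password TEXT, level INTEGER)');
$insert = $pdo->prepare('INSERT INTO logins (user, password, level) VALUES (?, ?, ?)');
$insert->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT), 2]);
$insert->execute(["o'neil", password_hash('battery staple', PASSWORD_DEFAULT), 1]);

// Constructed login attempts: two valid, one wrong password, one unknown user.
$attempts = [['alice', 'correct horse'], ["o'neil", 'battery staple'],
             ['alice', 'wrong'], ['mallory', 'x']];
foreach ($attempts as [$user, $pass]) {
    $level = authenticate($pdo, $user, $pass);
    // In the real page, on success and before any output is sent:
    //   session_regenerate_id(true); $_SESSION['login_user'] = $user;
    //   header('Location: ' . homePageFor($level)); exit;
    echo $user, ' => ', $level === null ? 'rejected' : homePageFor($level), PHP_EOL;
}
```

The user name containing an apostrophe logs in normally here, whereas the string-concatenated query in the question would produce broken SQL for the same input.
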
-1

Place the user and password in backticks (the apostrophe marks on the left of key 1).

Gideon Appoh