
I wrote the code of a registration form and a login form using PHP. But every time I run this code it says "invalid username" when it is invalid, or it says "your account isn't approved by admin yet". Can someone please show me how to make the admin approval for the user possible when he logs in? I want my user to be approved by the admin. Notice that the admin must log in in the same form as the user. Here is my registration form:

Here is my login form:

<?php
// Note: the mysql_* extension used here is deprecated since PHP 5.5 and removed in PHP 7.0.
session_start();

$message = '';

// Connect first; the original printed "Could not connect" and then kept querying anyway.
if (!($database = mysql_connect("localhost", "root", ""))
    || !mysql_select_db("st_login", $database)) {
    die("Could not connect");
}

if (isset($_POST['username']) && isset($_POST['password'])) {
    $username = $_POST['username'];
    $password = $_POST['password'];

    if (!empty($username) && !empty($password)) {
        // Unchanged from the question: POST data is interpolated straight into SQL,
        // which is the injection hole the answer below points out.
        $query = "SELECT * FROM `login` WHERE `username`='$username' AND `password`='$password'";
        // Die only when the query actually fails (the original die() ran on success too).
        $result = mysql_query($query, $database) or die(mysql_error());

        $user = mysql_fetch_assoc($result);
        if ($user == false) {
            $message = "invalid username";
        } elseif ($user['admin'] == 1) {
            // header() must be sent before any output, so the form is printed further down.
            header("Location: admin.php");
            exit;
        } elseif ($user['approval'] == 1) {
            // Was $_POST['user'] = ..., which does not survive the redirect; use the session.
            $_SESSION['user'] = $user['username'];
            header("Location: faqja2.php");
            exit;
        } else {
            $message = "Your account isn't approved by admin yet";
        }
    } else {
        $message = "Fill in all blank fields";
    }
}
?>
<html>
<head>
<title></title>
</head>
<body>
<form action='logincontroltest.php' method='post'>
    <p>Username
        <input type='text' name='username' />
    </p>
    <p>Password
        <input type='password' name='password' />
    </p>
    <input type='submit' value='Log In'/>
</form>
<?php if ($message !== '') { echo htmlspecialchars($message); } ?>
</body>
</html>

The code works correctly! And here is the phpMyAdmin database I've created: The database


1 Answer


If I understood correctly, then you can use your "approval" column as a 0|1 boolean (int) flag.

Then add it to the WHERE clause
(Note: it must first be created in the INSERT before this can work).

I.e.:

$query = "INSERT INTO login 
          (firstname, lastname, username, password, cv, email, approval) 
           VALUES ('$firstname', '$lastname', '$username','$password','$cv','$email', 0)"; 

Then, for your SELECT: (sidenote: the 1 means approved, so set your message accordingly).

$query = "SELECT *
            FROM `login` WHERE `username`='$username'
            AND `password`='$password' AND `approval` = 1"; // or 0, depending on the query.

// Die with the MySQL error message if the query itself fails.
$result = mysql_query($query, $database) or die(mysql_error());

// Row-count check; use this if your present mysql_fetch_assoc() test does not work.
if (mysql_num_rows($result) > 0) {
    echo "Your account has been approved.";
} else {
    echo "Your account isn't approved by an admin yet.";
}

Also check for errors against your queries.

Add `or die(mysql_error())` to `mysql_query()` and enable error reporting.

  • You can add in the other parts of your code to what I have given you.

  • I suggest you look at this answer though: https://stackoverflow.com/a/29778421/

  • It uses PDO with a prepared statement and a safe password hashing function.

Notes about SQL injection and password storage.

Your present code is open to SQL injection. Use mysqli_* with prepared statements, or PDO with prepared statements.

Passwords

I also noticed that you may be storing passwords in plain text. This is not recommended.

Use one of the following:

Other links:

Important sidenote about column length:

If and when you do decide to use password_hash(), the compatibility pack or crypt, it is important to note that if your present password column's length is anything lower than 60, it will need to be changed to that (or higher). The manual suggests a length of 255.

You will need to ALTER your column's length and start over with a new hash in order for it to take effect. Otherwise, MySQL will fail silently.

Funk Forty Niner
  • Thank you, but how can I notify the admin to approve this account? – Doggy Jan 16 '16 at 19:48
  • Ok, one last question: how can the computer notice that this user who is logging in is the admin? Should I make a special register form for the admin? – Doggy Jan 16 '16 at 19:53
  • @Doggy another way that this can be done automatically/dynamically would be to send an approval email where the user clicks on a link with a unique random key. If everything matches, then the UPDATE happens. There are many scripts out there and here on Stack. If you need to know if it is the admin, then a column such as "admin" with again a boolean `0|1` flag can be used in a `WHERE` clause. I.e.: `WHERE admin = 1` type of thing. – Funk Forty Niner Jan 16 '16 at 19:55
  • @Doggy addendum to the above. You may have to use 2 separate queries and in a conditional statement. Show them/do something if an admin, and something else if not an admin. – Funk Forty Niner Jan 16 '16 at 19:59
  • Ok, but who is the admin? Where does the program notice that he is different from the other users? Maybe I have to make a new register form for the admin and add an if condition to tell the program that he is the admin? – Doggy Jan 16 '16 at 20:06
  • @Doggy You can either do that, or make the email column a UNIQUE constraint (something you should do and in order to avoid duplicate emails if you're not already doing that), and then the admin him/herself would use their email as part of their login credentials and also use a boolean against "admin" column. Then to check, you can use a `while` loop with an `if` to check against a row if admin = 0 or 1. I.e.: `while($row = mysql_fetch_array($result)){ if($row['admin'] == 1) { echo "You are admin."; } else { echo "Not admin."; } }` type of thing. There are other ways, but that's the basic. – Funk Forty Niner Jan 16 '16 at 20:18
  • I'm trying to do this: `elseif($user['username']=='Doggy' && $user['password']=='doggy'){ $user['admin']==1) echo "admin is logged in"; header("Location: admin.php");` // to tell that Doggy is the admin – Doggy Jan 16 '16 at 21:15
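Putting the answer and the comment thread together (an `approval` flag written as 0 on INSERT, an `admin` flag checked at login instead of a hard-coded username/password pair, PDO prepared statements, and `password_hash()` into a 255-wide column), here is an added, self-contained example; it is not the questioner's or the answerer's code. It uses an in-memory SQLite database so it runs with plain `php file.php` and no MySQL server; the table name `login` and the `username`, `password`, `approval` and `admin` columns follow the question, while the `email` UNIQUE constraint, the `seed_admin()` helper and the sample accounts are assumptions made for the demonstration.

```php
<?php
// Added example, not code from the question or answer. Registration with an
// approval flag, a login that separates admin from ordinary users, and the
// admin approval step, all through PDO prepared statements and password_hash().
// Assumption: in-memory SQLite so the script runs stand-alone. For the MySQL
// database from the question, swap the DSN for
//   new PDO('mysql:host=localhost;dbname=st_login;charset=utf8mb4', $dbUser, $dbPass)
declare(strict_types=1);

function open_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // password is 255 wide as the answer's sidenote requires (a bcrypt hash is 60).
    // The UNIQUE email constraint is an assumption taken from the comment thread.
    $db->exec("CREATE TABLE login (
        id       INTEGER PRIMARY KEY,
        username VARCHAR(64)  NOT NULL UNIQUE,
        email    VARCHAR(255) NOT NULL UNIQUE,
        password VARCHAR(255) NOT NULL,
        approval INTEGER NOT NULL DEFAULT 0,
        admin    INTEGER NOT NULL DEFAULT 0)");
    return $db;
}

// Registration: every account created through the public form starts unapproved.
function register(PDO $db, string $username, string $email, string $password): bool {
    $stmt = $db->prepare('INSERT INTO login (username, email, password, approval, admin)
                          VALUES (:u, :e, :p, 0, 0)');
    try {
        return $stmt->execute([
            ':u' => $username,
            ':e' => $email,
            ':p' => password_hash($password, PASSWORD_DEFAULT),
        ]);
    } catch (PDOException $e) {
        return false; // UNIQUE violation: username or email already taken
    }
}

// Login: returns 'invalid', 'pending', 'user' or 'admin'. The username is a bound
// parameter, so an input such as "' OR 1=1 --" is compared as a literal string.
function login(PDO $db, string $username, string $password): string {
    $stmt = $db->prepare('SELECT password, approval, admin FROM login WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // One message for unknown user and wrong password: do not reveal which it was.
    if ($row === false || !password_verify($password, $row['password'])) {
        return 'invalid';
    }
    if ((int) $row['admin'] === 1) {
        return 'admin';
    }
    return (int) $row['approval'] === 1 ? 'user' : 'pending';
}

// Admin action: flip the flag. The caller must have checked login() === 'admin'
// before exposing this to the request.
function approve(PDO $db, string $username): bool {
    $stmt = $db->prepare('UPDATE login SET approval = 1 WHERE username = :u AND approval = 0');
    $stmt->execute([':u' => $username]);
    return $stmt->rowCount() === 1;
}

// Assumed helper: the single admin is created at install time, not through the
// public form, so "who is the admin" is a row in the database rather than a
// username/password literal in the script.
function seed_admin(PDO $db, string $username, string $email, string $password): void {
    $stmt = $db->prepare('INSERT INTO login (username, email, password, approval, admin)
                          VALUES (:u, :e, :p, 1, 1)');
    $stmt->execute([':u' => $username, ':e' => $email,
                    ':p' => password_hash($password, PASSWORD_DEFAULT)]);
}

// Constructed sample run.
$db = open_db();
seed_admin($db, 'admin', 'admin@example.com', 'change-me-at-install');
register($db, 'alice', 'alice@example.com', 'correct horse battery staple');

echo "alice before approval: ", login($db, 'alice', 'correct horse battery staple'), "\n";
echo "injection attempt:     ", login($db, "' OR 1=1 --", 'x'), "\n";
echo "admin:                 ", login($db, 'admin', 'change-me-at-install'), "\n";
echo "approve alice:         ", approve($db, 'alice') ? 'done' : 'no change', "\n";
echo "alice after approval:  ", login($db, 'alice', 'correct horse battery staple'), "\n";
```

In the real form handler the return value of `login()` is what decides between `header("Location: admin.php")`, `header("Location: faqja2.php")` plus `$_SESSION['user'] = $username`, and the "not approved yet" message, and `approve()` is only reachable from the admin page after the session says the caller is an admin. Notifying the admin of a pending account is a separate step (an e-mail, or an admin page that lists `WHERE approval = 0`) that the code above does not cover.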