
I am constructing a social networking site. Users who register and log in correctly are redirected to home.php with a $_SESSION made accordingly.

But I have manually made an admin user with the username of freddy (the username is required to log in). What I am trying to state is that "if the username is equal to freddy, then take him to admin_home.php".

What I have tried is to create two separate $_SESSION's.

$_SESSION created for normal user:

    // if the user credentials are correct, log the user in:
    $_SESSION["user_login"] = $user_login;
    header("Location: home.php"); // refresh page
    exit;
    }

$_SESSION created for admin:

    if ($account_type == "admin") {
        // Create separate session for admin
        $_SESSION["user_login"] = $admin_login;
        header("Location: admin_home.php"); // refresh page
        exit;
    }

Full query:

    <?php
    $user_query = mysqli_query($connect, "SELECT * FROM users WHERE username = '$user_login' AND password = '$decrypted_password' AND closed='no' LIMIT 1");
    $check_for_user = mysqli_num_rows($user_query); // checking to see if there is in fact a user with those credentials in the DB
    if ($check_for_user == 1) {
        while ($row = mysqli_fetch_array($user_query)) {
            $user_id = $row['id'];
            $account_type = $row['account_type'];
        }
        // if the user credentials are correct, log the user in:
        $_SESSION["user_login"] = $user_login;
        header("Location: home.php"); // refresh page
        exit;
    }

    if ($account_type == "admin") {
        // Create separate session for admin
        $_SESSION["user_login"] = $admin_login;
        header("Location: admin_home.php"); // refresh page
        exit;
    }
    else {
        // if user row does not equal 1 ...
        echo "<div class='wrong_login'>
                <p> Username or password is incorrect, please try again. </p>
              </div>";
        exit();
    }
    }
    ?>

With the current code, logging in with the username freddy, which should take me to admin_home.php, takes me to home.php, which is not what I want.

Freddy
    Since you have a `header` (and an `exit`), it doesn't even reach the admin part... You could check if the user is **not** admin before redirecting to regular `home`. – FirstOne Mar 07 '16 at 16:04
  • (I don't know if you are already doing it but) Since you have two pages for different user 'level', you **have** to check again if the user is admin on the `admin_home.php` page. Otherwise someone could just login with regular user credentials and manually go to `admin_home.php`. – FirstOne Mar 07 '16 at 16:06

1 Answer

First a quick suggestion. You should not store plain-text passwords if you want your users to trust you. See this doc about hashing passwords, especially the part about salting your hashes.

I would say best practice would be to create a user class, matching your database table, and create an instance of it when the user logs in, and store that class instance in your session variable. Currently you don't store things like user ID, or account type, which you'll probably want to use later.

The problem with your code as it is written, as @FirstOne points out, is that you are exiting as soon as the user is logged in correctly, instead of checking their account type first.

QuickDanger
    I don't think the users would have such information about your suggestion xD (though plain-text pass is not recommended). But, since we are at it: [**How can I prevent SQL-injection in PHP?**](http://stackoverflow.com/q/60174/4577762) – FirstOne Mar 07 '16 at 16:13
  • Users trusted Ashly Martin! User trust has essentially nothing to do with the implementation—unless you supply the implementation code, the customers are literate in that code and security savvy. Users trust sites all the time with no real basis for trust. – zaph Mar 07 '16 at 17:04
  • zaph, actually, it's quite common for sites with already bad security practices to also *send out* their users' passwords in "forgot emails". No user code knowledge required. See [plain-text offenders website](http://plaintextoffenders.com/) – QuickDanger Mar 07 '16 at 17:20
  • Not on point, even in that scenario most users appreciate the practice and not conclude there is poor security. Current professional developers write such code, surely, if these professionals are not aware of the poor practices how will Average User know how to evaluate poor practices. (Software development is a profession, right?) – zaph Mar 07 '16 at 17:36
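A login flow that applies the points raised in the answer and comments (decide the destination before redirecting, keep the id and account type in the session, re-check on the admin page, hash passwords, bind the username instead of splicing it into the SQL). This is an added example, not the asker's or the answerer's code; it assumes an existing mysqli connection `$connect` and a `users` table with columns `id`, `username`, `password` (now holding a `password_hash()` hash rather than plain text), `account_type` and `closed`.

```php
<?php
// ---- login.php ----
// Added example. Assumes an existing mysqli connection $connect and a
// `users` table with columns id, username, password (a password_hash()
// hash), account_type, closed.
session_start();

function authenticate(mysqli $connect, string $user_login, string $password): ?array
{
    // Prepared statement: the username is bound, never spliced into the SQL.
    $stmt = $connect->prepare(
        "SELECT id, account_type, password FROM users
         WHERE username = ? AND closed = 'no' LIMIT 1"
    );
    $stmt->bind_param('s', $user_login);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // get_result() needs mysqlnd
    $stmt->close();
    // Unknown user and wrong password both return null, so the error shown
    // below does not reveal which of the two happened.
    if ($row === null || !password_verify($password, $row['password'])) {
        return null;
    }
    return $row;
}

$user_login = $_POST['username'] ?? '';
$row = authenticate($connect, $user_login, $_POST['password'] ?? '');
if ($row === null) {
    echo "<div class='wrong_login'><p>Username or password is incorrect, please try again.</p></div>";
    exit;
}

// Decide where to send the user BEFORE any header()/exit, and keep the
// id and account type in the session since later pages will need them.
session_regenerate_id(true); // fresh session id once the user is authenticated
$_SESSION['user_id']      = $row['id'];
$_SESSION['user_login']   = $user_login;
$_SESSION['account_type'] = $row['account_type'];
header('Location: ' . ($row['account_type'] === 'admin' ? 'admin_home.php' : 'home.php'));
exit;

// ---- admin_home.php (top of file) ----
// Re-check on the admin page itself, as FirstOne's comment says: the redirect
// alone does not stop a regular user from typing the admin URL by hand.
session_start();
if (($_SESSION['account_type'] ?? '') !== 'admin') {
    header('Location: home.php');
    exit;
}
```

The existing plain-text `password` column can be migrated by storing `password_hash($plain, PASSWORD_DEFAULT)` for each user once; `password_verify()` then handles salting and the hash format on its own.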