I have two types of users one is "Paid" and another "Unpaid". I want to restrict unpaid users to view view_profile.php page

Question

I want to restrict unpaid but loged in users to view view_profile.php page after login. Only paid users can visit that page. After login both users session will start but only paid users can see view_profile.php page. Unpaid users will be redirected to other page. My login.php file code is.

<?php
$username= mysql_real_escape_string($_POST['email']);
$password= mysql_real_escape_string($_POST['pass']);

$login= mysql_real_escape_string($_POST['login_user']);

if(isset($login)){
  $mysqli = new mysqli("localhost","username","password","database");           
  if ($mysqli->connect_errno) {
    echo "Failed to connect to MySQL: " . $mysqli->connect_error;
  }
  $res = $mysqli->query("SELECT * FROM users where email='$username' and password='$password'");
  $row = $res->fetch_assoc();

  $name = $row['first_name'];
  $user = $row['email'];
  $pass = $row['password'];
  $type = $row['status'];
  if($user==$username && $pass=$password){
    session_start();
    if($type=="Paid"){
      $_SESSION['mysesi']=$name;
      $_SESSION['mytype']=$type;
      echo "<script>alert('Loged in successfully !')</script>";
      echo "<script>window.location.assign('view_profile.php')</script>";
    } else if($type=="Unpaid"){
      $_SESSION['mysesi']=$name;
      $_SESSION['mytype']=$type;
      echo "<script>window.location.assign('index.php')</script>";
    } 

    else{

        echo "<script>alert('Wrong username or password')</script>";
                    echo "<script>window.open('login.php?not_admin=Check%20your%20Email%20and%20Password%20otherwise %20You%20are%20not%20an%20Registred%20User%20!','_self')</script>";
    }

  }
}  
?>

view_profile.php page top code is..only paid users can see this page.. unpaid user even if he loged in but he will not see view_profile.php page..

<?php
//connect database
$con = mysqli_connect ("localhost","username","password","database");           
        //database connect error
        if (mysqli_connect_errno())
        {   
        echo "Failed to connect to MySql: " . mysqli_connect_errno();
        }

session_start(); // Use session variable on this page. This function must put on the top of page.

if (!isset($_SESSION['mysesi']) && !isset($_SESSION['mytype'])=='Paid')
{
  echo "<script>window.location.assign('login.php')</script>";
}



?>

index.php page code is......

<?php
//connect database
$con = mysqli_connect ("localhost","username","password","database");           
        //database connect error
        if (mysqli_connect_errno())
        {   
        echo "Failed to connect to MySql: " . mysqli_connect_errno();
        }

session_start(); // Use session variable on this page. This function must put on the top of page.

if (!isset($_SESSION['mysesi']) && !isset($_SESSION['mytype'])=='Unpaid')
{
  echo "<script>window.location.assign('login.php')</script>";
}



?>

Answer 1

This answer is to outline the syntax errors you are doing and is too long for a comment. You will need to do some of the work yourself in order for you to learn and to debug code.

"Give a man a fish and you feed him for a day; teach a man to fish and you feed him for a lifetime."

Firstly, you're using mysql_real_escape_string() being an MySQL_ function which does not mix with MySQLi_ in your present code.

Therefore, you need to use its MySQLi_ equivalent being mysqli_real_escape_string() and it requires that the first parameter be a database connection.

I.e.:

$username= mysqli_real_escape_string($mysqli, $_POST['email']);

Consult the manual on the function:

• http://php.net/manual/en/mysqli.real-escape-string.php

and do the same for the other ones and placing those either after you made the connection to your database, or place your database connection at the top of your code without its present conditional statement.

Then you are doing an assignment = rather than a comparison == for:

if($user==$username && $pass=$password)
                            ^ there

Where it should read as $pass==$password with two equal signs.

Now in the first file, you should place session_start(); at the top of the login.php file. If your database connection fails, it will throw you an error and will be considered as outputting before header.

More on this: How to fix "Headers already sent" error in PHP

You also did not post the HTML form for this and is unknown if you are using the same name attributes for the inputs for the POST arrays, and if a POST method is used for the form.

I.e.:

<form method="post" action="your_handler_file.php">
Email: 
<input type="text" name="email">
etc.
</form>

Then for your conditional statement for the session arrays in the view_profile.php file, is giving you a false positive.

if (!isset($_SESSION['mysesi']) && !isset($_SESSION['mytype'])=='Paid')

That is interpreted as:

• if session mysesi array is NOT set AND is NOT set equals to Paid

Rather than the intended:

if (!isset($_SESSION['mysesi']) && $_SESSION['mytype']=='Paid')

which would be interpreted as:

• if session mysesi array is NOT set AND session array equals to Paid

and the same thing applies for the one inside the index.php file:

if (!isset($_SESSION['mysesi']) && !isset($_SESSION['mytype'])=='Unpaid')

which is interpreted the same way and should read as:

if (!isset($_SESSION['mysesi']) && $_SESSION['mytype']=='Unpaid')

NOTA: You need to keep in mind that the words Paid and Unpaid are case-sensitive. Therefore, if those words in the database are paid and unpaid being lowercase letters, then that will fail.

It is important that those match.

The same thing applies to both if($type=="Paid") and else if($type=="Unpaid").

Add error reporting to the top of your file(s) which will help find errors.

<?php 
error_reporting(E_ALL);
ini_set('display_errors', 1);

// Then the rest of your code

Sidenote: Displaying errors should only be done in staging, and never production.

and check for errors against your queries using mysqli_error(). However, that function requires a database connection as the parameter.

I.e.: mysqli_error($mysqli).

Additional tools you can use are:

• var_dump(); - http://php.net/manual/en/function.var-dump.php
• print_r(); - http://php.net/manual/en/function.print-r.php
• And of course viewing your HTML source.

---

Passwords

I also noticed that you may be storing passwords in plain text. This is not recommended.

Use one of the following:

• CRYPT_BLOWFISH
• crypt()
• bcrypt()
• scrypt()
• On OPENWALL
• PBKDF2
• PBKDF2 on PHP.net
• PHP 5.5's password_hash() function.
• Compatibility pack (if PHP < 5.5) https://github.com/ircmaxell/password_compat/

Other links:

• PBKDF2 For PHP

Important sidenote about column length:

If and when you do decide to use password_hash() or the compatibility pack (if PHP < 5.5) https://github.com/ircmaxell/password_compat/, it is important to note that if your present password column's length is anything lower than 60, it will need to be changed to that (or higher). The manual suggests a length of 255.

You will need to ALTER your column's length and start over with a new hash in order for it to take effect. Otherwise, MySQL will fail silently.

---

Prepared statement:

You should use a prepared statement in MySQLi_, or PDO with a prepared statement.

---

Footnotes:

This $_POST['login_user'] is unknown and if it is related to a submit button. If it is, you don't need to escape it, but rather to use a conditional statement like this:

if(isset($_POST['login_user'])){...} rather than if(isset($login)){...}.

The rest is up to you to get your code working.

Error checking links to consult:

• http://php.net/manual/en/mysqli.error.php (For your query)

• http://php.net/manual/en/function.error-reporting.php (For PHP)

  And use the method of redirection as outlined in comments.