
I am trying to make a sample website that has different privileges: the admin is for the admin page and the client is for the client page.

And this is my PHP code, db_login:

```php
<?php

    $uname = $_POST["uname"];
    $pword = $_POST["pword"];

    require_once("../connector/db_open.php");

    $sql = "SELECT * FROM tbl_create_acc WHERE uname = '".$uname."' AND pword = '".$pword."'";
    $result = $conn->query($sql) or die ($conn->error);

    if($result->num_rows >0)
    {

        if (isset($_SESSION["uname"]) == ($_COOKIE['admin']))
        {
            $row = mysqli_fetch_array($result);
            session_start();
            $_SESSION['id'] = $row['id'];
            $_SESSION['uname'] = $row['uname'];
            $_SESSION['pword'] = $row['pword'];
            header("Location: ../page/adminpage.php");
        }
        else
        {
            header("Location: ../page/clientpage.php");
        }

    }
    else
    {
        header("Location: ../page/index1.php");
    }
    require_once("../connector/db_close.php");

?>
```
Newbie
  • `isset()` returns a boolean true/false, not a string. So you'd want `if (isset($_SESSION["uname"]) && $_SESSION["uname"] == $_COOKIE['admin'])`. You should also check if the cookie is set first, to avoid "*Undefined index*" warnings. And you need `session_start();` before that `if`-block. Further, you're **not hashing your passwords**, which you **really should**; look into [`password_hash()`](http://php.net/manual/en/function.password-hash.php). Also, storing passwords in a session is discouraged. – Qirel Jul 14 '16 at 21:13
  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! [You don't want to be compromised.](http://stackoverflow.com/q/38297105/1011527) – Jay Blanchard Jul 14 '16 at 21:16
  • **Never store plain text passwords!** Please use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). Make sure you ***[don't escape passwords](http://stackoverflow.com/q/36628418/1011527)*** or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Jul 14 '16 at 21:17
  • While all the above comments are advice you should heed, what is your actual question? – Tim Malone Jul 14 '16 at 21:38
  • Why are you checking if session is equal to cookie? – a coder Jul 14 '16 at 22:31
  • Sir Qirel, why can't I still go to the admin page? The code you gave me is working, but it still won't work well: if I use an admin username it still goes to the client page. – Newbie Jul 15 '16 at 07:27
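As an added example (not the asker's code or anything posted in the comments), here is a version of db_login that applies the fixes the comments describe: a prepared statement instead of string concatenation, `password_verify()` against a `password_hash()` value, and `session_start()` before `$_SESSION` is touched. It also takes the role from the database rather than from the `admin` cookie, since anything in a cookie is chosen by the client. It assumes `tbl_create_acc` has an added `role` column holding `'admin'` or `'client'` and that `pword` stores a `password_hash()` result; both are assumptions, not something the question states.

```php
<?php
// Added example, not the asker's code. Assumes: $conn is the mysqli object from
// db_open.php; tbl_create_acc has an added `role` column ('admin' or 'client');
// pword holds a password_hash() result, not plain text.
session_start(); // must run before any read or write of $_SESSION

require_once("../connector/db_open.php");

$uname = isset($_POST["uname"]) ? $_POST["uname"] : '';
$pword = isset($_POST["pword"]) ? $_POST["pword"] : '';

// Placeholder binding keeps user input out of the SQL text entirely,
// which is what closes the injection hole in the original query.
$stmt = $conn->prepare(
    "SELECT id, uname, pword, role FROM tbl_create_acc WHERE uname = ? LIMIT 1"
);
$stmt->bind_param("s", $uname);
$stmt->execute();
$stmt->bind_result($id, $dbUname, $hash, $role);
$found = $stmt->fetch();
$stmt->close();
require_once("../connector/db_close.php");

// One failure path for "unknown user" and "wrong password": the response
// does not reveal which usernames exist. password_verify() compares against
// the stored hash, so the plain password is never stored or compared directly.
if (!$found || !password_verify($pword, $hash)) {
    header("Location: ../page/index1.php");
    exit;
}

// New session ID on login so a session fixed before authentication
// does not become an authenticated one.
session_regenerate_id(true);
$_SESSION['id']    = $id;
$_SESSION['uname'] = $dbUname;
$_SESSION['role']  = $role; // authoritative: from the database, not a cookie
// Deliberately no $_SESSION['pword']: the password has no business in the session.

if ($role === 'admin') {
    header("Location: ../page/adminpage.php");
} else {
    header("Location: ../page/clientpage.php");
}
exit;
```

The redirect alone does not protect adminpage.php; that page must itself check `$_SESSION['role'] === 'admin'` after `session_start()` and redirect otherwise, since a client can request the URL directly.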

0 Answers