
I am busy with a login script, but I am stuck at the moment on the PHP "if" line.

I want to give the rank check its own message saying that the user isn't allowed because he doesn't have the right rank for the admin login. At the moment it gives the "wrong username or password" message.

My code:

<?php
session_start();
include_once 'dbconnect.php';

// Already logged in: go straight to the home page.
if (isset($_SESSION['userSession']))
{
    header("Location: home.php");
    exit;
}

if (isset($_POST['btn-login']))
{
    $email = $MySQLi_CON->real_escape_string(trim($_POST['user_email']));
    $upass = $MySQLi_CON->real_escape_string(trim($_POST['password']));

    $query = $MySQLi_CON->query("SELECT user_id, user_email, user_pass, user_rank FROM users WHERE user_email='$email'");
    $row = $query->fetch_array();   // null when no user has this email

    // The rank condition is combined with the password check, so a wrong
    // rank falls into the same else branch as a wrong password.
    if ($row && password_verify($upass, $row['user_pass']) && ($row['user_rank'] == '2'))
    {
        $_SESSION['userSession'] = $row['user_id'];
        header("Location: home.php");
        exit;   // header() alone does not stop the script
    }
    else
    {
        $msg = "<div class='alert alert-danger'>
                    <span class='glyphicon glyphicon-info-sign'></span> &nbsp; email or password does not exists!
                </div>";
    }

    $MySQLi_CON->close();
}
?>

I am still a little bit new to PHP.

halfer
  • Make sure you ***[don't escape passwords](http://stackoverflow.com/q/36628418/1011527)*** or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Jul 18 '16 at 21:16
  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! [Don't believe it?](http://stackoverflow.com/q/38297105/1011527) – Jay Blanchard Jul 18 '16 at 21:16

2 Answers


Just add an else if stage. You can have as many of those as you want, just don't go overboard.

if(password_verify(...)) {
   ...
} else if ($rank != 2) {
   ... wrong rank 
} else if (...) {
   ...
} else {
   ...
}
Marc B

Just add an if statement inside the password-check if statement, so that the rank is only checked when the password matches.

<?php
session_start();
include_once 'dbconnect.php';

if(isset($_SESSION['userSession']))
{
    header("Location: home.php");
    exit;
}

if(isset($_POST['btn-login']))
{
    $email = $MySQLi_CON->real_escape_string(trim($_POST['user_email']));
    $upass = $MySQLi_CON->real_escape_string(trim($_POST['password']));
    $query = $MySQLi_CON->query("SELECT user_id, user_email, user_pass, user_rank FROM users WHERE user_email='$email'");
    $row = $query->fetch_array();   // null when no user has this email

    // Outer check: password. Inner check: rank, reached only when the password matched.
    if($row && password_verify($upass, $row['user_pass']))
    {
        if($row['user_rank'] == '2'){
            $_SESSION['userSession'] = $row['user_id'];
            header("Location: home.php");
            exit;   // stop the script after the redirect
        } else {
            echo "You need a higher rank";
        }
    }
    else
    {
        $msg = "<div class='alert alert-danger'>
                    <span class='glyphicon glyphicon-info-sign'></span> &nbsp; email or password does not exists!
                </div>";
    }

    $MySQLi_CON->close();
}
?>
Luca Jung
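The nested rank check from the answer above, combined with the two points raised in the comments on the question (prepared statements, no escaping of the password), as an added example that is not code from the question or either answer. It assumes the `users` table and `$MySQLi_CON` from the question, a mysqli build with mysqlnd (for `get_result()`), and the `adminLogin` / `ADMIN_RANK` names chosen here.

```php
<?php
// Added example, not code from the question or either answer. Assumes the
// users table from the question, a mysqli connection with mysqlnd, and the
// constant/function names below.
const ADMIN_RANK = 2;

// Returns 'ok', 'bad_credentials' or 'insufficient_rank'; sets the session on 'ok'.
function adminLogin(mysqli $con, string $email, string $password): string
{
    // A bound parameter carries the value, so quotes or comment markers in
    // $email are never parsed as SQL.
    $stmt = $con->prepare('SELECT user_id, user_pass, user_rank FROM users WHERE user_email = ? LIMIT 1');
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // null when no such email
    $stmt->close();

    // Unknown email and wrong password share one answer, as in the original
    // $msg. The password is passed raw: it was hashed unescaped, so escaping
    // it here would make password_verify() fail.
    if ($row === null || !password_verify($password, $row['user_pass'])) {
        return 'bad_credentials';
    }
    // The rank message is only reachable after the password has been proven.
    if ((int) $row['user_rank'] !== ADMIN_RANK) {
        return 'insufficient_rank';
    }
    session_regenerate_id(true);   // fresh session id once the user is elevated
    $_SESSION['userSession'] = $row['user_id'];
    return 'ok';
}

session_start();
include_once 'dbconnect.php';   // provides $MySQLi_CON, as in the question

if (isset($_POST['btn-login'])) {
    $outcome = adminLogin($MySQLi_CON, trim($_POST['user_email'] ?? ''), $_POST['password'] ?? '');
    $MySQLi_CON->close();
    if ($outcome === 'ok') {
        header('Location: home.php');
        exit;   // header() alone does not stop the script
    }
    $msg = ($outcome === 'insufficient_rank')
        ? 'Your account does not have the rank required for the admin login.'
        : 'email or password does not exist!';
}
```

The rank message is deliberately returned only after `password_verify()` succeeds, so an unauthenticated visitor cannot learn which accounts are admins by probing the form.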