
I am trying to make a login system for a normal user and an AdminUser. If a normal user types in the browser http://localhost/project the login screen comes up and the user can log in using his Id and Password. But while logged in, if the user types in the browser http://localhost/project/admin the normal user also gets access to the admin panel, which I want to stop. How can I do that? I am stuck here for a long time. Any help please?

Login for user:

$query = "SELECT * FROM user WHERE eid='$eid' and password='$password'";
$result = $db->select($query);
if ($result != false) {
    $value = $result->fetch_assoc();
    Session::set("login", "userLogin");
    Session::set("username", $value['username']);
    Session::set("email", $value['email']);
    Session::set("uid", $value['uid']);
    Session::set("image", $value['image']);
    header("Location: index.php");
    exit; // stop the script after the redirect header
} else {
    $loginErr = "Username or Password Not Matched !!";
}

Session function for User:

public static function checkSession(){
    self::init();
    if (self::get("userLogin") !== false) {
        self::destroy();
        header("Location:login.php");
        exit; // without exit the protected page would still render after the redirect header
    }
}

Session check for User:

Session::checkSession();

Login for admin:

$query = "SELECT * FROM afcadmin WHERE adminname='$adminname' and password='$password'";
$result = $db->select($query);
if ($result != false) {
    $value = $result->fetch_assoc();
    Session::set("loginadmin", "adminLogin");
    Session::set("adminname", $value['adminname']);
    Session::set("adminemail", $value['adminemail']);
    Session::set("adminid", $value['adminid']);
    header("Location: index.php");
    exit; // stop the script after the redirect header
} else {
    $loginErr = "Username or Password Not Matched !!";
}

Session function for admin:

public static function checkSessionAdmin(){
    self::init();
    if (self::get("adminLogin") !== false) {
        self::destroy();
        header("Location:login.php");
        exit; // without exit the admin page would still render after the redirect header
    }
}

Session check for admin:

Session::checkSessionAdmin();

Ami Hasan
    You should probably read these: [How can I prevent SQL-injection in PHP?](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) and http://plaintextoffenders.com/faq/devs – Alexander O'Mara Aug 30 '16 at 06:10
  • @AlexanderO'Mara that second link was entertaining and enlightening. A shame I had to find a better background colour myself because the designer went with such a crap fallback background colour should the background image be blocked (because you know, some workplaces block social media like tumblr) – Memor-X Aug 30 '16 at 06:41

4 Answers


You don't have to be using different tables for the user and admin login. You just need a column that will help you check if a user has admin privileges. For example: you could create an is_admin column and set its value to 1 if the user is an admin and 0 if he/she isn't.

# Your query
$stmt = "SELECT
    users.id as uid,
    users.username as username,
    users.is_admin as is_admin
FROM users
WHERE users.username='{$username}'
AND users.password='{$password}'
LIMIT 1
";

You then add the results to a session like you are doing already.

var_dump($_SESSION['user']);

Array {
    'uid' => '125',
    'username' => 'SomeGuy',
    'is_admin' => '1',
}

Your session will now contain a value is_admin and so you can check if a user is an administrator by using a simple if statement.

if ($_SESSION['user']['is_admin'] == 1) {
    // Admin only stuff here
}
Peter

As I can see you are having two separate tables for user and admin to store their data, so I think that shouldn't be any problem for your query; when it's for a user we cannot stop them from browsing any page.

But if a user can use their own details to log in to the admin panel, that means you have the same data in both tables; that may be caused because you insert the same data in both tables or there is something wrong in your insert query.

But as a solution I think it's better to add a Roles field in both tables which defines whether it's a user or admin, and after your select query make an if condition to check if they meet your requirements and then set the session.

But from my point of view the best thing is to have a single table for both Users and Admins to store all common data and make an Admin table to store user_id and some priority. When you make the checking query, check whether the user_id belongs to the admin table or not and define them as admin or user, and then set the session.

This may solve your issue, but if you need more help let me know.


You can have a user_type field in the database and in the admin session you can see if the user_type is admin or customer. If it's admin then redirect him to the admin dashboard, otherwise to the customer dashboard. In the admin header, put a check for the same.

Hope this helps.


I've found the solution. I replaced the following code.

Code for User login:

Replaced Session::set("login", "userLogin"); by Session::set("login", "true");

Code for Session Function User:

Replaced if (self::get("login") !== false) by if (self::get("login") == false)

Code for Admin login:

Replaced Session::set("loginadmin", "adminLogin"); by Session::set("adminlogin", "true");

Code for Session Function Admin:

Replaced if (self::get("adminlogin") !== false) by if (self::get("adminlogin") == false)

Ami Hasan
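Putting Peter's is_admin column and the corrected session checks from the last answer together, here is an added example (not code from the question or any answer) of a login that stores the role in the session and guards that protected and admin pages call. It assumes a PDO connection in $pdo, a users table with id, username, password_hash (from password_hash()) and is_admin columns, and that session_start() has already run.

```php
<?php
// Added example; assumes $pdo (PDO), a `users` table with columns
// id, username, password_hash, is_admin (0/1), and session_start() already called.

/** Authenticate and store identity + role in the session; returns true on success. */
function login(PDO $pdo, string $username, string $password): bool
{
    // Prepared statement: the username is bound, never interpolated into the SQL.
    $stmt = $pdo->prepare(
        'SELECT id, username, password_hash, is_admin FROM users WHERE username = ? LIMIT 1'
    );
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Compare against a stored hash instead of a plaintext password column.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true); // fresh session id after login (session fixation defence)
    $_SESSION['user'] = [
        'uid'      => (int) $row['id'],
        'username' => $row['username'],
        'is_admin' => (int) $row['is_admin'], // role comes from the DB row, not from the request
    ];
    return true;
}

/** Every protected page calls this first; anyone not logged in is redirected. */
function requireLogin(): void
{
    if (empty($_SESSION['user'])) {
        header('Location: login.php');
        exit; // header() alone does not stop the script; the page would still render
    }
}

/** Admin pages call this instead: a logged-in normal user gets 403, not the panel. */
function requireAdmin(): void
{
    requireLogin();
    if ((int) ($_SESSION['user']['is_admin'] ?? 0) !== 1) {
        http_response_code(403);
        exit('Forbidden');
    }
}

// admin/index.php would then start with:
// require_once __DIR__ . '/../auth.php';
// session_start();
// requireAdmin();
```

The important difference from the question's code is that the admin check tests the role stored at login, not merely whether a session exists, so a normal user who is logged in still cannot reach /admin.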