logging in as user or admin from 2 different tables

Question

okay so i wanna log in as user and admin, my user table is called "sollicitant" and my admin is "bedrijf" (this is dutch lol sorry). the code i have right now works for only 1 table but how can i have a sql query that looks in both tables to log in?

<?php
if(isset($_POST['email'])) {

    $inputEmail = htmlspecialchars($_POST['email']);
    $inputWachtwoord = htmlspecialchars($_POST['wachtwoord']);

    $servername   = "localhost";
    $databasename = "vacaturebank.";
    $username     = "root";
    $password     = "";

    try {
        $conn = new PDO("mysql:host=$servername; dbname=$databasename", $username, $password);

        $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

    } catch(PDOException $e) {
        echo "Connection failed: " . $e->getMessage();
        return;
    }

    try {
        $stmt = $conn->prepare("SELECT * FROM sollicitant WHERE email = '$inputEmail'");
        $stmt->execute();

        $result = $stmt->setFetchMode(PDO::FETCH_ASSOC);
        $row    = $stmt->fetch();

        $rowCount = $stmt->rowCount();

        if ($rowCount) {

            if ($inputWachtwoord == $row['wachtwoord']) echo "<br/>Successvol ingelogd";
            else                                    echo "<br/>Gebruikersnaam en wachtwoord komen niet overeen.";
            header("Location: inloggen.html");
        } else {
            echo "<br/>Login failed, no record found";
        }
    }
    catch(PDOException $e) {
        echo "Error: " . $e->getMessage();
    }

    $conn = null;

    session_start();

    $_SESSION["login"] = true;
    $_SESSION["email"] = $inputEmail;

}
?>

Your code is vulnerable to [**SQL injection**](https://en.wikipedia.org/wiki/SQL_injection) attacks. You should use prepared statements with bound parameters, via either the [**mysqli**](https://secure.php.net/manual/en/mysqli.prepare.php) or [**PDO**](https://secure.php.net/manual/en/pdo.prepared-statements.php) drivers. [**This post**](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) has some good examples. — Alex Howansky, Jul 10 '17 at 15:40
**Never** store plain text passwords. Instead use [`password_hash()`](http://us3.php.net/manual/en/function.password-hash.php) and [`password_verify()`](http://us3.php.net/manual/en/function.password-verify.php). If you're using a version of PHP prior to 5.5, do **not** use MD5 or SHA1 to hash passwords. Instead you can use [this compatibility pack](https://github.com/ircmaxell/password_compat). — Alex Howansky, Jul 10 '17 at 15:40
Why would you keep user info in two tables? Put the actual login info in a single table, then track things like roles and permissions in related tables as needed. — David, Jul 10 '17 at 15:41
@David because its a school project and i had to do it this way. — Melissa, Jul 10 '17 at 15:42
@AlexHowansky things like that dont matter, its just for school and i have to do it this way — Melissa, Jul 10 '17 at 15:42
@Melissa: Your school is teaching you to do things *very* incorrectly. Things like this *do* matter. (SQL injection isn't just about security, it's also a common source of bugs. If your school *insists* on buggy code, then, well, you're going to write buggy code.) In any event, if you *must* keep these things in separate tables, then how do you want to query both tables? In separate successive queries? In a single query where it doesn't matter which table had the value? Something else? Step back for a minute and define the behavior you want from the application. — David, Jul 10 '17 at 15:44
*"It's only for school, so security doesn't matter..."*. If teachers and professors are not talking about security from day one, they're doing it wrong. Challenge them. They're teaching sloppy and dangerous coding practices which you will have to unlearn later. — Jay Blanchard, Jul 10 '17 at 15:58
@David i just mean to say that i have to do this or i won't pass this year and i'd just like some help to finish it since i can't do it on my own.... — Melissa, Jul 10 '17 at 16:01
@JayBlanchard they are but i don't have to do it for THIS project, i just asked for help and i don't need comments on everything else that is wrong — Melissa, Jul 10 '17 at 16:02
If an answer solved your problem, consider accepting the answer. Here's how http://meta.stackexchange.com/questions/5234/how-does-accepting-an-answer-work then return here and do the same with the tick/checkmark till it turns green. This informs the community, a solution was found. Otherwise, others may think the question is still open and may want to post (more) answers. You'll earn points and others will be encouraged to help you. *Welcome to Stack!* — Jay Blanchard, Jul 10 '17 at 16:08
@Melissa: `"and i don't need comments on everything else that is wrong"` - "Learning" involves more than just passing one teacher's test. But we're getting off-topic from the question. Regarding the question itself, can you define clearly the behavior you're looking to implement? Keeping login information in separate tables like this is *very* unorthodox. So it's not intuitive how you want the system to behave. Do you want a single query to look in both tables? Does it matter which table matched the login, or does it only matter that a match was found? Any other specifics? — David, Jul 10 '17 at 17:07

Jay Blanchard · Answer 1 · 2017-07-10T16:21:53.367

You need to specify both tables with the email column:

SELECT * 
FROM sollicitant, bedrijf 
WHERE sollicitant.email = '$inputEmail' 
AND bedrijf.email = '$inputEmail'

Another possibility is using an explicit JOIN with alias' (The alias' are just for shortening things up, you do not have to use them.):

SELECT *
FROM sollicitant s, bedrijf b
ON s.email = b.email
WHERE s.email = '$inputEmail'

Doing this means you only have to account for the eamil in one column of one table as the JOIN makes sure you only get those rows having a matching email. If the query is empty the email does not exist in both.

Edit

If you want to decide where to go based on a user's role you should consolidate all users into one table having a column that delineates the user's role:

SELECT * FROM users WHERE email = '$inputEmail'

Then the PHP once you have fetched the data:

if('sollicitant' == $row['role']) {
    header('Location: sollicitant.php');
    exit();
} elseif ('bedrijf' == $row['role']) {
    header('Location: befrijf.php');
    exit();
} else {
    echo 'There is a problem with your login.';
}

Warning!

...as others have said...

Little Bobby says your script is at risk for SQL Injection Attacks.. Even escaping the string is not safe!

I hate when people say "I'm not that far along..." or "This site will not be public..." or "It's only for school, so security doesn't matter...". If teachers and professors are not talking about security from day one, they're doing it wrong. Challenge them. They're teaching sloppy and dangerous coding practices which students will have to unlearn later. I also hate it when folks say, "I'll add security later..." or "Security isn't important now..." or "Ignore the security risk...".

Never store plain text passwords! Please use PHP's built-in functions to handle password security. If you're using a PHP version less than 5.5 you can use the password_hash() compatibility pack. It is not necessary to escape passwords or use any other cleansing mechanism on them before hashing. Doing so changes the password and causes unnecessary additional coding.

hmm, i think i wasn't too specific, i need to log in as sollicitant OR bedrijf so i have to check which one it is. if i log in as an sollicitant i for example go to sollicitant.php and if i log in as a bedrijf i go to bedrijf.php — Melissa, Jul 10 '17 at 16:10
That would be a different question entirely or you need to edit your question to make it clearer. In either case, you should store all users in one table and have a column which differentiates their roles. I'll edit my answer to reflect what I just said. — Jay Blanchard, Jul 10 '17 at 16:12
sounds so easy but i've never worked with roles before so i don't think i'll be able to do that — Melissa, Jul 10 '17 at 16:19
It's very easy, just requires another column in the table. See my edit. — Jay Blanchard, Jul 10 '17 at 16:22

logging in as user or admin from 2 different tables

1 Answers1

Edit

Warning!

Linked

Related