I want to separate the admin and user header location. I have a column in the db called role, in which I use 1 for admin and 2 for user. We have only two customers, one admin and the second is a user, and each has a separate username and password.

Now all I want is that when they log in with the username Admin it redirects to the admin layout, and if they log in with the user it redirects to the user page. I have attached the code.

<?php

session_start();
include 'config.php';   // must define $conn (the mysqli connection)

$un = $_POST['username'];
$pw = $_POST['password'];

// Username and password are interpolated straight into the SQL string
// (the comments below point out that this is open to SQL injection).
$sql = "SELECT * FROM sign_in where user_name='$un' and pasword='$pw'";

//SELECT `id`, `user_name`, `pasword` FROM `sign_in` WHERE 1

$result = $conn->query($sql);

if ($result->num_rows > 0) {
    // A matching row exists: send the browser to the landing page.
    header('Location: index2.php');
    exit;
} else {
    echo "Invalid username or password";
}

?>

If the user puts in a wrong username or password it shows a popup "invalid username password". I have added a screenshot of the database sign_in table.

  • What exactly has you stuck? How to do a redirect? How to do an `if` statement? What have you tried and what isn't working? Also, be aware that your code is wide open to SQL injection. You may want to take a look here: https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php – David Aug 11 '17 at 20:31
  • @David sir, actually I am new in development, so I want to share my code, looking for someone who can edit and send me the code which I'm looking for... – resdev solutions Aug 11 '17 at 20:38
  • In that case you've misunderstood what this community does. You are invited to start here: https://stackoverflow.com/help If you have a specific issue that you're trying to resolve, we can help with that. But if, as you say, you're just looking for someone to do your work for you then that isn't what happens here. – David Aug 11 '17 at 20:40
  • @David sir, I mean I post a question and code so someone looks at my code, reads the question and replies back to me about changing the code – resdev solutions Aug 11 '17 at 20:46
  • The code you have posted has several security problems: (1) SQL injection, and (2) plaintext passwords. You'd be putting your service, and your users' security, at risk if you put this into production. My advice is not to attempt to roll your own authentication system until you have had more practice. Can you use an auth library instead? – halfer Aug 11 '17 at 21:24
  • Please read [Under what circumstances may I add “urgent” or other similar phrases to my question, in order to obtain faster answers?](//meta.stackoverflow.com/q/326569) - the summary is that this is not an ideal way to address volunteers, and is probably counterproductive to obtaining answers. Please refrain from adding this to your questions. – halfer Aug 11 '17 at 21:25

1 Answer

OK, you're doing many things wrong, so I'm going to write in the answer box even though it might be overkill for your question.

First, you're passing in user data into your query, which can be dangerous, because they can give you unsafe data that you need to make sure won't cause harm to your system by executing.

Second, you're not properly protecting your users' passwords. PHP has a function for that called `password_hash()`. It's REALLY easy to use, just `password_hash($_POST['password'], PASSWORD_DEFAULT)` when you insert it into the database, rather than just the plain password as it looks like you're doing.

At the end of the day, I would suggest you use the PDO driver for PHP/MySQL. You can get an idea of how to set up your config.php file from here (scroll down to the PDO instructions 1/2 way down the page).

Once you've done that:

// $pdo is the PDO connection created in config.php; prepare() returns the statement.
$stmt = $pdo->prepare("SELECT * FROM sign_in WHERE user_name = :user_name");
$stmt->bindParam(':user_name', $_POST['user_name']);
$stmt->execute();
$result = $stmt->fetch(PDO::FETCH_ASSOC);   // false when no row matched

You now have all the data from your sign in table. Side note, your sign_in table looks like it's probably just a users table, so maybe call it that for consistency with the rest of the world.

First, you want to compare the password they posted, with the hash in your database, and only proceed if it matches.

// fetch() returns false when the username does not exist, so check that first.
if ($result === false || !password_verify($_POST['password'], $result['password'])) {
    // if the result is false, they need to be redirected.
    header('Location: http://yoursite');
    exit;
}

Now that we've verified they signed in, you can just show a specific header for each role by looking at the "role_id" (which I'm assuming you have) from your results.

<?php if ((int) $result['role_id'] === 1) { ?>
<b>You can just enter plain old HTML here - this is what you would put in for your admin header</b>
<?php } else { ?>
<b>This is the header that your user would see if they AREN'T an admin</b>
<?php } ?>

Sorry if this is overkill for your answer, but I tried to keep it as simple as possible as to how to use prepared statements (to prevent SQL injection), the password_hash and password_verify functions, so you can store your users' passwords securely (in hash form), and finally, showing a different header depending on user role.

Unfortunately, it probably isn't copy/pastable into your current code, but I would suggest reading the link I provided (PDO), and then proceed from there. Shouldn't take you long at all, I promise!

Lucas Krupinski
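The answer's three pieces (prepared statement, password_verify, role check) combined into one login handler that does the role-based redirect the question asks for. This is an added example, not the answer's own code; it assumes config.php creates a PDO instance in `$pdo`, a `users` table with `user_name`, `password` (stored via password_hash) and `role_id` columns, and landing pages named admin.php and user.php.

```php
<?php
// Added example, not from the answer above. Assumes config.php sets $pdo
// (PDO with ERRMODE_EXCEPTION) and that users.password holds password_hash()
// output; role_id is 1 for admin and 2 for user, as in the question.
session_start();
require 'config.php';

// Where each role lands after a successful login (assumed page names).
const ROLE_LANDING = [
    1 => 'admin.php',
    2 => 'user.php',
];

function authenticate(PDO $pdo, string $username, string $password): ?array
{
    // Look the user up by name only; the password never goes into the SQL,
    // and the username is bound as a parameter, not interpolated.
    $stmt = $pdo->prepare(
        'SELECT id, user_name, password, role_id FROM users WHERE user_name = :user_name'
    );
    $stmt->execute([':user_name' => $username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);

    // "No such user" and "wrong password" are treated the same, so the
    // response does not reveal which half failed.
    if ($user === false || !password_verify($password, $user['password'])) {
        return null;
    }
    return $user;
}

$user = authenticate($pdo, $_POST['username'] ?? '', $_POST['password'] ?? '');
if ($user === null) {
    http_response_code(401);
    echo 'Invalid username or password';
    exit;
}

// New session id on login (prevents session fixation); the role is kept
// server-side so later pages never trust a role value sent by the client.
session_regenerate_id(true);
$_SESSION['user_id'] = (int) $user['id'];
$_SESSION['role_id'] = (int) $user['role_id'];

header('Location: ' . (ROLE_LANDING[$_SESSION['role_id']] ?? 'user.php'));
exit; // stop here so nothing after the redirect header is executed
```

Each landing page should still check `$_SESSION['role_id']` itself (admin.php rejecting anything but 1), since the redirect alone does not stop someone typing the admin URL directly.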