
I want to add a condition where if the email is admin@example.com and the password is admin, then the admin will be redirected to admin.html, which is different from what a normal user will be redirected to (user.html). P.S. the admin and users are in the same table. Thanks in advance.

<?php
    require_once ('../../connect.php');
    $user_email = $_POST['user_email'];
    $user_password = $_POST['user_password'];

    if ($user_email != NULL AND $user_password != NULL) 
    {
        $login = "SELECT * FROM tblusers where user_email = '$user_email' AND user_password = '$user_password' AND user_type=0";
        $result = mysqli_query($dbc, $login);

        if (mysqli_num_rows($result) >0 ) 
        {
            setcookie('user_email', $user_email);
            setcookie('user_password', $user_password);

            echo '<script type="text/javascript"> window.location ="register.php"; </script>';
        }

        else
        {
        echo '<script type="text/javascript"> alert("The email or password you have entered may be incorrect"); window.location ="login.html"; </script>';  
        }
    }

    else ($user_email != NULL AND $user_password != NULL) 
    {
        $login = "SELECT * FROM tblusers where user_email = '$user_email' AND user_password = '$user_password' AND user_type=1";
        $result = mysqli_query($dbc, $login);

        if (mysqli_num_rows($result) >0 ) 
        {
            setcookie('user_email', $user_email);
            setcookie('user_password', $user_password);

            echo '<script type="text/javascript"> window.location ="members.php"; </script>';
        }

        else
        {
        echo '<script type="text/javascript"> alert("The email or password you have entered may be incorrect"); window.location ="login.html"; </script>';  
        }
    }

    else
    {
        echo '<script type="text/javascript"> alert("Please enter your email and password in the relative fields"); window.location ="login.html"; </script>';      
    }

    mysqli_close($dbc);
?>
Dave
  • Well you should start by attempting to add some code to do that. A simple IF, a bit like the one you already have, testing for that email address and the password would be a good start. Once you have done that, if it does not work come back and ask for more help – RiggsFolly Aug 19 '17 at 00:50
  • It looks like you are storing passwords on your database as _Plain Text_. That's a dangerous security issue. PHP provides [`password_hash()`](http://php.net/manual/en/function.password-hash.php) and [`password_verify()`](http://php.net/manual/en/function.password-verify.php), please use them. And here are some [good ideas about passwords](https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet). If you are using a PHP version prior to 5.5 [there is a compatibility pack available here](https://github.com/ircmaxell/password_compat) – RiggsFolly Aug 19 '17 at 00:51
  • Also note that here at SO we are very willing to help you fix your code, but we don't write code for you! – RiggsFolly Aug 19 '17 at 00:54
  • Thanks for responding. I am a newbie to programming - all this is very overwhelming for me. The code that I have written was through following a tutorial and I haven't found a direct answer that matches my level of knowledge. I do understand the code but I'm facing issues with the syntax. Also, the website isn't going to be public - it's for a school project. Can you at least show me where the if statement goes and how it is structured? Will it conflict with anything that I have written? Thank you. – Dave Aug 19 '17 at 01:02
  • Hi, then you should throw that tutorial away and find a better one. Setting the user's password into a cookie is about as insecure as it is possible to get – RiggsFolly Aug 19 '17 at 01:06
  • The query is also at risk of [SQL Injection Attack](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Even [if you are escaping inputs, it's not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) Use [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) _Like I suggested above. Throw that tutorial in the bin where it belongs_ – RiggsFolly Aug 19 '17 at 01:08
  • I am aware of the significance of security in such matters, but I would like to emphasize that the website will not be utilized by users - it is more of a functional model. I would deeply appreciate any assistance. – Dave Aug 19 '17 at 01:13
  • Bad habits are easy to learn and hard to break. Better to enjoy the pain early in your learning curve – RiggsFolly Aug 19 '17 at 01:14
  • I have updated the code attached to the question and now login doesn't work anymore. user_type=1 signifies admin privileges. What did I do wrong? – Dave Aug 19 '17 at 02:22

1 Answer


Hmm, your post makes it really difficult to properly provide an answer, but I will try. Before that, know that @RiggsFolly really has made the most important point - get a better tutorial. I would use comments because there are some things that could be clarified but my reputation does not allow me to do that yet. So here goes an attempt at an answer.

  • What exactly is the logic you are trying to implement? It seems to roughly be:

    if (user provides credentials AND credentials exist in database AND credentials are for user_type == 0) {
        save credentials;
        send user to registration page;
    } else if (user provides credentials AND credentials exist in database AND credentials are for user_type == 1) {
        save credentials;
        send user to members page;
    } else {
        send user to login page;
    }
    
We can streamline this logic a bit:
    <?php
    require_once ('../../connect.php');
    $user_email = isset($_POST['user_email']) ? $_POST['user_email'] : '';
    $user_password = isset($_POST['user_password']) ? $_POST['user_password'] : '';

    if ($user_email != '' AND $user_password != '') { // if this fails, user is sent to login page
        // Now check if credentials exist in database
        // Notice I am using comments? Use them to make your code more readable and to better explain what you're doing/what you did!!!
        // Query the database only for matching username and password first.
        // (This is still the string-built query from the question, so it is still open to SQL injection; see the links in the comments.)
        $login = "SELECT * FROM tblusers where user_email = '$user_email' AND user_password = '$user_password'";
        $result = mysqli_query($dbc, $login);
        // If this returns a match, then check for user_type. Otherwise, prompt user to provide correct credentials.
        if ($result && mysqli_num_rows($result) > 0) {
            // Obtain the results of the query in an associative array so that you can easily access the value of 'user_type'
            $row = mysqli_fetch_assoc($result);
            // We have confirmed that the credentials exist. So we can save them (this is what the question's code does)
            // But as RiggsFolly correctly points out, PLEASE look for alternatives more secure than cookies
            setcookie('user_email', $user_email);
            setcookie('user_password', $user_password);
            // Now check the value of user_type and respond accordingly
            if ($row["user_type"] == 1) { // admin
                // send user to admin page, which seems to be members.php
                echo '<script type="text/javascript"> window.location ="members.php"; </script>';
            } else { // user
                // I assume there is no other user_type.
                // If there is, make this an elseif statement that checks if user_type == 0
                // send user to user page, which seems to be register.php
                echo '<script type="text/javascript"> window.location ="register.php"; </script>';
            }
        } else {
            // display message that credentials are incorrect, then send user to login page
            echo '<script type="text/javascript"> alert("The email or password you have entered may be incorrect"); window.location ="login.html"; </script>';
        }
    } else {
        // send user to login page
        echo '<script type="text/javascript"> alert("Please enter your email and password in the relative fields"); window.location ="login.html"; </script>';
    }

    mysqli_close($dbc);
    ?>

Again, read ALL the links provided by @RiggsFolly and implement them. As he pointed out, we try to improve your code not to write it for you, which is why I tried to stick to the code you provided.

I do hope this helps you. Wish you the best as you learn.

Uche Ozoemena
  • I cannot thank you enough for guiding me through this. Your answer was extremely helpful. – Dave Aug 20 '17 at 04:37
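The following is an added example, not code from the question or from Uche Ozoemena's answer. It keeps the same branching on `user_type` but applies the three fixes RiggsFolly's comments ask for: a prepared statement instead of string-built SQL, `password_verify()` against a stored `password_hash()` value instead of a plaintext comparison, and a server-side session instead of writing the password into a cookie. It assumes `connect.php` defines `$dbc` (a mysqli connection) as in the question, that `tblusers` has a `user_id` column (the question only shows `user_email`, `user_password` and `user_type`; `user_id` is an assumption), that `user_password` now holds a `password_hash()` result, and that `user_type` 1 is admin and 0 is a normal user.

```php
<?php
// Added example (not the question's or the answer's code): a login handler for the
// question's tblusers table with the fixes raised in the comments.
// Assumptions: connect.php defines $dbc (mysqli), tblusers has a user_id column,
// user_password stores a password_hash() value, user_type 1 = admin, 0 = user.
require_once('../../connect.php');

session_start();

$user_email    = isset($_POST['user_email']) ? trim($_POST['user_email']) : '';
$user_password = isset($_POST['user_password']) ? $_POST['user_password'] : '';

if ($user_email === '' || $user_password === '') {
    header('Location: login.html?error=missing');
    exit;
}

// Look the account up by email only, with the value bound as a parameter. The
// password is checked in PHP below, so no user input is ever spliced into SQL and
// input such as ' OR '1'='1 is just a string that matches no email.
$stmt = mysqli_prepare(
    $dbc,
    'SELECT user_id, user_password, user_type FROM tblusers WHERE user_email = ? LIMIT 1'
);
if ($stmt === false) {
    // Do not leak mysqli_error() to the browser; log it server-side instead.
    error_log('login: prepare failed: ' . mysqli_error($dbc));
    header('Location: login.html?error=server');
    exit;
}
mysqli_stmt_bind_param($stmt, 's', $user_email);
mysqli_stmt_execute($stmt);
mysqli_stmt_bind_result($stmt, $user_id, $stored_hash, $user_type);
$found = (mysqli_stmt_fetch($stmt) === true);
mysqli_stmt_close($stmt);
mysqli_close($dbc);

// Always run password_verify(), even for an unknown email (against a freshly made
// hash of an unrelated string), so the response time does not reveal which emails
// exist. password_verify() compares in constant time.
$hash_to_check = $found ? $stored_hash : password_hash('not-a-real-password', PASSWORD_DEFAULT);
$ok = password_verify($user_password, $hash_to_check) && $found;

if (!$ok) {
    // One message for both "no such email" and "wrong password".
    header('Location: login.html?error=badcreds');
    exit;
}

// Fresh session id after authentication (defeats session fixation), then store only
// the identity and the role. The password itself never leaves this request.
session_regenerate_id(true);
$_SESSION['user_id']   = (int) $user_id;
$_SESSION['user_type'] = (int) $user_type;

// Branch on the role read from the database, never on anything the client sent.
if ((int) $user_type === 1) {
    header('Location: admin.php');
} else {
    header('Location: user.php');
}
exit;

// --- For the protected pages (put this in a shared include, e.g. auth.php) ---
// A static admin.html can be fetched by anyone who guesses the URL; only a PHP page
// can consult the session. Call require_admin() at the top of admin.php.
function require_admin()
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!isset($_SESSION['user_type']) || $_SESSION['user_type'] !== 1) {
        header('Location: login.html');
        exit;
    }
}

// --- Registration side (the INSERT the question does not show) ---
// Store the hash, never the password:
//   $hash = password_hash($user_password, PASSWORD_DEFAULT);
//   then bind $hash as the user_password value in a prepared INSERT.
```

Two things worth checking after wiring this in: the existing rows in `tblusers` still hold plaintext passwords and must be rehashed (or the users made to reset) before `password_verify()` can match them, and the session cookie should be marked HttpOnly and, once the site is served over TLS, Secure (`session.cookie_httponly` and `session.cookie_secure` in php.ini or via `session_set_cookie_params()`), otherwise the session id is exposed in the same way the question's `user_password` cookie was.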