-3

I would like to allow multiple users to log in according to their userID and forward each user to his page. However, only the last `if` condition works.

```php
<?php
// session_start() must run before $_SESSION is written to, otherwise the
// assignments below are lost on the next request.
session_start();

$conn = mysqli_connect("localhost", "root", "", "clinic system");
if(isset($_POST['submit'])){
    $idname = $_POST['name'];
    $password = $_POST['password'];

    // One query per user type; the password is compared inside SQL and the
    // form values are concatenated straight into the statements.
    $query1 = "SELECT * FROM users WHERE UID='".$idname."' AND pass= '".$password."' AND User_type_id= '1'";
    $query2 = "SELECT * FROM users WHERE UID='".$idname."' AND pass= '".$password."' AND User_type_id= '2'";
    $query3 = "SELECT * FROM users WHERE UID='".$idname."' AND pass= '".$password."' AND User_type_id= '3'";
    $result1 = mysqli_query($conn, $query1);
    $result2 = mysqli_query($conn, $query2);
    $result3 = mysqli_query($conn, $query3);

    if(mysqli_fetch_assoc($result1)){
        $_SESSION['User'] = $_POST['name'];
        header("location:Dr.html");
    }

    if(mysqli_fetch_assoc($result2)){
        $_SESSION['User'] = $_POST['name'];
        header("location:Assis.html");
    }

    // The else belongs to this third if only, so a type 1 or type 2 user
    // still reaches it and the later header() overrides the earlier one.
    if(mysqli_fetch_assoc($result3)){
        $_SESSION['User'] = $_POST['name'];
        header("location:Recep.html");
    }
    else{
      header("location:stafflog.php?Invalid=  please enter correct ID or Password");
    }
}
?>
```
Nour
  • Why do 3 queries? Do `SELECT user_type_id FROM users WHERE ...` – Barmar Apr 01 '20 at 17:15
  • You should add `exit;` after each header also. That hasn't been addressed. – Funk Forty Niner Apr 01 '20 at 17:33
  • **Never store passwords in clear text or using MD5/SHA1!** Only store password hashes created using PHP's [`password_hash()`](https://php.net/manual/en/function.password-hash.php), which you can then verify using [`password_verify()`](https://php.net/manual/en/function.password-verify.php). Take a look at this post: [How to use password_hash](https://stackoverflow.com/q/30279321/1839439) and learn more about [bcrypt & password hashing in PHP](https://stackoverflow.com/a/6337021/1839439) – Dharman Apr 01 '20 at 20:41

2 Answers

-1

You only need to retrieve the User_type_id from the database and then decide on that which page to go to...

```php
// One lookup for the user; the role decides the landing page afterwards.
$query1 = "SELECT * FROM users WHERE UID='".$idname."' AND pass= '".$password."'";
$result1 = mysqli_query($conn, $query1);

if($row = mysqli_fetch_assoc($result1)){
    $_SESSION['User'] = $_POST['name'];
    if ( $row['User_type_id'] == 1 )  {
        header("location:Dr.html");
    }
    if ( $row['User_type_id'] == 2 )  {
        header("location:Assis.html");
    }
    if ( $row['User_type_id'] == 3 )  {
        header("location:Recep.html");
    }
    exit; // stop the script once the redirect header has been sent
}
```

Although, a couple of major points: you should be using prepared statements (see How can I prevent SQL injection in PHP?).

Also, you should not be storing plain text passwords; have a read of How to use PHP's password_hash to hash and verify passwords.

Barmar
Nigel Ren
  • I'd use a `switch` statement since you're comparing the same value each time. Or at least use `elseif`. – Barmar Apr 01 '20 at 17:38
-2

You don't need to have 3 queries for this. Why don't you just save a column in the database called "userTypeID" and have it be an int? Then, when a user logs in, check the table and save the number in the session. This can be done easily in 1 query.

Also, I believe you are exposed to SQL injection. You should use prepared statements.

hndvf
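Both answers make the same three points (one query, a role column deciding the page, prepared statements) and the comments add `exit` after `header()` and `password_hash()`/`password_verify()`. The following is an added example that puts all of them together; it is not code from the question or from either answerer. It keeps the question's table and column names (`users`, `UID`, `pass`, `User_type_id`), the database name and the three target pages. Everything else is an assumption: that `pass` holds a `password_hash()` result rather than plain text, that the mysqlnd driver is available (needed for `get_result()`), and the `LANDING_PAGES` map and `authenticate()` function are invented here.

```php
<?php
declare(strict_types=1);

// Session must exist before $_SESSION is written.
session_start();

// Report mysqli failures as exceptions so a failed query can never be
// mistaken for "no matching user".
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$conn = mysqli_connect("localhost", "root", "", "clinic system");

// Assumed map (not from the page) of User_type_id to landing page.
// Any role not listed here is rejected instead of redirected.
const LANDING_PAGES = [
    1 => 'Dr.html',
    2 => 'Assis.html',
    3 => 'Recep.html',
];

/**
 * Single query: fetch the stored hash and role for the given user ID.
 * The password is verified in PHP with password_verify(), never compared
 * inside SQL. Returns the landing page on success, null on any failure.
 */
function authenticate(mysqli $conn, string $idname, string $password): ?string
{
    // Prepared statement: the user ID travels as a bound parameter, so no
    // form input is ever spliced into the SQL text.
    $stmt = $conn->prepare(
        "SELECT pass, User_type_id FROM users WHERE UID = ? LIMIT 1"
    );
    $stmt->bind_param("s", $idname);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // needs mysqlnd (assumption)
    $stmt->close();

    if ($row === null) {
        return null;                              // unknown user
    }
    // $row['pass'] is assumed to be a password_hash() string, e.g. created at
    // registration with password_hash($plain, PASSWORD_DEFAULT).
    if (!password_verify($password, (string) $row['pass'])) {
        return null;                              // wrong password
    }
    return LANDING_PAGES[(int) $row['User_type_id']] ?? null;   // unknown role
}

if (isset($_POST['submit'], $_POST['name'], $_POST['password'])) {
    $page = authenticate($conn, (string) $_POST['name'], (string) $_POST['password']);

    if ($page === null) {
        // One generic message for unknown user, wrong password and unknown
        // role, so the response does not say which of them failed.
        header("Location: stafflog.php?Invalid=" . urlencode("please enter correct ID or Password"));
        exit;
    }

    // Fresh session ID on privilege change guards against session fixation.
    session_regenerate_id(true);
    $_SESSION['User'] = (string) $_POST['name'];
    $_SESSION['User_type_id'] = array_search($page, LANDING_PAGES, true);

    // Exactly one redirect, followed by exit so nothing below it runs and
    // no later header() can overwrite it (the bug in the original code).
    header("Location: " . $page);
    exit;
}
```

The role comes from the row the query returned, so there is exactly one lookup and one decision, and the page protected by each `.html` file still needs to check `$_SESSION['User_type_id']` itself; the redirect alone does not stop a user from typing `Dr.html` into the address bar.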