My login page couldn't read the multi-level users. I have two types of users: UMD and CMD. Their landing page will be different based on their level (CMD_home.php for CMD & UMD_home2.php for UMD). Currently, when I click login, both users navigate to the UMD_home2.php page. Below is my code; please assist me in editing it.

```php
<?php

include "../setting/config.php";

session_start();

if (isset($_POST['login']))
{
    $username = $_POST['username'];
    $password = $_POST['password'];
    //UMD,CMD
    $query2 = "SELECT * FROM registered_accounts WHERE username='$username' AND password='$password'";

    if (count(fetchAll($query2)) > 0)
    { //this is to catch unknown error.
        foreach (fetchAll($query2) as $row)
        {
            if ($row['username'] == $username && $row['password'] == $password)
            {
                $_SESSION['test'] = true;
                $level['level'] == "CMD";
                header('location:CMD_home.php');
            }
            else
            {
                echo "<script>alert('Wrong login details.')</script>";
            }
        }
    }

}

if (isset($_POST['login']))
{
    $username = $_POST['username'];
    $password = $_POST['password'];
    //UMD,CMD
    $query3 = "SELECT * FROM registered_accounts WHERE username='$username' AND password='$password'";

    if (count(fetchAll($query2)) > 0)
    { //this is to catch unknown error.
        foreach (fetchAll($query2) as $row)
        {
            if ($row['username'] == $username && $row['password'] == $password)
            {
                $_SESSION['test'] = true;
                $level['level'] == "UMD";
                header('location:UMD_home2.php');
            }
            else
            {
                echo "<script>alert('Wrong login details.')</script>";
            }
        }
    }

}

?>
```

Tim567
  • Remove the second isset($_POST['login'] ... From the first query get the level from select query and redirect to the corresponding page – Shibon Jun 03 '20 at 12:26
  • You always need to `exit` after a header or it will just carry on to the end of the page. – Nigel Ren Jun 03 '20 at 12:29
  • [How can I prevent SQL injection in PHP?](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php?rq=1) and don't store plain text passwords in your db – brombeer Jun 03 '20 at 12:37
  • It works fine now after I follow Mr Tim's code and I've added `$query_run=mysqli_query($conn, $query2); $level = mysqli_fetch_array($query_run);` under the query line. But the alert message doesn't display if I key in invalid username & pass, as well click login without key in anything.. Before this it works. – Rajeswari Rajoo Jun 03 '20 at 12:49

1 Answer

I think your problem is really easy. There are no if statements around the `$level['level'] == "CMD";` and `$level['level'] == "UMD";`

Try this:


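```php
<?php
include "../setting/config.php"; // assumed to provide the PDO connection in $pdo

session_start();

// Defined at top level: a function declared inside an if block does not
// exist until execution reaches its declaration, so calls above it would fail.
function alert()
{
    echo "<script>alert('Wrong login details.')</script>";
}

if (isset($_POST['login'])) {

    if (!isset($_POST['username']) || !isset($_POST['password'])) {
        exit;
    }

    $username = $_POST['username'];
    $password = $_POST['password'];
    //UMD,CMD

    // Prepared statement: the input is bound as data, not concatenated into the SQL.
    $sql = $pdo->prepare('SELECT * FROM registered_accounts WHERE username = :name AND password = :password');

    $sql->execute(['name' => $username, 'password' => $password]);

    // A PDOStatement is not countable, so fetch the rows before counting them.
    $rows = $sql->fetchAll(PDO::FETCH_ASSOC);

    if (count($rows) > 0) { //this is to catch unknown error.
        foreach ($rows as $row) {
            if ($row['username'] == $username && $row['password'] == $password) {
                $_SESSION['test'] = true;
                // The level is read from the fetched account row (its `level` column).
                if ($row['level'] == "CMD") {
                    header('location:CMD_home.php');
                    exit;
                } else if ($row['level'] == "UMD") {
                    header('location:UMD_home2.php');
                    exit;
                }
            } else {
                alert();
            }
        }
    } else {
        alert();
    }
}
?>
```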
Tim567
  • Undefined variable: level in ...\test.php and Trying to access array offset on value of type null in ...\test.php on line 39 which is in code if($level['level'] == "CMD"){ – Rajeswari Rajoo Jun 03 '20 at 12:36
  • It means that you haven't set the `$level['level']` variable – Tim567 Jun 03 '20 at 12:37
  • Where are the `levels` stored? – Tim567 Jun 03 '20 at 12:38
  • It works fine now. I've added $query_run=mysqli_query($conn, $query2); $level = mysqli_fetch_array($query_run); under the query line. – Rajeswari Rajoo Jun 03 '20 at 12:43
  • But the alert message doesn't display if I key in invalid username & pass, as well click login without key in anything.. Before this it works... – Rajeswari Rajoo Jun 03 '20 at 12:44
  • After another look I think the issue is that your alert is at a wrong location. I edited my answer so it's at the correct location. I also added protection for `injection` and added `exit; tags` – Tim567 Jun 03 '20 at 13:24
  • This works perfect !.. Thank you so much for your time @Tim587 – Rajeswari Rajoo Jun 03 '20 at 16:05
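
The points raised in the comments (bound parameters, no plain-text passwords, taking the level from the fetched row) combined in one added example; it is not code from the question, the answer or the commenters. The `password_hash` column, the helper name `resolveLandingPage`, the sample accounts and the in-memory SQLite database (needs the `pdo_sqlite` extension) are assumptions made so it runs on its own.

```php
<?php
// Added example with constructed data. The password_hash column is an assumption;
// the level-to-page map uses the two pages named in the question.
const LEVEL_PAGES = ['CMD' => 'CMD_home.php', 'UMD' => 'UMD_home2.php'];

/** Returns the landing page for valid credentials, or null on any failure. */
function resolveLandingPage(PDO $pdo, string $username, string $password): ?string
{
    $stmt = $pdo->prepare(
        'SELECT password_hash, level FROM registered_accounts WHERE username = :name'
    );
    $stmt->execute(['name' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Unknown user: still verify against a dummy hash so both paths do similar work.
    static $dummy = null;
    $dummy ??= password_hash('placeholder', PASSWORD_DEFAULT);
    $hash = $row['password_hash'] ?? $dummy;

    if (!password_verify($password, $hash) || $row === false) {
        return null;
    }
    // Allowlist lookup: an unexpected level yields no page instead of a default.
    return LEVEL_PAGES[$row['level']] ?? null;
}

// Constructed demo: in-memory SQLite stands in for the real database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE registered_accounts
            (username TEXT PRIMARY KEY, password_hash TEXT, level TEXT)');
$insert = $pdo->prepare('INSERT INTO registered_accounts VALUES (?, ?, ?)');
$insert->execute(['alice', password_hash('cmd-pass', PASSWORD_DEFAULT), 'CMD']);
$insert->execute(['bob', password_hash('umd-pass', PASSWORD_DEFAULT), 'UMD']);
$insert->execute(['carol', password_hash('old-pass', PASSWORD_DEFAULT), 'GUEST']);

// Valid CMD, valid UMD, wrong password, unmapped level, unknown name with a quote.
$attempts = [['alice', 'cmd-pass'], ['bob', 'umd-pass'], ['bob', 'wrong'],
             ['carol', 'old-pass'], ["o'neil", 'anything']];
foreach ($attempts as [$user, $pass]) {
    $page = resolveLandingPage($pdo, $user, $pass);
    // In the login script: on a page, call session_regenerate_id(true), set the
    // session flag, send header("Location: $page") and exit; on null, show the error.
    printf("%-8s -> %s\n", $user, $page ?? 'Wrong login details.');
}
```

Only the first two attempts resolve to a page (`CMD_home.php` and `UMD_home2.php`); the other three print the error message.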