   if (isset($_POST['login_btn'])) {
      $username = mysqli_real_escape_string($db, $_POST['username']);
      $password = mysqli_real_escape_string($db, $_POST['password']);
    
      if (empty($username)) {
        array_push($errors, "Username is Required");
      }
      if (empty($password)) {
        array_push($errors, "Password is Required");
      }
    
      if (count($errors) == 0) {
            $password = md5($password);
    
            $query = "SELECT * FROM request WHERE username='$username' AND password='$password' ";
            $results = mysqli_query($db, $query);
    
            if (mysqli_num_rows($results) == 1){
                $logged_in_user = mysqli_fetch_assoc($results);
                if ($logged_in_user['user_type'] == 'admin') {
                    $_SESSION['user'] = $logged_in_user;
                    $_SESSION['success']  = "Welcome Admin";
                    header('location: admin/home.php'); 
    
                }elseif($logged_in_user['user_type'] == 'employee') {
                    $_SESSION['user'] = $logged_in_user;
                    $_SESSION['success']  = "Welcome Employee";
                    header('location: admin/employee.php'); 
                    
                }else{
                    $_SESSION['user'] = $logged_in_user;
                    $_SESSION['success']  = "Welcome User";
                    header('location: index.php');
                  }
            
            
            }else {
                array_push($errors, "Wrong username/password combination");
            }
        }
    }
    
    
    if (isset($_POST['login_btn'])) {
      $username = mysqli_real_escape_string($db, $_POST['username']);
      $password = mysqli_real_escape_string($db, $_POST['password']);
    
        if (count($errors) == 0) {
            $password = md5($password);
    
            $query = "SELECT * FROM request WHERE username='$username' AND password = '$password'";
            $check_user = mysqli_query($db, $query);
    
            if (mysqli_num_rows($check_user) == 1){
                $approved_by_admin = mysqli_fetch_assoc($check_user);
                if($approved_by_admin["status"] == 'approved'){
                    echo '<script type="text/javascript">';
                    echo 'alert("Login Success!")';
                    echo 'window.location.href = "index.php"';
                    echo '</script>';
                }
                elseif($approved_by_admin["status"] == 'pending'){
                    echo '<script type="text/javascript">';
                    echo 'alert("Your account is still pending for approval!")';
                    echo 'window.location.href = "login.php"';
                    echo '</script>';
                }
            }else{
                echo "Wrong  Combination";
            }
        }
    }

My query for approve and pending is not working.

If I remove the query for admin, employee and user it will work, but this will not work: echo 'window.location.href = "index.php"';

Basically my code is not working since it will just continue to log in even if the user's status is pending and not approved by the admin.

The second part of if (isset($_POST['login_btn'])) {, for pending and approve, is not working.

ADyson
sKy
    please don't store passwords using the obsolete, insecure md5 algorithm - that is a security risk. Learn about PHP's built-in, up-to-date, secure [password hashing and verification functions](https://www.php.net/manual/en/faq.passwords.php) instead. – ADyson Oct 08 '21 at 13:21
  • Anyway...how many rows of data do you expect `$results` to contain? `$logged_in_user = mysqli_fetch_assoc($results);` will retrieve the first row. Then later on you're doing `$approved_by_admin = mysqli_fetch_assoc($results);` which will attempt to get a second row from the same results. Are you sure you shouldn't just be trying to read status from the row you already retrieved? – ADyson Oct 08 '21 at 13:24
  • Also you're redirecting the user via the Location header if they're logged in, but then later trying to also redirect them using JS based on different conditions. There's a `}` missing somewhere too. The whole code seems very confused and it's unclear what rules you're actually trying to implement. – ADyson Oct 08 '21 at 13:25
  • Sorry, I reduced my code since it was just the same – sKy Oct 08 '21 at 13:33
  • I was having a problem in my pending and approve – sKy Oct 08 '21 at 13:34
  • I don't understand then...is this one script, or a merge of two scripts? It's unclear. We cannot see your original code or read your mind. As you've shown it, the code contains syntax errors and also makes no sense. Please edit the question to clarify the situation and provide a [mre] of your issue. Thanks. – ADyson Oct 08 '21 at 13:40
  • Merge of two scripts, since there is the same code; the only difference is the code for admin, employee, user and pending and approve. I just added the script so that I know if it will show – sKy Oct 08 '21 at 13:49
  • I assume you don't run _all_ this code in one single request, then? They are from separate files? – ADyson Oct 08 '21 at 13:58
  • I tried to run it in one single request and separately, just the same result; only the query for admin, employee and user is working – sKy Oct 08 '21 at 14:03
  • It makes no sense to put it all in one file; the two sections of code contradict each other with the way they do the redirects – ADyson Oct 08 '21 at 14:07
  • Sorry, it is my first time coding in PHP so I'm having a hard time with it. So how can I make them not contradict each other, since I need them both in my system? The requirement is that my admin can accept new user registrations and I need multiple users in my system – sKy Oct 08 '21 at 14:12
  • Ok. So we also need to define the rules a bit better. For example, do admin users also require another admin user to approve them, or is it only employees and users? Or only users? – ADyson Oct 08 '21 at 14:55
  • Only for users. – sKy Oct 08 '21 at 16:10

1 Answer

You need to integrate the test for approval into the existing login process. It makes no sense to have two separate sets of code, because

a) it's inefficient to query the same data twice from the database, and b) the first part of the code will have already set up the redirects before you even start checking with the second part.

This will make more sense, I think:

if (isset($_POST['login_btn'])) {
  $username = mysqli_real_escape_string($db, $_POST['username']);
  $password = mysqli_real_escape_string($db, $_POST['password']);

  if (empty($username)) {
    array_push($errors, "Username is Required");
  }
  if (empty($password)) {
    array_push($errors, "Password is Required");
  }

  if (count($errors) == 0) {
        $password = md5($password);

        // One query fetches the row once; it carries both user_type and status
        $query = "SELECT * FROM request WHERE username='$username' AND password='$password' ";
        $results = mysqli_query($db, $query);

        if (mysqli_num_rows($results) == 1){
            $logged_in_user = mysqli_fetch_assoc($results);
            if ($logged_in_user['user_type'] == 'admin') {
                $_SESSION['user'] = $logged_in_user;
                $_SESSION['success']  = "Welcome Admin";
                header('location: admin/home.php'); 
                exit(); // stop here so nothing after the redirect is sent
            }elseif($logged_in_user['user_type'] == 'employee') {
                $_SESSION['user'] = $logged_in_user;
                $_SESSION['success']  = "Welcome Employee";
                header('location: admin/employee.php'); 
                exit();
                
            }else{
              // Plain users additionally need the admin's approval
              if($logged_in_user["status"] =='approved'){
                $_SESSION['user'] = $logged_in_user;
                $_SESSION['success']  = "Welcome User";
                header('location: index.php');
                exit();
              }
              else {
                // Semicolons inside the echoed strings keep the two JS
                // statements separate once the echoes are concatenated
                echo '<script type="text/javascript">';
                echo 'alert("Your account is still waiting for approval!");';
                echo 'window.location.href = "login.php";';  
                echo '</script>';
              }
            }
        }else {
            array_push($errors, "Wrong username/password combination");
        }
    }
}

P.S. You should always exit(); immediately after you set a Location header, then there is no danger of protected content being accidentally leaked from later in the script.

P.P.S. Please don't store passwords using the obsolete, insecure md5 algorithm - that is a security risk. Learn about PHP's built-in, up-to-date, secure password hashing and verification functions instead.

P.P.P.S. While mysqli_real_escape_string will protect against most SQL injections, it's not foolproof. Prepared statements and parameters are a more secure and up-to-date way to write queries safely. See How can I prevent SQL injection in PHP for a thorough guide.
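As an added example (not ADyson's code or the question's), here is the same login flow with the three postscripts applied: a prepared statement with a bound parameter, password_verify() against a password_hash() value, and exit() straight after the Location header, while keeping the approval check for plain users. It assumes $db is an open mysqli connection (built with mysqlnd, so get_result() is available), session_start() has run, $errors is an array, and the request table's password column now stores password_hash() output.

```php
<?php
// Added example, not the answer's code. Assumes $db (mysqli), $errors (array),
// session_start() already called, and `request` rows with username, password
// (a password_hash() value), user_type and status columns.
function login_user(mysqli $db, string $username, string $password): array {
    // Placeholder instead of string interpolation: the username travels to
    // MySQL separately from the SQL text, so it cannot change the query.
    $stmt = $db->prepare(
        'SELECT username, password, user_type, status FROM request WHERE username = ?'
    );
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $user = $stmt->get_result()->fetch_assoc();   // null when no row matched
    $stmt->close();

    // Verify against a freshly computed dummy hash when the user does not
    // exist, so "no such user" costs about the same time as "wrong password".
    $hash = $user['password'] ?? password_hash('dummy', PASSWORD_DEFAULT);
    if (!password_verify($password, $hash) || $user === null) {
        return ['ok' => false, 'error' => 'Wrong username/password combination'];
    }

    // Only plain users need admin approval (as clarified in the comments).
    if ($user['user_type'] !== 'admin' && $user['user_type'] !== 'employee'
        && $user['status'] !== 'approved') {
        return ['ok' => false, 'error' => 'Your account is still waiting for approval'];
    }

    unset($user['password']);                    // never keep the hash in the session
    $targets = ['admin' => 'admin/home.php', 'employee' => 'admin/employee.php'];
    return ['ok' => true, 'user' => $user,
            'redirect' => $targets[$user['user_type']] ?? 'index.php'];
}

if (isset($_POST['login_btn'])) {
    $result = login_user($db, $_POST['username'] ?? '', $_POST['password'] ?? '');
    if ($result['ok']) {
        session_regenerate_id(true);             // fresh session id after login
        $_SESSION['user'] = $result['user'];
        header('Location: ' . $result['redirect']);
        exit();                                  // nothing below is ever sent
    }
    $errors[] = $result['error'];
}
```

Registration must then store password_hash($password, PASSWORD_DEFAULT) rather than md5($password), or password_verify() will reject every login.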

ADyson