Simplify multiple statements for PDO query building

Question

I wrote the following code to identify who is admin and who is the staff. It is working well but I'm wondering if there is a way to further simply this code. any help would be much appreciated. Thanks

<?php
session_start();
include('includes/con.php');
if (isset($_POST['admin'])) {
    $uname = $_POST['username'];
    $password = md5($_POST['password']);
    $sql = "SELECT username,password FROM admin WHERE username=:uname and password=:password";
    $query = $dbh->prepare($sql);
    $query->bindParam(':uname', $uname, PDO::PARAM_STR);
    $query->bindParam(':password', $password, PDO::PARAM_STR);
    $query->execute();
    $results = $query->fetchAll(PDO::FETCH_OBJ);
    if ($query->rowCount() > 0) {
        $_SESSION['admin'] = $_POST['username'];
        echo "<script type='text/javascript'> document.location = 'home.php'; </script>";
    } else
        $aerror = "admin error";

} elseif (isset($_POST['staff'])) {

    $uname = $_POST['username'];
    $password = md5($_POST['password']);
    $sql = "SELECT username,password FROM staff WHERE username=:uname and password=:password";
    $query = $dbh->prepare($sql);
    $query->bindParam(':uname', $uname, PDO::PARAM_STR);
    $query->bindParam(':password', $password, PDO::PARAM_STR);
    $query->execute();
    $results = $query->fetchAll(PDO::FETCH_OBJ);
    if ($query->rowCount() > 0) {
        $_SESSION['staff'] = $_POST['username'];
        echo "<script type='text/javascript'> document.location = 'home.php'; </script>";
    } else
        $serror = "staff error";


}

?>

Also, PHP (or really HTTP) has a native way to perform redirects instead of relying on JavaScript: https://stackoverflow.com/a/768472/231316 — Chris Haas, Aug 04 '22 at 11:19

MiYaMya · Answer 1 · 2022-08-04T03:04:17.253

Did you put your login site (admin and staff) in one place? How could you recognize the user's permission login if you put them together?

---update---

change your $_POST['staff'] and $_POST['admin'] to $_POST['permission']

for security, you need a $allowPermission to avoid SQLinjection


$allowPermission = ['admin', 'staff'];
if (isset($_POST['permission'])) {
    $permission = $_POST['permission'];
    if(!in_array($permission, $allowPermission)){
        $error = "{$permission} is error";
        echo $error;
        return false;
    }
    $uname = $_POST['username'];
    $password = md5($_POST['password']);
    $sql = "SELECT username,password FROM `{$permission}` WHERE username=:uname and password=:password";
    $query = $dbh->prepare($sql);
    $query->bindParam(':uname', $uname, PDO::PARAM_STR);
    $query->bindParam(':password', $password, PDO::PARAM_STR);
    $query->execute();
    $results = $query->fetchAll(PDO::FETCH_OBJ);
    if ($query->rowCount() > 0) {
        $_SESSION[$permission] = $_POST['username'];
        echo "<script type='text/javascript'> document.location = 'home.php'; </script>";
    } else{
        $error = "{$permission} is error";
        echo $error;
    }
}

On the staff and admin login page, there is a dropdown to select if they are staff or admin. — Bathiudeen, Aug 04 '22 at 02:53

Simplify multiple statements for PDO query building

1 Answers1