
I'm trying to set the login.php page to divert the user after a successful login to different landing pages. For instance, if type = model, Location: model-dashboard.php, or if type = photographer, Location: photographer-dashboard.php. At the moment, all users go to dashboard.php.

Here is my current PHP code, for which I'm happy to take any suggestions:

```php
if (loggedIn()) {
    header("Location:dashboard.php");
    exit();
}

if (isset($_POST['login'])) {
    $email    = mysqli_real_escape_string($db, $_POST['email']);
    $password = mysqli_real_escape_string($db, $_POST['password']);

    // Builds the SQL from the escaped input and compares the password as stored
    $query = "select * from users where email='$email' and password='$password'";

    $result = $db->query($query);

    if ($row = $result->fetch_assoc()) {
        if ($row['status'] == 1) {
            $_SESSION['user_email'] = $email;
            if (isset($_POST['remember_me'])) {
                setcookie("user_email", $email, time() + 60 * 5);
            }
            header("Location:dashboard.php");
            exit();
        } else {
            header("Location:login.php?err=" . urlencode("Account is not activated"));
            exit();
        }
    } else {
        header("Location:login.php?err=" . urlencode("Wrong e-mail or password"));
        exit();
    }
}
```

I already tried:

```php
$query = "select * from users where email='$email' and password='$password' and type='$type'";
```

and then

```php
if ($type == 'model') {
    $link = 'model-dashboard.php';
} elseif ($type == 'photographer') {
    $link = 'photographer-dashboard.php';
}
```

and using `Location:$link`, but no joy.

Edit: `$type = $row['type'];` I already defined this, I just forgot to mention it.

The current code is the one that works with a single page, so I just need to know what I should remove and what to add instead.

Thank you in advance!

afs
  • **Warning:** You are wide open to [SQL Injections](https://php.net/manual/en/security.database.sql-injection.php) and should use parameterized **prepared statements** instead of manually building your queries. They are provided by [PDO](https://php.net/manual/pdo.prepared-statements.php) or by [MySQLi](https://php.net/manual/mysqli.quickstart.prepared-statements.php). Never trust any kind of input! Even when your queries are executed only by trusted users, [you are still in risk of corrupting your data](http://bobby-tables.com/). [Escaping is not enough!](https://stackoverflow.com/q/32391315) – Dharman Jan 08 '23 at 23:28
  • **Never store passwords in clear text or using MD5/SHA1!** Only store password hashes created using PHP's [`password_hash()`](https://php.net/manual/en/function.password-hash.php), which you can then verify using [`password_verify()`](https://php.net/manual/en/function.password-verify.php). Take a look at this post: [How to use password_hash](https://stackoverflow.com/q/30279321/1839439) and learn more about [bcrypt & password hashing in PHP](https://stackoverflow.com/a/6337021/1839439) – Dharman Jan 08 '23 at 23:28

1 Answer

You say you tried adding an AND condition to your query. However, you don't want to constrain the users, you want to get the type from the user. Instead of adding an AND, get the type from the row:

```php
$type = $row['type'];
// Determine $link using $type
```

Also, note that your current approach of redirecting users to login.php with an error is vulnerable to reflective XSS.

nielsdos
  • Hey nielsdos, thanks for the reply. I did try `$type = $row['type'];` but still no joy, I just didn't put that in the initial question. The example code you see is the current one, which works with a single page, and I want to know, on that code, what I should remove and what I should add. I found that code on Google. I'm not an expert :D so I'd also appreciate a better solution – afs Jan 08 '23 at 22:11
  • You have to show the code that you tried, otherwise I cannot help you properly. – nielsdos Jan 08 '23 at 23:07
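Pulling the three pieces of advice on this page together (read the account type from the fetched row and map it to a landing page, as the answer says; use a prepared statement and `password_verify()`, as Dharman's comments say; and do not trust the error string that login.php reflects back), here is an added example of what the login handler could look like. It is not the asker's code or the answerer's code. It assumes a MySQLi connection in `$db` with the mysqlnd driver (for `get_result()`), a `users` table whose `password` column holds a `password_hash()` digest and which has `status` and `type` columns, the asker's existing `loggedIn()` function, and the two dashboard file names from the question; the remember-me cookie from the original is left out.

```php
<?php
// Added example, not the original poster's code. Assumes: $db is a mysqli
// connection (mysqlnd enabled), users.password holds a password_hash() digest,
// users.status / users.type exist, and loggedIn() is defined elsewhere.
session_start();

// Allowlist of account type -> landing page. Choosing the redirect target from
// a fixed map, never from a string the user controls, means a crafted `type`
// value can only ever fall back to the default dashboard.
const DASHBOARDS = [
    'model'        => 'model-dashboard.php',
    'photographer' => 'photographer-dashboard.php',
];

function dashboardFor(?string $type): string
{
    return DASHBOARDS[$type] ?? 'dashboard.php';   // unknown type: generic page
}

function redirectToLogin(string $error): void
{
    // login.php still reflects this string, so it must escape it on output:
    //   echo htmlspecialchars($_GET['err'] ?? '', ENT_QUOTES, 'UTF-8');
    header('Location: login.php?err=' . urlencode($error));
    exit();
}

// Already logged in: send the user to the dashboard for the type stored at login.
if (loggedIn()) {
    header('Location: ' . dashboardFor($_SESSION['user_type'] ?? null));
    exit();
}

if (isset($_POST['login'])) {
    $email    = $_POST['email'] ?? '';
    $password = $_POST['password'] ?? '';

    // Parameterised query: the e-mail is bound as data, never spliced into SQL.
    // The password is NOT part of the WHERE clause; it is checked against the hash.
    $stmt = $db->prepare('SELECT password, status, type FROM users WHERE email = ?');
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();

    // One generic message for "no such user" and "wrong password", so the
    // response does not reveal which e-mail addresses are registered.
    if ($row === null || !password_verify($password, $row['password'])) {
        redirectToLogin('Wrong e-mail or password');
    }
    if ((int) $row['status'] !== 1) {
        redirectToLogin('Account is not activated');
    }

    session_regenerate_id(true);        // new session id after authentication
    $_SESSION['user_email'] = $email;
    $_SESSION['user_type']  = $row['type'];

    // The type comes from the row, exactly as the answer suggests, and is
    // translated into a file name through the allowlist above.
    header('Location: ' . dashboardFor($row['type']));
    exit();
}
```

Existing rows with plaintext passwords would need to be rehashed with `password_hash($plain, PASSWORD_DEFAULT)` once before this code can verify them, and login.php itself has to escape `$_GET['err']` as the comment shows, otherwise the reflected-XSS point in the answer still applies.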