PHP Login redirect help

Hi guys,

I'm messing about with PHP scripts and have a log in which queries the users in a database. If the user has a 1 in the table, they are admin and are directed to admin.php. If the user is the default (0) then they are directed to the normal page. But, what I can't seem to achieve is a redirect to an "opps" page if any of the above enter their details incorrectly.

Code:
<?php
session_start();

include("connect.php");

function clean($value) {
    if (get_magic_quotes_gpc()) $value = stripslashes($value);
    return trim(mysql_real_escape_string($value));
}

if ($_POST['login'] && $_POST['username'] && $_POST['password']) {

    $username = clean($_POST['username']);

    $password = md5($_POST['password']);

    $result = mysql_query("SELECT username FROM users WHERE username = '$username' AND password = '$password' AND admin = '1'");

    if (mysql_num_rows($result) > 0) {
        $_SESSION['username'] = $username;

        header("Location: correct.php");
    } else {
        header("Location: wrong.php");
    }
}

?>

What do I need to add?
 
Thanks mate,

Is there a bracket missing in the code though as my page just renders at the top like this:

0) {
$row_login = mysql_fetch_array($result);
if($row_login['admin'] == 1){
$_SESSION['username'] = $username;
header("Location: admin.php"); // An admin
exit;
}
if($row_login['admin'] == 0){
$_SESSION['username'] = $username;
header("Location: notadmin.php"); // Not an admin
exit;
}
} else {
header("Location: detailswrong.php"); // No users found with that username and password combo
exit;
}
} else {
header("Location: nodata.php"); // Field missed
exit;
}
?>
 
Hmm, yeah, for some reason, it doesn't work.

My SQL table only has username, password and admin fields and the user is only asked for their username and password.

Something is causing it to fail now
 
Ok, thanks.

If I leave the code untouched, I get this at the top of the screen (which isn't even really an error)

imgu.png
and the page formatting is all wrong.

If I take out this line of code:
Code:
} else {
header("Location: nodata.php"); // Field missed
exit;

The page then renders correctly with no "errors" but both admins and normal users go to the same page.
 
Yeah, I've turned on Error Reporting but I still get the same error as in the screenshot.

I have no idea why it's doing that at all
 
Sorted, I manned up and started again as I really need to grasp this myself now.

Here's the code I'm using. Please let me know if it can be improved:

PHP:
<?php
session_start();
require_once('includes/config.php');

if (isset($_POST['submitted'])) {

    require_once('includes/classes/class.wc_validation.php');

    $form = new wc_validation();

    $form->Text($_POST['username'], 'UserName', false, 0, 50);
    $form->Text($_POST['password'], 'Password', true);

    if (!$form->hasErrors) {

        /* There are no issues with the form (fields not empty etc.), so go on to the SQL requests that check whether the user is on the system */

        $sql = "SELECT * FROM users WHERE username = '" . $form->formData['UserName'] . "' ";

        if (!$result = $db->Select($sql)) {

            /* The username doesn't exist in the database, so take them back to the login form and let them know
               by adding an error message to the form object we currently have and outputting it on the page */
            $form->addError('UserName', 'The username you entered doesnt appear to exist in our system please double check you have entered it correctly and try again');

        } else {

            /* The username exists, so now check that the password is correct */

            $sql = "SELECT * FROM users WHERE username = '" . $form->formData['UserName'] . "' AND password = '" . md5($form->formData['Password']) . "' LIMIT 1";

            if (!$result = $db->Select($sql)) {

                /* The password is incorrect, so go back to the login screen telling them so;
                   you can change the messages if you want to */
                $form->addError('Password', 'The password doesnt match with the credentials we have on the system please try again');

            } else {

                /* They have used the correct details and can now be redirected to the appropriate area.
                   The admin check reads $result[0], so the session values are read from that same row. */
                $_SESSION['user']['username'] = $result[0]['username'];
                $_SESSION['user']['level'] = $result[0]['admin'];

                if ($result[0]['admin'] == '0') {
                    # redirect to non admin page
                    header('Location: normal.php');
                } else {
                    # redirect to admin page
                    header('Location: admin.php');
                }
                exit; // stop here so nothing else is output after the redirect header

            }

        }

    }

}

?>
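A hardened form of the lookup-and-redirect logic discussed in this thread, as an added example that is not any poster's code: it uses a bound parameter instead of string-built SQL, `password_hash`/`password_verify` instead of `md5`, and a single failure page whether the username or the password is wrong. It assumes PDO with an in-memory SQLite database and constructed users; the function names `authenticate` and `redirect_target` are hypothetical.

```php
<?php
// Added example. Table layout (username, password, admin) and page names follow
// the thread; the SQLite database and the sample users are constructed.
declare(strict_types=1);

function authenticate(PDO $db, string $username, string $password): ?array
{
    // Bound parameter: the username never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT username, password, admin FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a dummy hash when the user is unknown, so both failure
    // paths do comparable work and return the same result.
    static $dummy = null;
    $dummy ??= password_hash('placeholder', PASSWORD_DEFAULT);
    $ok = password_verify($password, $row ? $row['password'] : $dummy);

    return ($row && $ok) ? $row : null;
}

function redirect_target(?array $user): string
{
    if ($user === null) {
        return 'detailswrong.php';      // one page for any bad credentials
    }
    return (int) $user['admin'] === 1 ? 'admin.php' : 'notadmin.php';
}

// Constructed demo data in an in-memory database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, admin INTEGER)');
$ins = $db->prepare('INSERT INTO users VALUES (?, ?, ?)');
$ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT), 1]);
$ins->execute(['bob', password_hash('battery staple', PASSWORD_DEFAULT), 0]);

$attempts = [
    ['alice', 'correct horse'],     // admin
    ['bob', 'battery staple'],      // normal user
    ['bob', 'wrong'],               // bad password
    ["o'brien", 'anything'],        // quote is handled as data, matches no user
];
foreach ($attempts as [$u, $p]) {
    echo str_pad($u, 10), ' -> ', redirect_target(authenticate($db, $u, $p)), PHP_EOL;
}
```

In a real login page, a successful result would be followed by `session_regenerate_id(true)`, the `$_SESSION` assignments, `header('Location: ...')` and `exit;`.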
 