-4

I know there are similar threads, and I have looked at those threads, although none of them seem to work for me.
First off, I'd like to point out that this is a simple college assignment and is not an actual website, I am not worried about "security" or anything.
Secondly, my database is made of 'username' 'password' and 'admin', admin being 0 or 1.
What I need help with is to make the user redirect to 'hit-counter.php' if the admin value is 1, not 0.
Currently, they always go to 'index_loginsuccesful.php' no matter the admin value. (Or 'index_loginfailed.php' if the username/password is wrong)
Any thoughts?

```php
<?php
$conn = mysql_connect ("localhost", "root","");
mysql_select_db("a_blub",$conn);
$result=mysql_query("SELECT password FROM user WHERE username = '$_POST[theusername]'",$conn);
$rows=mysql_fetch_array($result);

if($_POST['thepassword'] == $rows[0])
{
    if ($_POST['admin'] == 1)
    Header("location:hit-counter.php");
    else
    Header("location:index_loginsuccesful.php");
}
else
{
    Header("location:index_loginfailed.php");
} ?>
```
Dharmesh Porwal
Gacsam
  • injection, don't pass data directly to sql query, also use if( count($rows)>0){ //access admin }else{ die("no access");} – geekido Jan 06 '15 at 11:40
  • 3
    **Danger**: You are using [an **obsolete** database API](http://stackoverflow.com/q/12859942/19068) and should use a [modern replacement](http://php.net/manual/en/mysqlinfo.api.choosing.php). You are also **vulnerable to [SQL injection attacks](http://bobby-tables.com/)** that a modern API would make it easier to [defend](http://stackoverflow.com/questions/60174/best-way-to-prevent-sql-injection-in-php) yourself from. – Quentin Jan 06 '15 at 11:41
  • 2
    "I am not worried about "security" or anything" — Be worried. SQL injection security holes are also a massive opportunity for user input to cause your code to break. – Quentin Jan 06 '15 at 11:42
  • Was wondering who'd give the injection/security talk :) Anyways, could you paste a var_dump of $row? – Peter Jan 06 '15 at 11:43
  • As I pointed out, it is a simple college assignment that will not be placed online at all, that is why I am not worried about security. And about what database we're using, we don't really have a choice, that's what the teachers are telling us to use. – Gacsam Jan 06 '15 at 11:44
  • @Peter, I'm not sure if this is the right one, me being a newbie, but that's the result: " array(2) { [0]=> string(5) "Admin" ["password"]=> string(5) "Admin" } " Well, that or " Notice: Undefined index: theusername in A:\xampp\htdocs\script-login.php on line 4 bool(false) " – Gacsam Jan 06 '15 at 11:59

2 Answers

0

If you want to redirect to different places depending on what data is in the database then you need to compare 1 to the data you get back from the database instead of $_POST which will contain the data submitted from the form. You will also need to SELECT the column containing that data as well as password.

Quentin
0

Could you try this out?

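```php
<?php
// Connect with the legacy mysql_* API used in the question.
$conn = mysql_connect("localhost", "root", "");
mysql_select_db("a_blub", $conn);

// Select the admin column as well as the password, so the redirect is decided from the database.
$result = mysql_query("SELECT password, admin FROM user WHERE username = '".mysql_real_escape_string($_POST['theusername'])."' LIMIT 1", $conn);

// mysql_fetch_assoc() returns false when no user matches.
$row = mysql_fetch_assoc($result);

if ($row && $_POST['thepassword'] === $row['password']) {
    // The admin flag comes from the database row, not from the submitted form.
    if ($row['admin'] == 1) {
        header("Location: hit-counter.php");
        exit;
    } else {
        header("Location: index_loginsuccesful.php");
        exit;
    }
} else {
    header("Location: index_loginfailed.php");
    exit;
}
```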
Peter
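The points raised in the comments and both answers, combined in one added example that is not part of the original thread: the redirect is decided from the `admin` column of the database row, and the username reaches the query only through a bound placeholder. It swaps the `mysql_*` API for PDO (run here against an in-memory SQLite database with constructed accounts) and the plain-text password comparison for `password_hash()`/`password_verify()`; `login_target()` is a hypothetical helper name.

```php
<?php
// Added example: constructed data in an in-memory SQLite database (needs pdo_sqlite).
// Table and column names follow the question; login_target() is a hypothetical helper.

function login_target(PDO $pdo, string $username, string $password): string
{
    // The placeholder keeps the username out of the SQL text entirely.
    $stmt = $pdo->prepare('SELECT password, admin FROM user WHERE username = ? LIMIT 1');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // No such user, or wrong password: same failure page either way.
    if ($row === false || !password_verify($password, $row['password'])) {
        return 'index_loginfailed.php';
    }
    // The admin flag comes from the database row, never from $_POST.
    return (int) $row['admin'] === 1 ? 'hit-counter.php' : 'index_loginsuccesful.php';
}

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE user (username TEXT PRIMARY KEY, password TEXT, admin INTEGER)');

// Constructed sample accounts; passwords are stored as hashes, not plain text.
$insert = $pdo->prepare('INSERT INTO user (username, password, admin) VALUES (?, ?, ?)');
$insert->execute(['Admin', password_hash('Admin', PASSWORD_DEFAULT), 1]);
$insert->execute(['student', password_hash('letmein', PASSWORD_DEFAULT), 0]);

// Constructed form submissions: [theusername, thepassword, admin value sent by the client].
$attempts = [
    ['Admin', 'Admin', '0'],       // admin in the database, whatever the form says
    ['student', 'letmein', '1'],   // client claims admin=1; the claim is ignored
    ['student', 'wrong', '0'],     // wrong password
    ["O'Brien", 'x', '0'],         // a quote in the name is handled as plain data
];
foreach ($attempts as [$user, $pass, $postedAdmin]) {
    printf("%-8s posted admin=%s -> %s\n", $user, $postedAdmin, login_target($pdo, $user, $pass));
}
```

In the login script itself, the returned page name would be passed to `header('Location: ...')` followed by `exit;`.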