php and phpmyadmin user login with admin users

Question

    <!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<title>Login</title>
<link rel="stylesheet" href="style.css" />
</head>
<body>
<?php
require('databaseConnect.php');
session_start();


if (isset($_POST['username'])) {
    $username = $_POST['username'];
    $password = $_POST['password'];

    $query    = "SELECT * FROM `UserReg` WHERE username='$username' and password='" . md5($password) . "'";
    $result = mysql_query($query) or die(mysql_error());
    $rows = mysql_num_rows($result);
    if($rows==1){
     $_SESSION['username'] = $username;
     if($admin == 1) { // here $role should be database value whatever you have taken 
        //redirect page for admin
     }else
     header("Location: admin.php"); // This will redirect the user to index.php page. 
}else{
      echo "<div class='form'><h3>Username/password is incorrect.</h3><br/>Click here to <a href='login.php'>Login</a></div>";
}

    function test_input($data)
    {
        $data = trim($data);
        $data = stripslashes($data);
        $data = htmlspecialchars($data);
        return $data;
    }
?>

<div class="testbox">

<img src="Logo.png" alt="Logo" align="middle" style="width:340px;height:90px;" >

<h1>Login</h1>
<form action="<?php
    echo htmlspecialchars($_SERVER["PHP_SELF"]);
?>" method="post" name="login">

<label id="icon" for="name"><i class="icon-user"></i></label>
<input type="text" name="username" id="name" placeholder="Username" required/>
<label id="icon" for="name"><i class="icon-shield"></i></label>
<input type="password" name="password" id="name" placeholder="Password" required/>
<input name="submit" type="submit" value="Login" />
<input type="reset" value="Reset"/>

<a href='registration.php'>Register Here</a>
</form>
</div>

<?php
}
?>
</body>
</html>

A user can login perfectly fine.
In the database i have assigned the users to 0 and the admin to 1.
What do i need to add to the code to allow the admin to login and be directed to a different page, other than the index page.

You really shouldn't use [MD5 password hashes](http://security.stackexchange.com/questions/19906/is-md5-considered-insecure) and you really should use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. Make sure that you [don't escape passwords](http://stackoverflow.com/q/36628418/1011527) or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. — Jay Blanchard, May 03 '16 at 14:27
[Little Bobby](http://bobby-tables.com/) says [your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! — Jay Blanchard, May 03 '16 at 14:27
Please [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php). [These extensions](http://php.net/manual/en/migration70.removed-exts-sapis.php) have been removed in PHP 7. Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [PDO](http://php.net/manual/en/pdo.prepared-statements.php) and [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and consider using PDO, [it's really pretty easy](http://jayblanchard.net/demystifying_php_pdo.html). — Jay Blanchard, May 03 '16 at 14:27
If you're distinguishing between users you use the value in that column to determine the redirect. — Jay Blanchard, May 03 '16 at 14:31
phpMyAdmin is a tool for managing a MySQL or MariaDB instance, it's not a database system itself. You probably mean MySQL or MariaDB instead. — Isaac Bennetch, May 04 '16 at 17:55

score 1 · Answer 1 · answered May 04 '16 at 16:40

Apart from the other issues (SQL injection, deprecated functions) that have been already mentioned before:

Setting a header will not work if you output anything before issueing it. So you will have to move the HTML sequence at the beginning to after the PHP code block (or maybe use output buffering).
Moving function definitions to the top of the code will make your code easier readable.
And I do not see in your code where you set the value of $admin although it is included in the answers.

The role-check-and-redirect section can be reduced to:

     [...]
     $admin = $data['admin'];                          // assuming that users role is contained in `admin` field
     $target = $admin==1 ? 'admin.php' : 'index.php';  // select appropriate target location
     header('Location: '.$target);                     // redirect
     exit;                                             // and stop program execution
}else{ [...]

score 0 · Answer 2 · answered May 03 '16 at 14:42

0

You can use if condition to redirect e.g in your code

if($rows==1){
     $_SESSION['username'] = $username;
     if($role == 1) { // here $role should be database value whatever you have taken 
        //redirect page for admin
     }else
     header("Location: index.php"); // This will redirect the user to index.php page. 
}else{
      echo "<div class='form'><h3>Username/password is incorrect.</h3><br/>Click here to <a href='login.php'>Login</a></div>";
}

answered May 03 '16 at 14:42

Mukesh Ram

6,248
4
19
37

when i've changed it to what you suggested, the form is no longer visable – Laura May 03 '16 at 14:52
have you properly declare $role variable ? – Mukesh Ram May 03 '16 at 14:57
ive changed it to $admin as that is the column name in the database – Laura May 03 '16 at 15:02
Here you should declare $admin variable as below $data = mysql_fetch_assoc($result); $admin = $data['admin']; – Mukesh Ram May 03 '16 at 15:15
i'm still just getting a blank page – Laura May 03 '16 at 15:22

score 0 · Answer 3 · answered May 03 '16 at 15:25

You have an error in your code.

replace with below

<?php
if (isset($_POST['username'])) {
    $username = $_POST['username'];
    $password = $_POST['password'];

    $query = "SELECT * FROM `UserReg` WHERE username='$username' and password='" . md5($password) . "'";
    $result = mysql_query($query) or die(mysql_error());
    $rows = mysql_num_rows($result);
    if ($rows == 1) {
        $data = mysql_fetch_assoc($result); 
        $admin = $data['admin'];
        $_SESSION['username'] = $username;
        if ($admin == 1) { // here $role should be database value whatever you have taken 
            //redirect page for admin
        } else
            header("Location: admin.php"); // This will redirect the user to index.php page. 
    }else {
        echo "<div class='form'><h3>Username/password is incorrect.</h3><br/>Click here to <a href='login.php'>Login</a></div>";
    }
}

function test_input($data) {
    $data = trim($data);
    $data = stripslashes($data);
    $data = htmlspecialchars($data);
    return $data;
}
?>

Why should the OP "replace with below"? A ***good answer*** will always have an explanation of what was done and why it was done in such a manner, not only for the OP but for future visitors to SO. — Jay Blanchard, May 03 '16 at 17:16
This sends all users to the admin page, even when they are assigned 0 in the database. Im wanting the users which are 0 for admin to go ti the index page, the users which are 1 for admin to the admin page. — Laura, May 04 '16 at 09:43

php and phpmyadmin user login with admin users

3 Answers3