User-role based login always redirect to the same page

Question

I want to redirect users to different page based on their role using PHP. But, the problem is, whoever the user, they'll always redirected to the same page (page where the first if-statement referred).

here's the code

<?php
include("config.php");
session_start();

if($_SERVER["REQUEST_METHOD"] == "POST") {

  $myusername = mysqli_real_escape_string($db,$_POST['username']);
  $mypassword = mysqli_real_escape_string($db,$_POST['password']);

  $sql = "SELECT * FROM user WHERE username = '$myusername' and password = '$mypassword'";
  $result = mysqli_query($db,$sql);
  $row = mysqli_fetch_array($result,MYSQLI_ASSOC);
  $active = isset($row['active']);
  $count = mysqli_num_rows($result);

  $role = isset($row['role']);

    if($role == 'admin'){
        $link = 'admin.php';
    }
    elseif($role == 'user'){
        $link = 'user.php';
    }
    elseif($role == 'expert'){
        $link = 'expert.php';
    }
    else{
        $link = '404.php';
    }

  if($count == 1) {
    $_SESSION['username'] = $myusername;

    header("Location: ".$link."");
    exit(); 
  }else {
     $error = "Your Login Name or Password is invalid";
  }
}
?>

So, if i replace admin.php on the first if statement with another page, the users will be redirected there. I've followed solutions from different case, but it didnt work.

even i change the "=" to "==" it will be the same, still redirected to the same page on the first if statement. If i change it to "===" it will redirected to the 404.php. — psdm, Aug 20 '16 at 15:00

score 1 · Accepted Answer · edited May 23 '17 at 12:08

1

This line

$role = isset($row['role']);

Sets $role to true or possibly false but it definitely does not set it to the contents of $row['role']

I would suggest removing that line completely it is not necessary as your if/elseif/else covers all the possible options quite nicely.

It is also totally unnecesary to move a value from the $row array into a scalar variable so this would be simpler

//$role = isset($row['role']);

if($row['role'] == 'admin'){
    $link = 'admin.php';
} elseif($row['role'] == 'user'){
    $link = 'user.php';
} elseif($row['role'] == 'expert'){
    $link = 'expert.php';
} else{
    $link = '404.php';
}

Unfortunately I have to mention that: Your script is at risk of SQL Injection Attack Have a look at what happened to Little Bobby Tables Even if you are escaping inputs, its not safe! Use prepared parameterized statements

It is also very dangerous storing plain text password on your database. The most likely attack vector on your database is internal staff. Therefore all passwords shoudl be HASHED. PHP provides password_hash() and password_verify() please use them.

edited May 23 '17 at 12:08

Community

1
1

answered Aug 20 '16 at 15:21

RiggsFolly

93,638
21
103
149

To expand: `if ( isset($row['role']) ) $role = $(row['role']);` – Abdul Sadik Yalcin Aug 20 '16 at 15:29
@Devrim It is not usually necessary to chack for the existance of a column in a database query resultset. – RiggsFolly Aug 20 '16 at 15:32
1

I had closed that question earlier with the 3 equals and reopened it based on their comment/edit. The only thing that was left was that `isset`; lordie, can't they figure stuff out for themselves? *sigh/groan*, doesn't seem like it. – Funk Forty Niner Aug 20 '16 at 15:33
@Fred-ii- Its the weekend, _nuff said_ – RiggsFolly Aug 20 '16 at 15:37
Thanks, that's solve it. It's been a year i didnt code for web, seems i need to do some review. Thank again – psdm Aug 20 '16 at 15:57

User-role based login always redirect to the same page

1 Answers1