
I need some help trying to figure out why my PHP login redirect isn't functioning properly. I first attempted just a simple login and it worked fine, but after I added an if statement to redirect according to their user level, it just crashes.

Here's the code:

*edit: I need more help with the code actually redirecting to the corresponding page of the user's role level. Currently, I'm able to log in (no login errors) but it does not send the user to their corresponding page (i.e. admin to the admin page, user to the user page, and coordinator to the coordinator page).

```php
<?php
session_start();
include 'connect.php';


$email = $_POST["login_email"];
$pwd= $_POST["login_pwd"];
$role = $_POST["role"];

$sql = "SELECT * FROM users WHERE email='$email' AND password= '$pwd' AND role='$role' ";


if($row != mysqli_fetch_assoc($result)){
    echo "Your user name or password is incorrect!";
    header("Location:login.html");
}else{
    $_SESSION['id'] = $row['id'];
    if ($_SESSION['role'] == 'admin') {
   header("Location: admin.php");
} else if ($_SESSION['role'] == 'editor') {
   header("Location: editor.php");
} else if ($_SESSION['role'] == 'user') {
   header("Location: user.php");
}
    echo "Successful login!";
}
```
len
  • Can't do an echo before a header. Have the Header include something like `admin.php?MSG=Password_Incorrect'` and have admin.php echo it – Forbs Apr 12 '17 at 00:57
  • **WARNING:** When using `mysqli` you should be using [parameterized queries](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and [bind_param](http://php.net/manual/en/mysqli-stmt.bind-param.php) to add user data to your query. DO NOT use string interpolation or concatenation to accomplish this because you have created a severe [SQL injection bug](http://bobby-tables.com/). **NEVER** put `$_POST`, `$_GET` or **any** user data directly into a query, as it can be very harmful if someone seeks to exploit your mistake. – Blue Apr 12 '17 at 01:09

2 Answers


A location header is designed to tell the browser that it should redirect the page to another source. When you echo out content, you're basically saying that you're done sending headers, and content begins. In the case of sending a location, you shouldn't really be sending any content at all, because the page will simply redirect when it reads the header (Not displaying any content at all.)

See this post for more information on this issue.

Blue

In the code you provided it shows that you set the `$role` variable as `$role = $_POST["role"];` but when redirecting you use `$_SESSION['role'] == 'admin'` to determine the role of the user, but you never set `$_SESSION['role']` in the code.

Try the code below to see if it works:

```php
//other code above
else{
    $_SESSION['id'] = $row['id'];
    if ($role == 'admin') {
        header("Location: admin.php");
    } else if ($role == 'editor') {
        header("Location: editor.php");
    } else if ($role == 'user') {
        header("Location: user.php");
    }
//other code below
```

Let me know if it helps or if you find a problem.

Douglas Hosea
  • That's some pretty insane horrendousness. What if the user has JavaScript disabled? Why even bring JavaScript into the picture? – Blue Apr 12 '17 at 01:18
  • I was just suggesting a way of displaying an error message before redirect. – Douglas Hosea Apr 12 '17 at 01:19
  • This code displays the message "Successful login" but does not redirect the user to their corresponding page, i.e. admin page, user page, coordinator page. – len Apr 12 '17 at 01:52
  • @len, I have edited my answer, please take a look at it. – Douglas Hosea Apr 12 '17 at 02:59
  • I tried it and I get the same; it allows login but doesn't redirect to the corresponding page. – len Apr 12 '17 at 20:31
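
The points raised in the comments and answers above (no output before `header()`, a parameterized query with `bind_param`, and a role that is set before it is checked) can be combined into one login handler. This is an added example, not code from the question or either answer; it assumes `connect.php` defines a mysqli connection in `$conn` and that `users.password` stores a `password_hash()` hash, and `ROLE_PAGES` and `redirect_to()` are hypothetical names.

```php
<?php
// Added example, not code from the thread.
// Assumptions: connect.php defines a mysqli connection in $conn, and
// users.password holds a hash created with password_hash().
session_start();
include 'connect.php';

// Fixed map of role => landing page (hypothetical name). A role that is
// not listed here never reaches header().
const ROLE_PAGES = [
    'admin'  => 'admin.php',
    'editor' => 'editor.php',
    'user'   => 'user.php',
];

// Hypothetical helper: send the Location header and stop, so nothing is
// echoed before the header and no code runs after the redirect.
function redirect_to(string $page): void
{
    header("Location: $page");
    exit;
}

$email = $_POST['login_email'] ?? '';
$pwd   = $_POST['login_pwd'] ?? '';
if (!is_string($email) || !is_string($pwd)) {
    redirect_to('login.html');
}

// Parameterized query: the e-mail is bound, never interpolated into the SQL.
$stmt = $conn->prepare('SELECT id, password, role FROM users WHERE email = ?');
$stmt->bind_param('s', $email);
$stmt->execute();
$row = $stmt->get_result()->fetch_assoc();   // null when no row matches

// The role comes from the database row, not from $_POST.
$page = $row ? (ROLE_PAGES[$row['role']] ?? null) : null;
if ($page === null || !password_verify($pwd, $row['password'])) {
    redirect_to('login.html');
}

session_regenerate_id(true);        // fresh session id after authentication
$_SESSION['id']   = $row['id'];
$_SESSION['role'] = $row['role'];   // set before any page checks it
redirect_to($page);
```

Because `$_SESSION['role']` is filled from the row that matched the credentials, `admin.php`, `editor.php` and `user.php` can each check it again on load instead of trusting that the redirect was followed.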