
I want to make a multi-level user login menu, but it doesn't go to the assigned menu according to the different user levels. What did I do wrong?

 # LOGIN CHECK AGAINST THE USER LOGIN TABLE
  $loginSql = "SELECT * FROM user WHERE username='$txtUser' AND password='".md5($txtPassword)."'";
  $loginQry = mysql_query($loginSql, $koneksidb) or die ("Query Salah : ".mysql_error());

  # IF SUCCEED
  if (mysql_num_rows($loginQry) >=1) 
  {
   $loginData = mysql_fetch_array($loginQry);
   $_SESSION['SES_LOGIN']  = $loginData['kode_user']; 
   $_SESSION['SES_ADMIN']  = $txtUser;
   $_SESSION['level']      = $loginData['level'];
   // Refresh
   if($row['level'] == "admin")
        {
            
            header("Location: admin.php");
        }
        else if($row['level'] =="academic")
        {
            header("Location: academic.php");
        }
        else if($row['level'] == "student")
        {
            
            header("Location: student.php");
        }
   echo "<meta http-equiv='refresh' content='0; url=?open'>";
  }


  • 1) md5 is old and should not be used anymore: http://php.net/manual/en/faq.passwords.php. 2) You're wide open for SQL injection attacks. 3) mysql_* are deprecated; you should use mysqli_* functions or PDO instead. 4) After a header() function you should use exit(), die() or __halt_compiler() to stop the script's execution. – Raymond Nijland Sep 01 '17 at 14:22
  • Questions seeking debugging help ("why isn't this code working?") must include the desired behavior, a specific problem or error and the shortest code necessary to reproduce it in the question itself. – Raymond Nijland Sep 01 '17 at 14:25
  • You never set `$row`, you set `$loginData` – Jay Blanchard Sep 01 '17 at 14:25

1 Answer

You never set $row, you set $loginData; therefore

if($row['level'] == "admin")...
else if($row['level'] =="academic")...
else if($row['level'] =="student")...

will not work. You should use this test:

if($loginData['level'] == "admin")...
else if($loginData['level'] =="academic")...
else if($loginData['level'] =="student")...

OR use the session variable (making sure session_start() is at the top of the script):

if($_SESSION['level'] == "admin")...
else if($_SESSION['level'] =="academic")...
else if($_SESSION['level'] =="student")...

Warning!

Little Bobby says your script is at risk for SQL Injection Attacks. Even escaping the string is not safe!

Please stop using mysql_* functions. These extensions have been removed in PHP 7. Learn about prepared statements for PDO and MySQLi and consider using PDO, it's really pretty easy.

You really shouldn't use MD5 password hashes and you really should use PHP's built-in functions to handle password security. Make sure you don't escape passwords or use any other cleansing mechanism on them before hashing. Doing so changes the password and causes unnecessary additional coding.

Jay Blanchard
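The fixes named in the comment and the answer above (a prepared statement, password_hash()/password_verify(), redirecting from the fetched row, exit after header()), combined in one added example that is not code from the question or the answer. It assumes the `password` column stores password_hash() output; an in-memory SQLite table with constructed users stands in for the MySQL `user` table so the script runs offline, and authenticate() and landingPage() are hypothetical names.

```php
<?php
declare(strict_types=1);

// Allow-list: each level maps to one landing page (page names from the question).
const LANDING = ['admin' => 'admin.php', 'academic' => 'academic.php', 'student' => 'student.php'];

/** Returns the user row on success, null on unknown user or wrong password. */
function authenticate(PDO $db, string $user, string $pass): ?array
{
    // The placeholder keeps $user out of the SQL text, so quotes in it stay data.
    $stmt = $db->prepare('SELECT kode_user, username, password, level FROM user WHERE username = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // password_verify() checks the raw password against the stored password_hash() value.
    if ($row === false || !password_verify($pass, $row['password'])) {
        return null;
    }
    return $row;
}

/** Returns the redirect target for a level, or null if the level is not on the allow-list. */
function landingPage(string $level): ?string
{
    return LANDING[$level] ?? null;
}

// Constructed sample data: in-memory SQLite stands in for the MySQL `user` table (assumption).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (kode_user TEXT, username TEXT, password TEXT, level TEXT)');
$ins = $db->prepare('INSERT INTO user VALUES (?, ?, ?, ?)');
$ins->execute(['U01', 'alice', password_hash('correct horse', PASSWORD_DEFAULT), 'admin']);
$ins->execute(['U02', 'bob', password_hash('s3cret', PASSWORD_DEFAULT), 'student']);
$ins->execute(['U03', "o'brien", password_hash('tr0ub4dor', PASSWORD_DEFAULT), 'academic']);

// Constructed login attempts: valid, wrong password, and a username containing a quote.
foreach ([['alice', 'correct horse'], ['bob', 'nope'], ["o'brien", 'tr0ub4dor']] as [$u, $p]) {
    $row = authenticate($db, $u, $p);
    $target = $row ? landingPage($row['level']) : null;
    echo str_pad($u, 10), ' -> ', $target ?? 'login rejected', PHP_EOL;
}

// In the real login script, after a successful authenticate():
//   session_regenerate_id(true);          // new session id after the privilege change
//   $_SESSION['level'] = $row['level'];
//   header('Location: ' . $target);
//   exit;                                 // stop here so nothing after the redirect runs
```

Existing MD5 values cannot be converted in place; each account needs a password_hash() value written at its next successful login or password reset.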