-3

Here is the login page where the user and admin log in

    $username = trim(mysql_prep($_POST['username']));
    $password = trim(mysql_prep($_POST['password']));

    if (empty($errors)) {
        if (!$username) {
            $message = "username field is empty!";
        } else if (!$password) {
            $message = "password field is empty!";
        } else {
            //  **********  Authenticate user details   ************
            $cpassword = sha1($password);
            $query = "SELECT * FROM users WHERE surname = '{$username}' AND password = '{$cpassword}' AND position = 'admin' LIMIT 1";
            $result_set = mysql_query($query);
            confirm_query($result_set);
            if (mysql_num_rows($result_set) == 1) {
                //  **********  checks the result from db   *************
                $found_user = mysql_fetch_array($result_set);
                $_SESSION['user_id'] = $found_user['id'];
                $_SESSION['username'] = $found_user['surname'];
                redirect_to("admin.php");
            } else {
                //redirect_to("index.php");
                $message = "username or password is incorrect";
            }
        }
    } else {
        if (count($errors) == 1) {
            $message = 'there was 1 error in the form';
        } else {
            $message = 'there were ' . count($errors) . ' errors in the form';
        }
    }

    <form name="user" method="post" action="log.php" >

        <input id="uname" type="text" name="username" placeholder="Enter your username" value="<?php echo htmlentities($username); ?>"/><br /><br />
        Password:<br />
        <input id="pass" type="password" name="password" placeholder="Enter your password" value="<?php echo htmlentities($password); ?>"/><br /><br />
        <input id="Signin" type="submit" name="Submit" value="Sign in" /><br /><br />

    </form>
GolezTrol
Tuns
  • Show us what you have tried, SO isn't a free coding service. – Epodax Nov 13 '15 at 08:59
  • Send a `Location` header? Or simply follow a different code-path by `include`? Use your favourite search-engine and search for 'php redirecting' leading to this http://stackoverflow.com/questions/768431/how-to-make-a-redirect-in-php? – Tom Regner Nov 13 '15 at 09:01
  • Just as a side note, you really shouldn't use mysql_ functions. They are deprecated and will soon disappear and your code will stop working. Consider looking into mysqli_ or PDO. – Christian Lundahl Nov 13 '15 at 09:17
  • I have this in my function.php: `function redirect_to($location = NULL){ if ($location != NULL){ header("Location: {$location}"); exit; } }` – Tuns Nov 13 '15 at 09:28
  • Then this at the top of my code: `if (logged_in()){ redirect_to("index.php"); }` – Tuns Nov 13 '15 at 09:34

2 Answers

3

You can remove the position clause from your query. That way, you will always get the user returned, whether they are admin or not.

    $query = "SELECT * FROM users WHERE surname = '{$username}' AND password = '{$cpassword}' LIMIT 1";

After that, you can check for that position (or role) in the code:

    $result_set = mysql_query($query);

    confirm_query($result_set);
    if (mysql_num_rows($result_set) == 1){
      $found_user = mysql_fetch_array($result_set);

      $role = $found_user['position'];
      $_SESSION['user_id'] = $found_user['id'];
      $_SESSION['username'] = $found_user['surname'];

      if ($role == 'admin') {
        redirect_to("admin.php");
      }else{
        redirect_to("user.php");
      }
    }else{
      //redirect_to("index.php");
      $message = "username or password is incorrect";
    }

While the snippet above should fix your immediate issue, there are some issues with this code.

First of all, you shouldn't store actual passwords. It's hard to be sure, but by the looks of your code, you do store the actual passwords. See for instance this article for a guide to get you started doing this the right way. Note this is Really Important! Badly stored passwords can lead to leaks, which can result in data loss, private data of your employees or customers leaking out, and if you don't care about that, it will also affect the reputation of your company or you personally.

Secondly, you are using the old mysql_* functions, which are deprecated and have been removed in PHP 7. This means that this code won't even run on the latest PHP.

GolezTrol
  • Thanks a lot, but I think I hashed the password with the sha1() function – Tuns Nov 13 '15 at 09:30
  • Thanks, I tried the above code, but I am still facing the same issue: it doesn't redirect to the user page but only redirects to the admin page – Tuns Nov 13 '15 at 09:43
  • I have tried so many of the above code but in different ways. The issue I kept on facing was that it will redirect me to the first page: admin but will not redirect to the users page. I changed it as to users page first then admin in the else statement but it still does the same thing – Tuns Nov 13 '15 at 09:46
  • Yes! It works, thanks a lot like million times. BIG UPS to you THANKS!!! – Tuns Nov 13 '15 at 09:50
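
As an added example (not code from the question or from either answer), here is the same role-based redirect written with PDO prepared statements and `password_hash()`/`password_verify()` in place of `mysql_*` and `sha1()`. The column names come from the question; the in-memory SQLite table, the accounts `alice` and `bob`, the role value `staff` and the helper names `authenticate()` and `landing_page()` are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample data: in-memory SQLite stands in for the MySQL `users` table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, surname TEXT UNIQUE, password TEXT, position TEXT)');
$insert = $pdo->prepare('INSERT INTO users (surname, password, position) VALUES (?, ?, ?)');
$insert->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT), 'admin']);
$insert->execute(['bob', password_hash('battery staple', PASSWORD_DEFAULT), 'staff']);

/**
 * Returns the user row (without the hash) on success, null on any failure.
 * The role is not part of the WHERE clause; it is read from the row afterwards.
 */
function authenticate(PDO $pdo, string $username, string $password): ?array
{
    // Placeholder binding keeps user input out of the SQL text.
    $stmt = $pdo->prepare('SELECT id, surname, password, position FROM users WHERE surname = ? LIMIT 1');
    $stmt->execute([$username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify() checks the input against the salted hash made by password_hash().
    if ($user === false || !password_verify($password, $user['password'])) {
        return null;
    }
    unset($user['password']);   // never carry the hash into the session
    return $user;
}

/** Maps the stored role to a fixed landing page; any non-admin role gets the user page. */
function landing_page(array $user): string
{
    return $user['position'] === 'admin' ? 'admin.php' : 'user.php';
}

// Demonstration with the constructed accounts; prints the target instead of redirecting.
// In the web handler: session_regenerate_id(true); copy id/surname into $_SESSION;
// header('Location: ' . landing_page($user)); exit;
$attempts = [['alice', 'correct horse'], ['bob', 'battery staple'], ['bob', 'wrong'], ["o'brien", 'x']];
foreach ($attempts as [$u, $p]) {
    $user = authenticate($pdo, $u, $p);
    echo $u, ' => ', $user ? landing_page($user) : 'username or password is incorrect', PHP_EOL;
}
```
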
0

Since there is no user type defined as per the given details, I am using the username for the conditional statement. Change your code as follows:

    if (mysql_num_rows($result_set) == 1){
    //  **********  checks the result from db   *************
        $found_user = mysql_fetch_array($result_set);
        $_SESSION['user_id'] = $found_user['id'];
        $_SESSION['username'] = $found_user['surname'];

        // Here is the logic
        if( $username == 'admin' ){
            header('location: admin.php');
            exit; // stop the script so nothing runs after the redirect header
        } else {
            header('location: user.php');
            exit; // stop the script so nothing runs after the redirect header
        }
    }
Tismon Varghese