-1

I made a login page which is meant to give me access to user.php or admin.php depending on email and password. I have a database (phpmyadmin) with 2 users. I added a boolean field "type" (0 meaning regular user and 1 meaning admin).

Here's my php code : 

<?php
session_start();
$mysqli = new mysqli("localhost", "root", "", "database");
if ($mysqli->connect_errno) {
    echo "Echec lors de la connexion à MySQL : (".$mysqli->connect_errno.") ".$mysqli->connect_error;
}
if (isset($_POST['submit'])) {
    $email = $_POST['email'];
    $password = $_POST['password'];

    if ($email == "" || $password == "") {
        echo '<div id ="errormsg">Please fill in all fields</div>';
    } else {
        $query = mysqli_query(
            $mysqli,
            "SELECT * FROM client WHERE email = '$email' and password = '$password' and type = 1 "
        ) or die ("Can't query the database");
        $count = mysqli_num_rows($query);

        if ($count == 1) {
            if ($type == 1) {
                $_SESSION['email'] = $email;
                header("location: admin.php");
            } else {
                if ($type == 0) {
                    $_SESSION['email'] = $email;
                    header("location: user.php");
                } else {
                    echo '<div id="errormsg">No matches, try again</div>';
                }
            }
        }
    }
}

When I type an admin's email and password I'll be redirected to user.php instead of admin.php. When I type a normal user's email and password nothing happens , the same page (login.php) refreshes

goto
  • 7,908
  • 10
  • 48
  • 58
Darkimo
  • 1
  • 2
  • Your query failed and you need to check for the real error. *"Can't query the database"* did not help you. – Funk Forty Niner Jan 26 '17 at 12:54
  • what are the details of this error message? – Mr. K. O. Rolling Jan 26 '17 at 12:54
  • Hello and Welcome to SO. Visit http://bobby-tables.com to learn more about SQL injections and how to prevent them. The way you've coded (`$_POST` directly in query) is not safe at all! Your database can be hacked in a few seconds. – Twinfriends Jan 26 '17 at 12:55
  • 1. Have you enabled error reporting? Try these lines at the top of the file `ini_set('display_errors', 1); ini_set('display_startup_errors', 1); error_reporting(E_ALL);` 2. Have you tried to `print_r($count);` to see if it's null or not? – Antonios Tsimourtos Jan 26 '17 at 12:55
  • 1
    Plus in your query you should replace `type == 1` with `type = 1` – Antonios Tsimourtos Jan 26 '17 at 12:56
  • `type == 1` this is wrong, in SQL you just need to do `type=1` - however, you restrict that query to **only** select "admins", so the check you do later isn't working because you 1) don't fetch any fields and 2) the restriction in the query. – Qirel Jan 26 '17 at 12:56
  • Use this to find the error: http://php.net/manual/en/mysqli.error.php – Pedro Amaral Couto Jan 26 '17 at 12:57
  • **Never store plain text passwords!** Please use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). Make sure you ***[don't escape passwords](http://stackoverflow.com/q/36628418/1011527)*** or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Jan 26 '17 at 12:57
  • @Qirel duh my bad; my comment was deleted. More coffee required *lol* thanks for putting me back on track ;-) – Funk Forty Niner Jan 26 '17 at 12:59
  • @Fred-ii- Aye, coffee is fuel for us humans - without it, we don't function! *Cheers* – Qirel Jan 26 '17 at 12:59
  • *1.* Be aware of SQL injections. Consider using PDO. *2.* You're using 'type == 1', you just need one sign: type = 1 *3.* After that you're using ($type ==1) but $type isn't automatically defined. you need to fetch the SQL row. *4.* Moreover, since you already used the type = 1 condition in your query, why double checking it? *5.* The "no matches" error should appear in the Else statement of $count == 1 *6.* Seems like you don't hash or encrypt the passwords in your DB *7.* I wonder how you check if the user has permissions in the admin/user php files – Ofir Baruch Jan 26 '17 at 13:00
  • Sidenote: You should also add `exit;` after each header. Otherwise, your code might want to continue to execute. – Funk Forty Niner Jan 26 '17 at 13:01
  • i replaced type==1 to type=1 , that error disapeared but when i login the same page juste refreshes. – Darkimo Jan 26 '17 at 13:03
  • What is "the same page"? Is it admin.php? – Antonios Tsimourtos Jan 26 '17 at 13:08
  • No, login.php. it didn't redirect me to user.php or admin.php , the login page just refreshes. – Darkimo Jan 26 '17 at 13:10
  • Use `print_r($count);` right before the `if(count == 1)` and share results. You have some logical mistakes in your code right now - which are mentioned by Ofir Baruch's comment – Antonios Tsimourtos Jan 26 '17 at 13:13
  • Ok i fixed the problem of the redirection , when i login with type 1 (admin) email and password it redirect me to user.php instead of admin.php , when i login with normal user email and pass (type 0) it just refreshes and a "0" appears on the top left of the page – Darkimo Jan 26 '17 at 13:24
  • If you still have a problem update your question, also just to be correct you should really read and understand Ofir Baruch's comment. Right now your query selects ONLY users that are admins. If this is what you want then you don't have to check about the type of the user because you already know user is an admin. If you want from all the users to see who is admin then you will have to change that. – Antonios Tsimourtos Jan 26 '17 at 13:26
  • Ok i'll update the question. thnx – Darkimo Jan 26 '17 at 13:28

1 Answers1

0

I think $type is not a valid code for if statement try $email if working and if you have many user try to select again and validate if that user is an admin or user to admin.php, user.php or login.php for wrong username and password.

<?php
        session_start();
        $mysqli = new mysqli("localhost", "root", "", "database");
    if ($mysqli->connect_errno) {
        echo "Echec lors de la connexion à MySQL : (" . $mysqli->connect_errno . ") " . $mysqli->connect_error;
    }
        if (isset($_POST['submit']))
    {
        $email = $_POST['email'];
        $password = $_POST['password'];

        if( $email == "" || $password == "")
        {
            echo '<div id ="errormsg">Please fill in all fields</div>';
        }

        else 
        {
            $query = mysqli_query($mysqli, "SELECT * FROM client WHERE email = '$email'
            and password = '$password' and type = 1 ") or die ("Can't query the database");
            $count = mysqli_num_rows($query);

            if($count == 1) 
            {
                if ($email == 'admin@email.com')
                {
                    $_SESSION['email'] = $email;
                    header("location: admin.php");
                }
                else if ($email == 'user@email.com')
                {
                    $_SESSION['email'] = $email;
                    header("location: user.php");
                }
                else
                {
                    echo '<div id="errormsg">No matches, try again</div>';
                }
            }
        }
    }

    ?>
Mark Valenzuela
  • 338
  • 1
  • 9
  • Thanks Mark this worked ! but i want users that exist in my database to connect and be redirected to user.php , also admins to admin.php not only user@email.com and admin@email.com – Darkimo Jan 26 '17 at 15:17