1

Can you help me? I have a problem with my code. The code below is the login process page, and I want to redirect to a specific page, either the admin homepage or the user homepage. When I run it, accounts assigned as User are redirected to the Admin page. I have no problem with accounts assigned as Admin, because they are automatically redirected to the Admin page.

 session_start();
 $message = "";

if(count($_POST) > 0){
    $conn = mysql_connect("localhost", "root", "");
    mysql_select_db("etransmittal", $conn);
    $result = mysql_query("SELECT * FROM tbl_userlist WHERE username = '" . $_POST["userid"] . "' AND user_password = '" . $_POST["userpassword"] . "'");
    $row = mysql_fetch_array($result);

    if(is_array($row)){
        $_SESSION['userid'] = $row['userid'];
        $_SESSION['username'] = $row['username'];
        $_SESSION['userrole'] = $row['userrole_id'];
        $_SESSION['firstname'] = $row['fname'];
        $_SESSION['middlename'] = $row['mname'];
        $_SESSION['lastname'] = $row['lname'];
        $_SESSION['nbu'] = $row['nbu'];
        $_SESSION['department'] = $row['department'];
        $_SESSION['branch'] = $row['branch'];

    }
    else{
        $message = "Invalid username or password";
    }
}

/*if(isset($_SESSION['userid'])){
    header("location: admin_homepage.php");
}*/

if(isset($_SESSION['userrole']) == '1'){
    header("location: admin_homepage.php");
}

else if(isset($_SESSION['userrole']) == '2'){
    header("location: user_homepage.php");
}
Saty
pvegetah
  • Your if statements are now checking as follows: if(true == '2') {} – Matheno Dec 04 '15 at 09:15
  • You really should not be writing code that relies on `mysql_` functions anymore. The MySQL extension has been deprecated for years (ever notice these red warning boxes in the documentation?) and is dropped entirely in PHP7, which was just released earlier this week. Also see [Why shouldn't I use mysql_* functions in PHP?](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php). So on a server running the latest PHP version, **this code will not work**. – Oldskool Dec 04 '15 at 10:05

2 Answers

3

isset — Determine if a variable is set and is not NULL

Your code messes up `if` and `isset`. It is used as:

if (isset($_SESSION['userrole']) && $_SESSION['userrole'] == '1') {
    header("location: admin_homepage.php");
} else if (isset($_SESSION['userrole']) && $_SESSION['userrole'] == '2') {
    header("location: user_homepage.php");
}

Read http://php.net/manual/en/function.isset.php

http://php.net/manual/en/control-structures.if.php

Note: mysql is deprecated; use mysqli or PDO instead.

Your code is open to SQL injection; read "How can I prevent SQL injection in PHP?"

Don't store plain passwords in the database.

http://php.net/manual/en/function.password-hash.php

http://php.net/manual/en/faq.passwords.php

Community
Saty
0

isset returns a boolean: if the session variable exists, it will return true, else false. You need to check the existence as well as the value, so change your checks to:

 if(isset($_SESSION['userrole']) && $_SESSION['userrole']=='1'){
      header("location: admin_homepage.php");
 }
 else{
    header("location: user_homepage.php");
 }

Moreover, passing parameters directly within the SQL query can lead to SQL injection; please read about SQL injection and use bind params to avoid it.

Example to do that (used it in one of my projects)

 $db = new PDO('mysql:dbname='.$mysql_dbname.';host='.$mysql_servername, $mysql_username, $mysql_password);
 $stmt = $db->prepare( "SELECT ID, fromName, fromEmail, toName, toEmail, date, subject, body FROM messages WHERE  ID = ?;");
 $stmt->execute(array($messageid));
 $data = $stmt->fetchAll(PDO::FETCH_ASSOC);
Danyal Sandeelo
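
The advice from both answers (compare the role's value, bind query parameters, verify a password hash) applied to the question's login, as an added example that is not code from the question or either answer. The table and column names come from the question; the in-memory SQLite database, the sample accounts and the helper names `authenticate` and `landingPage` are assumptions made so the script runs on its own.

```php
<?php
// Added example, not code from the question or answers.
// Table/column names come from the question; SQLite in-memory stands in for MySQL.

const LANDING = ['1' => 'admin_homepage.php', '2' => 'user_homepage.php']; // role id => page

// Look the user up with a bound parameter, then verify the stored password hash.
function authenticate(PDO $db, string $username, string $password): ?array
{
    $stmt = $db->prepare(
        'SELECT userid, username, user_password, userrole_id
           FROM tbl_userlist WHERE username = ?'
    );
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['user_password'])) {
        return null; // same result for unknown user and wrong password
    }
    unset($row['user_password']); // never copy the hash into the session
    return $row;
}

// Map a role to its page; a failed login or an unknown role gets no page at all.
function landingPage(?array $user): ?string
{
    $role = $user === null ? '' : (string) $user['userrole_id'];
    return LANDING[$role] ?? null;
}

// --- constructed demo data (accounts and passwords are made up) ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tbl_userlist (userid INTEGER PRIMARY KEY, username TEXT,
           user_password TEXT, userrole_id INTEGER)');
$ins = $db->prepare('INSERT INTO tbl_userlist (username, user_password, userrole_id) VALUES (?, ?, ?)');
$ins->execute(['alice', password_hash('admin-pass', PASSWORD_DEFAULT), 1]);
$ins->execute(['bob', password_hash('user-pass', PASSWORD_DEFAULT), 2]);

$attempts = [['alice', 'admin-pass'], ['bob', 'user-pass'], ['bob', 'wrong'], ["o'neil", 'x']];
foreach ($attempts as [$name, $pass]) {
    $page = landingPage(authenticate($db, $name, $pass));
    // In the real page: session_regenerate_id(true); fill $_SESSION;
    // header("Location: $page"); exit;
    echo str_pad($name, 14), ' => ', $page ?? 'Invalid username or password', PHP_EOL;
}
```

The name containing a quote is passed to the database as data, so it simply matches no row instead of altering the query.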