-2

I'm trying to log in as an admin and as a user, but why doesn't it get to the admin page? Can you help me with this, guys? It only displays index.php when logging in.

```php
<?php
session_start();

include('connect.php');

$emailaddress   = $_POST['emailaddress'];
$password       = md5($_POST['password']);

$search = mysql_query("SELECT * FROM users WHERE email='".$emailaddress."' AND password='".$password."' AND active='1'") or die(mysql_error()); 
$match  = mysql_num_rows($search);

if($match){
    $_SESSION["email"]      = $emailaddress;
    $_SESSION["password"]   = $password;

    $_SESSION["firstname"]  = mysql_result($search,0,"fname");
    $_SESSION["lastname"]   = mysql_result($search,0,"lname");

    header('Location: index.php');
    $msg = 'Login Complete! Thanks';
}

elseif ($match) {
    $_SESSION["emailaddress"]       == 'admin@iva.com';
    $_SESSION["password"]           == 'password';

    header('Location: admin.php');
    $msg = 'Login Complete! Thanks';
}

else{
    $msg = 'Login Failed! Please make sure that you enter the correct details and that you have activated your account.';
}
```

Can you help me with this, guys?

angel1108
  • Because `if($match)` and `elseif($match)` have the same result, and if the username and password are correct, you never go into the second condition. What are you trying to achieve? – mitkosoft Mar 09 '16 at 12:28
  • `mysql_*` functions are deprecated since PHP 5.5 (and **removed entirely** in PHP 7) and you should [stop using them](http://stackoverflow.com/q/12859942) if you can. You should choose another API that enables usage of prepared statements, like `mysqli_*` or PDO instead - see [choosing an API](http://php.net/manual/en/mysqlinfo.api.choosing.php). You also shouldn't use `md5`-hashing. And you should use `exit;` after every `header("Location: ...");` call. – Qirel Mar 09 '16 at 12:31
  • `mysql_*` is deprecated -- `if($match)` and `elseif($match)` both equate to the same -- `$msg = "..."` is never outputted and is placed after a `header("...")` function (so will never be seen anyway). Start again mate, this is a mess! – Ben Mar 09 '16 at 12:33
  • *Curious:* Is this a live site or intended to go live? And storing passwords in a session is a very bad idea. – Funk Forty Niner Mar 09 '16 at 13:05
  • Sorry guys... I am really not good at PHP, I'm still starting... hmm... can you help me, guys, with how to do it?... ^_^ – angel1108 Mar 09 '16 at 13:08

1 Answer

1

First you have to manage the roles of all the users, e.g. you have to add a user_role column to your users table and insert the role of the user when a new user registers. Here we consider that the user_role of the admin user is admin and that of other users is normal_user. Now replace your code with the code below.

```php
<?php
session_start();

include('connect.php');

$emailaddress   = $_POST['emailaddress'];
$password       = md5($_POST['password']);

// Normal users only: admins are excluded here and handled in the elseif below.
// The e-mail is escaped before it is placed in the query string.
$search = mysql_query("SELECT * FROM users WHERE email='".mysql_real_escape_string($emailaddress)."' AND password='".$password."' AND active='1' AND user_role != 'admin'") or die(mysql_error());
$match  = mysql_num_rows($search);

if($match){
    $_SESSION["email"]      = $emailaddress;
    $_SESSION["password"]   = $password;

    $_SESSION["firstname"]  = mysql_result($search,0,"fname");
    $_SESSION["lastname"]   = mysql_result($search,0,"lname");

    $msg = 'Login Complete! Thanks';
    header('Location: index.php');
    exit; // stop here so nothing runs after the redirect
}

elseif ($emailaddress === 'admin@iva.com' && $password === '36dada69c95e116a59f57552dcf9032d') {
    // Admin login: compare the submitted values instead of re-testing $match,
    // which is always false once the first branch has been skipped
    $_SESSION["emailaddress"]       = $emailaddress;
    $_SESSION["password"]           = $password;

    $msg = 'Login Complete! Thanks';
    header('Location: admin.php');
    exit;
}

else{
    $msg = 'Login Failed! Please make sure that you enter the correct details and that you have activated your account.';
}
?>
```

Hope this will work for you!

Sanjay Chaudhari
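
A hardened version of this login that combines the answer's user_role column with the points raised in the comments (prepared statements, no `md5`, no password kept in the session, `exit` after the redirect). This is an added example, not code from the question or the answer; the in-memory SQLite table, the sample accounts, the `password_hash` column and the `login()` helper are assumptions made so the script runs on its own.

```php
<?php
// Constructed in-memory users table (SQLite) standing in for the page's MySQL database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE users (email TEXT PRIMARY KEY, password_hash TEXT, fname TEXT,
            lname TEXT, active INTEGER, user_role TEXT)");
$ins = $pdo->prepare("INSERT INTO users VALUES (?, ?, ?, ?, ?, ?)");
// Constructed sample accounts; password_hash() replaces md5()
$ins->execute(['admin@example.test', password_hash('admin-pass', PASSWORD_DEFAULT), 'Ada', 'Admin', 1, 'admin']);
$ins->execute(['user@example.test',  password_hash('user-pass',  PASSWORD_DEFAULT), 'Uma', 'User',  1, 'normal_user']);

/**
 * Hypothetical helper: returns the page to redirect to, or null when the login fails.
 * $session is passed by reference so the function can be run without a web server.
 */
function login(PDO $pdo, array &$session, string $email, string $password): ?string
{
    // Prepared statement: the e-mail is bound, never concatenated into the SQL
    $stmt = $pdo->prepare("SELECT password_hash, fname, lname, user_role
                           FROM users WHERE email = ? AND active = 1");
    $stmt->execute([$email]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);

    // Unknown e-mail and wrong password end in the same failure result
    if (!$user || !password_verify($password, $user['password_hash'])) {
        return null;
    }

    // Keep identity and role in the session, never the password or its hash
    $session['email']     = $email;
    $session['firstname'] = $user['fname'];
    $session['lastname']  = $user['lname'];
    $session['user_role'] = $user['user_role'];

    // One query; the role stored in the row picks the landing page
    return $user['user_role'] === 'admin' ? 'admin.php' : 'index.php';
}

$session = [];
foreach ([['admin@example.test', 'admin-pass'], ['user@example.test', 'user-pass'],
          ['user@example.test', 'wrong-pass']] as [$email, $pw]) {
    $target = login($pdo, $session, $email, $pw);
    echo $email, ' => ', $target ?? 'login failed', PHP_EOL;
}
// In the real script, on success:
//   session_regenerate_id(true); header('Location: ' . $target); exit;
```

admin.php still has to check `$_SESSION['user_role'] === 'admin'` itself, since the redirect alone does not stop a normal user from requesting that URL directly.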