PHP login adding role

Question

<?php
session_start();

include 'dbConnection.php';

$uid = $_POST['uid'];
$pwd = $_POST['pwd'];

$sql = "SELECT * FROM user WHERE uid='$uid' and pwd='$pwd'";
$result = $conn->query($sql);


if(!$row = $result->fetch_assoc())
 {
   echo '<script language="javascript">';
   echo 'alert("Username or Password Incorret!")';
   echo '</script>';
   header("Location:index.php");

}
else{

$_SESSION['id']= $row['id'];    
echo '<script language="javascript">';
echo 'alert("Logged!")';
echo '</script>';

}
?>

Hello community, The code above is a simple login that I'm trying to develop. I'm kinda new to PHP still learning, the script works fine (but is missing encryption) the next step for the login is to add a role but I don't know where to add or adapt my code! If someone has suggestions they are all welcome!

Adding a role means (admin,student) in case of admin goes to xxx.php , case student goes to yyy.php — CHx Xq, Oct 26 '16 at 20:07
no output before headers, this should be spitting out errors — , Oct 26 '16 at 20:07
use a CMS like wordpress, as @Shiv says, you are taking one heck of a leap from this script to creating roles/permissions — useyourillusiontoo, Oct 26 '16 at 20:08
I'm not too sure you know how this is supposed to work but it seems like you want to add another column in the MySQL table and then just alert it when you log in? — Shiv, Oct 26 '16 at 20:09
**Never store plain text passwords!** Please use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). Make sure you ***[don't escape passwords](http://stackoverflow.com/q/36628418/1011527)*** or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. — Jay Blanchard, Oct 26 '16 at 20:09
From @tadman: WARNING: Writing your own access control layer is not easy and there are many opportunities to get it severely wrong. Please, do not write your own authentication system when any modern development framework like Laravel comes with a robust authentication system built-in. — Jay Blanchard, Oct 26 '16 at 20:09
[Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)***. Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! — Jay Blanchard, Oct 26 '16 at 20:10
I hate when people say *"I'm not that far along..."* or *"This site will not be public..."* or *"It's only for school, so security doesn't matter..."*. If teachers and professors are not talking about security from day one, they're doing it wrong. Challenge them. They're teaching sloppy and dangerous coding practices which students will have to unlearn later. I also hate it when folks say, *"I'll add security later..."* or *"Security isn't important now..."* or *"Ignore the security risk..."*. If you don't have time to do it right the first time, when will you find the time to add it later? — Jay Blanchard, Oct 26 '16 at 20:10
As for your original question: There are either too many possible answers, or good answers would be too long for this format. Please add details to narrow the answer set or to isolate an issue which can be answered in a few paragraphs. I would suggest you find a development forum (perhaps [Quora](http://www.quora.com/Computer-Programming)?) to work out generalities. Then, when/if you have specific coding issues, come back to StackOverflow and we'll be glad to help. — Jay Blanchard, Oct 26 '16 at 20:11

score 2 · Accepted Answer · answered Oct 26 '16 at 20:14

2

Based of what you have said in the comments:

Firstly add a column for "role" in your database table.

Then your PHP script could just be a matter of adding the following into the successful login block.

if($row['role'] == "Admin"){
    header('Location: admin.php');
}elseif($row['role'] == "Student"){
    header('Location: student.php');
}

As others have said, you should really use a proper authentication system which takes care of escaping sql queries, security, password hashing etc.

answered Oct 26 '16 at 20:14

Shiv

831
1
12
29

Please do not spend time answering overly broad questions. – Jay Blanchard Oct 26 '16 at 20:49
@JayBlanchard ok. I'll keep that in mind. I just remember the time when I was new to SO and felt everyone was being harsh :p – Shiv Oct 26 '16 at 20:58
1

I understand, but this is not about being harsh. – Jay Blanchard Oct 26 '16 at 20:59
@JayBlanchard yeah I see what you mean :) – Shiv Oct 26 '16 at 21:00

Krzysztof Atłasik · Answer 2 · 2019-04-14T08:26:26.190

I see some serious problems with your script:

Don't use mysqli - it's deprecated and shouldn't be used. Use PDO instead.
You should hash your passwords. Read about password_hash().

Don't create SQL statements by conca3. You concatenating string from user input. It is vulnerable to SQL injection. You should use placeholders.

$stmt = $db->prepare("SELECT * FROM user WHERE uid=:uid AND password=:password");
$stmt->execute(array(':password' => $password, ':uid' => $uid));
$rows = $stmt->fetchAll();

If you want a more detailed review of your code you can post on codereview.

As for implementation of roles, you could create an additional table ROLE with single column NAME. For example (in MySql):

CREATE TABLE role (
  name varchar(255) NOT NULL
) 

ALTER TABLE role ADD PRIMARY KEY ('name');

INSERT INTO role (name) VALUES
('ADMIN'),
('STUDENT');

Then you could add an additional column to your user table with foreign key to table roles.

ALTER TABLE user ADD (
     role varchar(255) NOT NULL,
     FOREIGN KEY(role) REFERENCES role(name)
)

Ten you could just fetch the name of the role and redirect to the right location.

if($row['ROLE'] == "ADMIN"){
    header("Location: http://example.com/admin.php");
    die();
} else {
     ....
}

What are the advantages of this approach? You have all your roles listed in one table and because of a foreign key, you will preserve data integrity. In column ROLE of the USER table, you will be able to store the only role which is also stored in the ROLE table. If you would try to remove role which is assigned still assigned to any user database wouldn't allow it.

This answer assumes your user could have only one role. If you want to be able to assign multiple roles to your user, you would have to learn how to map many-to-many relationship in the database.

score -1 · Answer 3 · answered Oct 26 '16 at 20:46

To get this properly, you'll need a separate table in the database for roles, and an extra column in the user-table with user_role, where you store the ID from the role-table that the user should have assigned to him. When pulling data, you join the two tables on the ID, and get other information about the role, like name.

So, the role-table would contain something like: role_id, role_name you can of course have other information here as well, like user_level (int), but that is for a more advanced project.

In the user-table, you add a user_role column, where you store the id-number from the role-table.

To get the actual name of the role, you'll have to join the two tables, something like this would do: $sql = "SELECT * FROM user t1 LEFT JOIN role t2 ON t1.user_role = t2.role_id WHERE uid='$uid' and pwd='$pwd'";

That way you will have another result in the returned info from the database, containing the role.

Please do not spend time answering overly broad questions. – Jay Blanchard Oct 26 '16 at 20:49 — Jay Blanchard, Oct 26 '16 at 20:49

PHP login adding role

3 Answers3