Admin and user Login page redirect

Question

i want to have a static user in the database as admin and password admin for the administrator but the rest of the users it will using different users and password from the database,this is my script

<?php
mysql_select_db('billdb',mysql_connect('localhost','root','test'))or die(mysql_error());
?>
<?php
//Start session
session_start();
    //Function to sanitize values received from the form. Prevents SQL injection
    function clean($str) {
        $str = @trim($str);
        if(get_magic_quotes_gpc()) {
            $str = stripslashes($str);
        }
        return mysql_real_escape_string($str);
    }

        //Sanitize the POST values
    $username = clean($_POST['username']);
    $password = clean($_POST['password']);
    $fname = ($_POST['fname']);
    $lname = ($_POST['lname']);

        //Create query
    $qry="SELECT * FROM admin WHERE username='$username' AND password='$password'";
    $result=mysql_query($qry);


if($result) {
        if(mysql_num_rows($result) > 0 ) {
            //Login Successful
            session_regenerate_id();
            $member = mysql_fetch_assoc($result);
            $_SESSION['username'] = $member['username'];
            $_SESSION['password'] = $member['password'];
            $_SESSION['fname'] = $member['fname'];
            $_SESSION['lname'] = $member['lname'];


            session_write_close();
            header("location: homepage.php?");
            exit();
            }

        else {
            //Login failed
            header("location: login_error.php");
            exit();
        }
        }
    else {
        die("Query failed");
    }   


?>

i want to do a page redirect if its a different user it should go to homepage1.php but if its admin it should go to homepage.php

***Please [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php).*** [These extensions](http://php.net/manual/en/migration70.removed-exts-sapis.php) have been removed in PHP 7. Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [PDO](http://php.net/manual/en/pdo.prepared-statements.php) and [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and consider using PDO, [it's really pretty easy](http://jayblanchard.net/demystifying_php_pdo.html). — Jay Blanchard, Nov 22 '16 at 13:08
[Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)***. Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! ***SQL Injection!*** *It's not just for breakfast any more!* — Jay Blanchard, Nov 22 '16 at 13:08
**Never store plain text passwords!** Please use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). Make sure you ***[don't escape passwords](http://stackoverflow.com/q/36628418/1011527)*** or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. — Jay Blanchard, Nov 22 '16 at 13:09
If you get something back from the database, like a variable which is equal to 'admin', you can test it and use it for the redirect. — Jay Blanchard, Nov 22 '16 at 13:10
**Never store passwords in the SESSION array!** Why would you need to even do that? Are you planning to perform another login with the information? — Jay Blanchard, Nov 22 '16 at 13:11
If an answer solved your problem, consider accepting the answer. Here's how http://meta.stackexchange.com/questions/5234/how-does-accepting-an-answer-work then return here and do the same with the tick/checkmark till it turns green. This informs the community, a solution was found. Otherwise, others may think the question is still open and may want to post (more) answers. You'll earn points and others will be encouraged to help you. *Welcome to Stack!* — Jay Blanchard, Nov 22 '16 at 13:17
Because you do not need it for anything and it exposes the password should someone hack the session @LorenceHernandez. In other words, *it's dangerous!* — Jay Blanchard, Nov 22 '16 at 13:18
@LorenceHernandez please visit : http://stackoverflow.com/questions/19594202/is-it-secure-to-store-a-password-in-a-session — Masivuye Cokile, Nov 22 '16 at 13:19
Yes @LorenceHernandez, see this: http://stackoverflow.com/questions/6483092/php-session-hijacking — Jay Blanchard, Nov 22 '16 at 13:22
@JayBlanchard cool thanks il read it., i always think of storing it in session so when the user change their pass it saves the overhead of checking in database if the password they entered is matched. thanks too Masivuye Cokile — Lorence Hernandez, Nov 22 '16 at 13:25
@JayBlanchard web is not really my native thing, i should really read some stuffs about best practices — Lorence Hernandez, Nov 22 '16 at 13:27
Apparently you are using a whole new table for the admins. You could just add a column to your users table called: `admin` or `role` or something. 0= normal user. 1= admin — Loko, Nov 22 '16 at 13:28
You could store the hash of the password in a session variable if you wanted to @LorenceHernandez and check it with `password_verify()` if you wanted to save a round trip to the database but honestly, a you're not saving much. — Jay Blanchard, Nov 22 '16 at 13:51
thanks for that :) i solved my problem before the creator of this thread lol — Lorence Hernandez, Nov 22 '16 at 13:52

Jay Blanchard · Answer 1 · 2016-11-22T13:56:19.430

1

I have supplied a lot of warnings you should heed in the comments under your question but wanted to answer your question about redirects. Assuming there is a field called admin in your table and the value for an admin is 'admin' you can do the following:

if($result) {
    if(mysql_num_rows($result) > 0 ) {
        //Login Successful
        $member = mysql_fetch_assoc($result);
        if('admin' == $member['admin']) { // some way of identifying an admin
            // admin
            header("location: homepage.php?");
            exit;
        } else {
            // user
            header("location: homepage1.php?");
            exit;
        }
    }
}

edited Nov 22 '16 at 13:56

answered Nov 22 '16 at 13:16

Jay Blanchard

34,243
16
77
119

Either I'm misunderstanding OP's question or OP's database structure is not like this. He has a new table called 'admin' so when there is no admin found with that username or password, he wont go through the `if(mysql_num_rows($result)>0){` anyway. So it should just be: `if(mysql_num_rows($result)>0){ //admin }else{ //user } `. It's easy as that right? – Loko Nov 22 '16 at 13:32
I had to make some assumptions @Loko but you could be right as well since we have no idea of the structure of the OP's database. – Jay Blanchard Nov 22 '16 at 13:52
For the sake of OP's structure and code, I hope I'm wrong but it doesnt look like it. – Loko Nov 22 '16 at 13:54
He is saying, " static user in the database as admin" and "rest of the users" which is why I went the direction I did. – Jay Blanchard Nov 22 '16 at 13:56
He has this query though: `SELECT * FROM admin WHERE username='$username' AND password='$password'` which makes me think his structure is the way that I'm thinking it is. – Loko Nov 22 '16 at 13:57
Yeah - it could be. We'll likely never know given this OP's track record. – Jay Blanchard Nov 22 '16 at 13:57

Admin and user Login page redirect

1 Answers1