
So I basically have 2 roles in my database, which are sollicitant and bedrijf. I want to redirect them both to a different page. I now have a script which controls the email and password in my database, but I have no idea how to "check" which role they have so they both can be redirected to a different welcome page.

This is my code that checks the password and email but not the role. How do I redirect both roles to a different page?

<?php
session_start(); // must run before any output, otherwise the session cookie header cannot be sent
if(isset($_POST['verzenden'])) {

    $inputEmail = htmlspecialchars($_POST['email']);
    $inputWachtwoord = htmlspecialchars($_POST['wachtwoord']);

    $servername   = "localhost";
    $databasename = "powerjobs";
    $username     = "root";
    $password     = "";

    try {
        $conn = new PDO("mysql:host=$servername; dbname=$databasename", $username, $password);

        $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

    } catch(PDOException $e) {
        echo "Connection failed: " . $e->getMessage();
        return;
    }

    try {
        // the submitted email is interpolated straight into the SQL string
        $stmt = $conn->prepare("SELECT * FROM registratie WHERE email = '$inputEmail'");
        $stmt->execute();

        $result = $stmt->setFetchMode(PDO::FETCH_ASSOC);
        $row    = $stmt->fetch();

        $rowCount = $stmt->rowCount();

        if ($rowCount) {

            // plain-text comparison of the submitted password with the stored column
            if ($inputWachtwoord == $row['wachtwoord']) {
                header("Location: sollicitant.html");
                exit(); // stop here so nothing below runs after the redirect
            }
            else
                echo "<br/>Gebruikersnaam en wachtwoord komen niet overeen.";
        } else {
            echo "<br/>Login failed, no record found";
        }
    }
    catch(PDOException $e) {
        echo "Error: " . $e->getMessage();
    }

    $conn = null;

    // set regardless of whether the password matched above
    $_SESSION["login"] = true;
    $_SESSION["email"] = $inputEmail;

}
?>
RiggsFolly
Melissa
  • `$inputWachtwoord` is the password? You need to use prepared statements correctly, parameterize the query. – chris85 Jul 13 '17 at 13:21
  • Just add another `if` and `else` before `header` which checks if it's a company or an applicant. – Daan Jul 13 '17 at 13:23
  • What is your database structure? – Kurt Van den Branden Jul 13 '17 at 13:23
  • When you have `$rowCount` true, check for the `role / group`. `$row` has the full row with the `role/group` your user belongs to, so get the `role/group` from your result and redirect your user to the desired page. – Farrukh Ayyaz Jul 13 '17 at 13:23
  • @chris85, yes, it's password in Dutch – Jigar Shah Jul 13 '17 at 13:23
  • The MySQL `show grants` command will help you identify the role. You will need a plan for users with both. – Dan Bracuk Jul 13 '17 at 13:23
  • You need to hash passwords, plain text passwords are a huge security vulnerability, and with your SQL injection hole you're looking at problems here.. but to answer your question run a conditional on `$row['role_column']`. – chris85 Jul 13 '17 at 13:24
  • There are a couple of resources to help you with this. Here's one that might be helpful http://www.codefreax.net/2014/11/script-code-php-multi-user-secure-login-system.html – Oluwaseye Jul 13 '17 at 13:25
  • is your password stored as plain text or hashed? – Masivuye Cokile Jul 13 '17 at 13:25
  • "how to "check" which role they have" So where do you store the information that tells you if they are one thing or the other? – RiggsFolly Jul 13 '17 at 13:38
  • This is a repost of your previous question. – Jay Blanchard Jul 13 '17 at 14:17
  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard Jul 13 '17 at 14:17
  • **Never store plain text passwords!** Please use ***PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html)*** to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). ***It is not necessary to [escape passwords](http://stackoverflow.com/q/36628418/1011527)*** or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Jul 13 '17 at 14:17
  • Did you [add a column to the database](https://stackoverflow.com/a/45016820/1011527) so you could identify the user's role? – Jay Blanchard Jul 13 '17 at 14:20
  • @JayBlanchard yes, the roles are 0 and 1, 0 is for the user and 1 is for the admin, I just don't know how to query something to make a difference between them when I also have to control the email and password – Melissa Jul 13 '17 at 14:22
  • @Melissa now you are confusing; here you said `2 roles in my database which are sollicitant and bedrijf`, now you're saying it is zero and 1 – Masivuye Cokile Jul 13 '17 at 14:22
  • @Melissa check my answer below and build from it.... – Masivuye Cokile Jul 13 '17 at 14:23
  • Both my previous answer to the question and the answer @MasivuyeCokile provided below illustrate how to identify the user's role and redirect appropriately. – Jay Blanchard Jul 13 '17 at 14:23
  • @JayBlanchard now just looked at your answer and it is an exact re-post; the OP does not take people's suggestions into consideration – Masivuye Cokile Jul 13 '17 at 14:24
  • To be fair @MasivuyeCokile it looks like she refactored her database to include a roles column. – Jay Blanchard Jul 13 '17 at 14:26
  • @JayBlanchard yeah, 0 is sollicitant and 1 is bedrijf, I just used the numbers to have less shit in my database – Melissa Jul 13 '17 at 14:43
  • I have edited the answer below to reflect 0 and 1 – Jay Blanchard Jul 13 '17 at 14:46
  • @JayBlanchard it still keeps saying username and password do not match, I can't figure out what it is that doesn't work – Melissa Jul 13 '17 at 14:51
  • Did you use PHP's built-in password functions to store and verify the hash? – Jay Blanchard Jul 13 '17 at 14:52
  • @JayBlanchard I don't think so, I'm a bit confused – Melissa Jul 13 '17 at 14:56
  • Melissa please go read [this tutorial](http://jayblanchard.net/proper_password_hashing_with_PHP.html) on how to properly prepare and use passwords in PHP. Rewrite your code based on the tutorial and add the information from the answer @MasivuyeCokile and I have given you. – Jay Blanchard Jul 13 '17 at 14:59
  • @JayBlanchard I'm sorry, my English just isn't good enough to understand tutorials like that, but thanks for your time and help – Melissa Jul 13 '17 at 15:01
  • You can use a translation service. – Jay Blanchard Jul 13 '17 at 15:02

1 Answer

By the looks of things you have stored the password as plain text, which you are not supposed to do. You need to store the hashed password value using password_hash() and password_verify().

Therefore, when you are saving in your signup page you need to hash the password

like :

$hash = password_hash($inputWachtwoord,PASSWORD_DEFAULT);

Then when you are storing you will no longer store $inputWachtwoord but you will store $hash.

Then you can log in using password_verify()

like :

<?php
ob_start();
session_start();

if (isset($_POST['verzenden'])) {

    $inputEmail      = $_POST['email'];
    $inputWachtwoord = $_POST['wachtwoord']; // plain text from the form; do not hash it here, password_verify() compares it against the stored hash

    $servername   = "localhost";
    $databasename = "powerjobs";
    $username     = "root";
    $password     = "";

    try {
        $conn = new PDO("mysql:host=$servername; dbname=$databasename", $username, $password);

        $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

    }
    catch (PDOException $e) {
        echo "Connection failed: " . $e->getMessage();
        exit(); // without this the query below would run against an undefined $conn
    }

    try {
        // parameterised query: the email is bound as a value, not interpolated into the SQL
        $stmt = $conn->prepare("SELECT * FROM registratie WHERE email = ? ");
        $stmt->execute([$inputEmail]);
        $result = $stmt->fetchAll(PDO::FETCH_ASSOC);
        if (count($result) > 0) {
            foreach ($result as $key => $row) {
                // compare the submitted plain text against the hash stored in the wachtwoord column
                if (password_verify($inputWachtwoord, $row['wachtwoord'])) {
                    //password matches
                    $_SESSION["login"] = true;
                    $_SESSION["email"] = $inputEmail;

                    //check user role: 0 = sollicitant, 1 = bedrijf
                    switch ($row['role']) {
                        case 0:
                            $redirectUrl = "ThisRolePage.php"; // replace with the sollicitant page
                            break;

                        case 1:
                            $redirectUrl = "ThisRolePage.php"; // replace with the bedrijf page
                            break;

                        default:
                            // a role value the code does not know about: do not redirect anywhere
                            echo "unknown role";
                            exit();
                    }

                    header("Location: $redirectUrl"); //redirect user to respective page
                    exit();

                } else {

                    echo "password and username does not match";
                }
            }

        } else {

            echo "username invalid";
        }
    }
    catch (PDOException $e) {
        echo "Error: " . $e->getMessage();
    }
}
?>
Jay Blanchard
Masivuye Cokile
  • FYI, I changed the roles to 0 (sollicitant) and 1 (bedrijf) because that's how they are identified in my database. I used this code but it keeps giving the "password and username does not match" error while it does; idk what's wrong? – Melissa Jul 13 '17 at 14:48
  • It does not match because you have saved the password as plain text. You did not follow from the top, you just took the code – Masivuye Cokile Jul 13 '17 at 15:04
  • I changed "$inputWachtwoord = $_POST['wachtwoord'];" to "$hash = password_hash($_POST['wachtwoord'], PASSWORD_DEFAULT);", isn't that what I was supposed to do then? – Melissa Jul 13 '17 at 15:06
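The signup-hash, login-verify and role-redirect flow from the answer, together with the two mistakes that came up in the comments (a plain-text password left in the table, and re-hashing the login input), as an added, self-contained example that is not code from the question or the answer. It rebuilds the page's `registratie` table in an in-memory SQLite database so it runs without MySQL; the role mapping 0 = sollicitant, 1 = bedrijf comes from the comments, while `bedrijf.html` and the sample users are constructed placeholders.

```php
<?php
// Added example, not code from the question or the answer: the registratie table from the
// page rebuilt in an in-memory SQLite database so it runs offline without MySQL.
// Assumptions: role 0 = sollicitant, 1 = bedrijf (from the comments); bedrijf.html is a
// placeholder page name; the sample users below are constructed.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE registratie (email TEXT PRIMARY KEY, wachtwoord TEXT NOT NULL, role INTEGER NOT NULL)');

// Signup side: hash the password once here and store the hash, never the plain text.
function registreer(PDO $pdo, string $email, string $wachtwoord, int $role): void
{
    $stmt = $pdo->prepare('INSERT INTO registratie (email, wachtwoord, role) VALUES (?, ?, ?)');
    $stmt->execute([$email, password_hash($wachtwoord, PASSWORD_DEFAULT), $role]);
}

// Login side: parameterised lookup, verify the submitted plain text against the stored
// hash, then map the role to a page. Returns the redirect target, or null on failure.
function loginRedirect(PDO $pdo, string $email, string $wachtwoord): ?string
{
    $stmt = $pdo->prepare('SELECT wachtwoord, role FROM registratie WHERE email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($wachtwoord, $row['wachtwoord'])) {
        return null; // one outcome for unknown email and wrong password
    }
    $pages = [0 => 'sollicitant.html', 1 => 'bedrijf.html'];
    return $pages[(int) $row['role']] ?? null; // unknown role: refuse instead of redirecting
}

function check(string $label, bool $ok): void
{
    echo str_pad($label, 48) . ($ok ? 'ok' : 'FAIL') . PHP_EOL;
}

registreer($pdo, 'anna@example.com', 'geheim123', 0);
registreer($pdo, 'hr@example.com', 'bedrijfspw', 1);
check('sollicitant lands on sollicitant.html', loginRedirect($pdo, 'anna@example.com', 'geheim123') === 'sollicitant.html');
check('bedrijf lands on bedrijf.html', loginRedirect($pdo, 'hr@example.com', 'bedrijfspw') === 'bedrijf.html');
check('wrong password is refused', loginRedirect($pdo, 'anna@example.com', 'fout') === null);

// The failure in the thread: a row whose wachtwoord column holds plain text never verifies,
// because password_verify() expects a hash there, not the password itself.
$pdo->prepare('INSERT INTO registratie VALUES (?, ?, ?)')->execute(['oud@example.com', 'plaintext', 0]);
check('plain-text row fails to verify', loginRedirect($pdo, 'oud@example.com', 'plaintext') === null);

// Also wrong: hashing the login input again and comparing hashes; each call salts afresh.
check('re-hashing the input does not match', password_hash('geheim123', PASSWORD_DEFAULT) !== password_hash('geheim123', PASSWORD_DEFAULT));
```

Run it with `php` on the command line; every line should print `ok`, and the two final checks show why a stored plain-text password and a re-hashed login input both end in the "does not match" message from the thread.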