-1

I had a problem with multi-level user login in PHP MySQL. I am able to log in as admin, but nothing happens when I'm trying to log in with a different user. Is there something I'm missing here?

Here is my code snippet

    <form action="" method="post">
        <div class="form-group">
            <label for="inputUsername">Username</label>
            <input type="text" class="form-control" name="username" placeholder="username" required>
        </div>
        <div class="form-group">
            <label for="inputPassword">Password</label>
            <input type="password" class="form-control" name="password" placeholder="Password" required>
        </div> 
        <div class="user_type">
        <table>
          <tr> 
          <td>User Type &nbsp;</td>   
          <td><select name="usertype" id="type">
          <option value="-1"> Select user type</option>
          <option value="customer">Customer</option>
          <option value="landlord">Landlord</option>
          <option value="admin">Admin</option>
          </select></td>
        <button type="submit" name="submit" class="btn btn-primary">Login</button>
   

    <?php
    include('connection.php');

    if(isset($_POST['submit'])){

      $username=$_POST['username'];
      $password=$_POST['password'];
      $type=$_POST['usertype'];

      $query="SELECT * FROM `user_level` WHERE username='$username' and password='$password' 
      and type='$type'";
      $result=mysqli_query($conn,$query);

      while($row=mysqli_fetch_array($result)){
        if($row['username']==$username && $row['password'==$password] && 
        $row['type']=='Admin') {
        header("Location: admin_mainpage.php");
        } elseif($row['username']==$username && $row['password'==$password] && 
        $row['type']=='Land Owner'){
          header("Location: LO_mainpage.php");
        }elseif($row['username']==$username && $row['password'==$password] && 
        $row['type']=='Customer'){
          header("Location: Customer_mainpage.php");
        }
      } 
      }
    ?>

Funk Forty Niner
Rid10
  • 2
    `$row['password'==$password]` that is an issue here. Enable error reporting and error handling on the query. – Funk Forty Niner Oct 21 '18 at 14:13
  • 1
    What you're doing is completely wrong, you shouldn't be simply using plain passwords – Dev Man Oct 21 '18 at 14:13
  • 1
    Another thing, `Customer` != `customer`. Same thing for your other values. Letter-case is important on certain OS'. – Funk Forty Niner Oct 21 '18 at 14:15
  • @FunkFortyNiner what do you mean by error reporting and error handling? Do you mean exception handling? I will deal with it later. I have checked the letter case many times; the weird thing is that I am able to log in with an admin-type user but unable to do the same with a different user. – Rid10 Oct 21 '18 at 14:23
  • @ImmortalDude what I'm doing is a completely simple project, unless I did not get what you really mean. – Rid10 Oct 21 '18 at 14:25
  • 1
    Additionally, you shouldn't let a user pick their rights level on login. That should be looked up AFTER authenticating the user. Get username/pass. Compare with DB. If correct, get user rights level/role/whatever and redirect to correct spot, if wrong redirect back to login. – ivanivan Oct 21 '18 at 14:54
  • 1
    As an aside - look into using [`password_hash()`](https://stackoverflow.com/questions/30279321/how-to-use-password-hash) – Nigel Ren Oct 21 '18 at 15:20
  • I mean passwords should not be stored without being hashed, but as you've said that this is a simple project, most likely you're using this project as a means of learning PHP and user authentication, so I guess it's OK, though always make a habit of hashing passwords even in test projects, because you never know when you might suddenly convert that test project into a full-blown app – Dev Man Oct 21 '18 at 17:25

1 Answer

0

You just have to write the exact type of user. Try this code:

    <?php

    if(isset($_POST['submit'])) {

      // Make sure to change "username" "password" "database"
      $conn = mysqli_connect("localhost", "username", "password", "database");

      $username = $_POST['username'];
      $password = $_POST['password'];
      $type = $_POST['usertype'];

      // Bind the submitted values as parameters instead of interpolating them into the SQL string
      $stmt = mysqli_prepare($conn, "SELECT * FROM user_level WHERE username=? and password=? and type=?");
      mysqli_stmt_bind_param($stmt, "sss", $username, $password, $type);
      mysqli_stmt_execute($stmt);
      $result = mysqli_stmt_get_result($stmt);

      // Just use the if statement; it will test whether a user exists with this information or not
      if( $row = mysqli_fetch_array($result) ) {

        // Now we are sure that the information entered is right and there is a user; you just need to test the type using the switch statement
        // exit after each redirect so the rest of the script does not run
        switch ($type) {
            case "admin" :
                header("Location: admin_mainpage.php"); exit;
            case "landlord" :
                header("Location: LO_mainpage.php"); exit;
            case "customer" :
                header("Location: Customer_mainpage.php"); exit;
        }
      }

    }

    ?>

    <form method="post">
        <div class="form-group">
           <label for="inputUsername">Username</label>
           <input type="text" class="form-control" name="username" placeholder="username" required>
        </div>
        <div class="form-group">
           <label for="inputPassword">Password</label>
           <input type="password" class="form-control" name="password" placeholder="Password" required>
        </div>
        <div class="user_type">
        <table>
            <tr>
               <td>User Type &nbsp;</td>
               <td>
                  <select name="usertype" id="type" required>
                     <option value="" selected> Select user type</option>
                     <option value="customer">Customer</option>
                     <option value="landlord">Landlord</option>
                     <option value="admin">Admin</option>
                  </select>
               </td>
               <td>
               <button type="submit" name="submit" class="btn btn-primary">Login</button>
               </td>
            </tr>
        </table>
        </div>
    </form>

This is the SQL table:

    DROP TABLE IF EXISTS `user_level`;
    CREATE TABLE `user_level` (
      `id` int(11) NOT NULL AUTO_INCREMENT,
      `username` varchar(20) NOT NULL,
      `password` varchar(20) NOT NULL,
      `type` varchar(20) NOT NULL,
      PRIMARY KEY (`id`)
    );

    INSERT INTO `user_level` (`id`, `username`, `password`, `type`) VALUES
    (1, 'mac', '123', 'admin'),
    (2, 'krisha', '123', 'customer'),
    (3, 'Haris', '123', 'landlord');

Djamel Kr
  • The above code could be simplified by removing the type, as the user's password and user name should suffice. Could you add that as a suggestion to your post, as it may help the OP better improve his authentication system? – Dev Man Oct 21 '18 at 17:27
  • @ImmortalDude you are totally correct, but I'm not sure if he is using sessions, so I just kept it easy for him. If you want, you could edit my post – Djamel Kr Oct 21 '18 at 17:59
  • @Rid10 the code is working and it has been tested, make sure that you stored correct data in your **user_level** table, just lowercase **"admin","customer","landlord"** – Djamel Kr Oct 25 '18 at 12:55
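
The comments on this page recommend looking the role up after authentication and storing passwords with `password_hash()`. The following sketch of that flow is an added example, not code from the question or the answer: it assumes PDO with an in-memory SQLite table so it runs without a MySQL server, the `password_hash` column and the `authenticate()` helper are hypothetical names, and the three users are constructed sample data.

```php
<?php
// Added example: in-memory SQLite stands in for the MySQL database (assumption).
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE user_level (
    id INTEGER PRIMARY KEY,
    username TEXT NOT NULL UNIQUE,
    password_hash TEXT NOT NULL,
    type TEXT NOT NULL
)');

// Constructed sample users; only the hash of each password is stored.
$insert = $pdo->prepare(
    'INSERT INTO user_level (username, password_hash, type) VALUES (?, ?, ?)'
);
foreach ([['mac', 'admin'], ['krisha', 'customer'], ['Haris', 'landlord']] as [$name, $type]) {
    $insert->execute([$name, password_hash('123', PASSWORD_DEFAULT), $type]);
}

// Allow-list mapping a stored role to its landing page (page names from the question).
const LANDING_PAGES = [
    'admin'    => 'admin_mainpage.php',
    'landlord' => 'LO_mainpage.php',
    'customer' => 'Customer_mainpage.php',
];

/** Returns the landing page for valid credentials, or null on any failure. */
function authenticate(PDO $pdo, string $username, string $password): ?string
{
    // The username is bound as a parameter, so quote characters stay data.
    $stmt = $pdo->prepare('SELECT password_hash, type FROM user_level WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    // The role comes from the database row, never from the login form.
    return LANDING_PAGES[strtolower($row['type'])] ?? null;
}

// In a real login script: header('Location: ' . $target); exit;
var_dump(authenticate($pdo, 'krisha', '123'));         // valid customer credentials
var_dump(authenticate($pdo, 'krisha', 'wrong'));       // wrong password
var_dump(authenticate($pdo, "mac' OR '1'='1", '123')); // quote characters in the username
```

With the table from the answer, the `password` column would need to be widened to hold a hash; the PHP manual recommends 255 characters for `PASSWORD_DEFAULT`.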