Multilevel Login in PHP

Question

I have php code for login, it is worked if i input just username and password, but i need to check it with column hak_akses. For example if i login with hakakses = Dosen, the response says "Login Berhasil", if i login with hakakses = TU, the response says "Login Failed"

This is my code login php

<?php

 $con = new mysqli("localhost","root","","komplain");
 if($con->connect_error)
 {
    die("Connection Failed: " .$con->connect_error);
 }

 $response = array();

 if(isset($_GET['apicall']))
 {
    switch ($_GET['apicall']) {
    case 'signup':
        # code...
        break;
    case 'login':
        if(isParameterAvailable(array('username','password')))
        {
            $username = $_POST['username'];
            $password = password_hash($_POST['password']);

            $stmt = $con->prepare("SELECT id_user, username, email, no_telp FROM user WHERE username = ? AND password = ?");
            $stmt->bind_param("ss",$username,$password);
            $stmt->execute();
            $stmt->store_result();

                if($stmt->num_rows > 0)
                {
                    $stmt->bind_result($id,$username,$email,$no_telp);
                    $stmt->fetch();

                    $user = array(
                        'id'=>$id,
                        'username'=>$username,
                        'email'=>$email,
                        'no_telp'=>$no_telp
                    );
                    $response['error'] = false;
                    $response['message'] = "Login Berhasil";
                    $response['user'] = $user;
                }
                else
                {
                    $response['error'] = false;
                    $response['message'] = "Username / Password Salah";
                }
            }
        break;

    default:
        $response['error'] = true;
        $response['message'] = 'Invalid Operation Called';

        }
   }
   else
   {
      $response['error'] = true;
      $response['message'] = 'Invalid API call';
   }
   echo json_encode($response);
?>

This is my database enter image description here

This is response from postman enter image description here

My question is what should i do if i need to check login with hakakses(level user) ? This code is just simulation, i am not using this code for my project, so i want to know how to login with multilevel user base on my code

Sorry for my English

Thank You

You should also read https://stackoverflow.com/q/58808332/1839439 — Dharman, Dec 16 '19 at 15:57
Thanks for response, yes i think i should change my code for password @Dharman — Stepanus Ryan, Dec 16 '19 at 16:01
@Dharman Do you know how to check multilevel user login in php code base on my code ? i need your help Thanks :) — Stepanus Ryan, Dec 16 '19 at 16:03
**Never store plain text passwords!** Please use ***PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html)*** to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). ***It is not necessary to [escape passwords](http://stackoverflow.com/q/36628418/1011527)*** or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. — Jay Blanchard, Dec 16 '19 at 17:47

score 0 · Answer 1 · answered Dec 18 '19 at 14:42

0

You should use password_hash() for PHP versions less than 5.5.
I'm using PHP 7.0 and I'm using hash() with a salt for extra security.
I'm first looking for the user inside the db based on username/email and then compare the password with the hashed entered password.
In that way you can show an invalid password error or even a user not found error.

    $stmt = $con->prepare("SELECT id_user, username, email, no_telp, password, salt FROM user WHERE username = ? ");
    $stmt->bind_param("ss",$username);
    $stmt->execute();
    $login_ok = false; 
    $row = $stmt->fetch(); 
    if($row){ 
        $check_password = hash('sha256', $row['password'] . $row['salt']); 
        if($check_password === $row['password']){
            $login_ok = true;
        } 
        else{
           // invalid password
        }
    }
    else {
       // no user found
    }

Based on $login_ok you can do stuff like showing errors

By creating a new user you should add the hashed password + the salt inside the db.
First generate a new salt:

$salt = dechex(mt_rand(0, 2147483647)) . dechex(mt_rand(0, 2147483647));

And save the password into the db like this:

hash('sha256', $password . $salt)

Also don't forget to add the salt itself to the db.

answered Dec 18 '19 at 14:42

Webdeveloper_Jelle

2,868
4
29
55

Thanks for help, but i've got some error. If i change this code like this, how to check my login with column hak_akses ? because my apps need to diference access. If the user level is "Dosen", the login is successfull in app, but if user level is "Admin", the login failed because no access to this app. How should i do ? @Jbadminton – Stepanus Ryan Dec 20 '19 at 10:35
if($row) { $hakakses = "Dosen"; if ($hakakses === $row['hak_akses']) { $response['error'] = false; $response['message'] = "Username/Password Salah"; } else { $user = array( 'id'=>$id, 'username'=>$username, 'email'=>$email, 'hak_akses'=>$hakakses, 'no_telp'=>$no_telp ); $login_ok = true; $response['error'] = false; $response['message'] = "Login Berhasil"; $response['user'] = $user; } } else { $response['error'] = false; $response['message'] = "Tidak Punya Akses"; } – Stepanus Ryan Dec 20 '19 at 10:41
something like that yes – Webdeveloper_Jelle Dec 20 '19 at 10:42
Sorry i'm newbie. This is my first experience using stack overflow for asking my homework Thanks for help :) @Jbadminton – Stepanus Ryan Dec 20 '19 at 10:43
`$login_ok` should only set to true when there are no errors and then your can put the hak_askes if statement inside the `if($login_ok)` – Webdeveloper_Jelle Dec 20 '19 at 10:44

score 0 · Accepted Answer · answered Dec 21 '19 at 12:09

Okay i find a solution. First i changed my code to this

<?php

$con = new mysqli("localhost","root","","tugas_akhir");
if($con->connect_error)
{
   die("Connection Failed: " .$con->connect_error);
}

$response = array();

$username = $_POST['username'];
$password = $_POST['password'];

$login = mysqli_query($con,"SELECT * from user WHERE username='$username'and password='$password'");
$cek = mysqli_num_rows($login);

if ($cek > 0) {

while($data = mysqli_fetch_assoc($login))
{
    $id = $data['id_user'];
    $email = $data['email'];
    $hak = $data['hak_akses'];
    $no_telp = $data['no_telp'];

    if ($data['hak_akses'] == "Dosen") {

        $user = array(
        'id_user'=>$id,
        'username'=>$username,
        'email'=>$email,
        'hak_akses'=>$hak,
        'no_telp'=>$no_telp);

        $response['error'] = false;
        $response['message'] ="Berhasil Login";         
        $response['user'] = $user;
    }
    else{
        $response['error'] = true;
        $response['message'] = "Tidak Mempunyai Akses";

    }
  }
}
else{
       $response['error'] = true;
       $response['message'] = "Username/Password Salah";
}

echo json_encode($response);
?>

I use mysqli_fetch_assoc() to retrieve data from database. And then i store data with $data

If user input is true, the message is Berhasil Login(Successful), else the message is Tidak Punya Akses(Access Denied) because i give statement if($data['hak_akses'] == "Dosen")

Multilevel Login in PHP

2 Answers2