
I have created a table in my db called user, and I have assigned the accounts the user types Admin, User, Vendor.

I have 3 separate dashboards created, one for each of the roles. When I log in to the system the redirection works totally fine. But when I insert the URL of the dashboard of another type of user, the page loads without any redirection.

When I log in as User and insert the following URL in the browser, the admin page loads for a general user.

http://localhost:3002/Admin/dashboard.php

I cannot figure out what's wrong in my code.

This is my PHP code for the login control:

    <?php
    session_start();

    include('./validate.php');
    require_once('../Includes/db/dbConnection.php');
    $db = DBConnection::getInstance();
    $connection = $db->getConnection();

    if(isset($_POST['btnLogin'])){
        $username=validate($_POST['uname']);
        $pass=validate($_POST['psw']);

        $sql="SELECT userId,userType FROM user WHERE username='$username' AND password='$pass'";
        $res=mysqli_query($connection,$sql);
        $count=mysqli_num_rows($res)>0;
        if($count>0){
            $row=$res->fetch_assoc();
            $_SESSION['userId']=$row['userId'];
            $_SESSION['username']=$username;
            $_SESSION['userType']=$row['userType'];
            $_SESSION['loggedIn']='true';
            switch ($_SESSION['userType']){
                case 'User':
                    header("location: ../User/dashboard.php");
                    break;
                case 'Admin':
                    header("location: ../Admin/dashboard.php");
                    break;
                case 'Vendor':
                    header("location: ../Vendor/dashboard.php");
                    break;
                default:
                    break;
            }
        }else{
            $_SESSION['status']='Wrong Username/Password';
            header("Location: ../login.php");
        }
    }
    ?>

This is the code I use in the dashboard.php file for each user type.

Admin

    <?php
    session_start();
    if(!isset($_SESSION['loggedIn']) && $_SESSION['loggedIn']!='true' && $_SESSION['userType']!='Admin'){
        header("Location: ../login.php");
    }
    ?>

User

    <?php
    session_start();
    if(!isset($_SESSION['loggedIn']) && $_SESSION['loggedIn']!='true' && $_SESSION['userType']!='User'){
        header("Location: ../login.php");
    }
    ?>

What am I doing wrong?

  • Your script is open to [SQL Injection Attack](http://stackoverflow.com/questions/60174). Even [if you are escaping inputs, it's not safe!](http://stackoverflow.com/questions/5741187) You should always use [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) in either the `MYSQLI_` or `PDO` APIs instead of concatenating user provided values into the query. Never trust ANY user input! – RiggsFolly Feb 01 '21 at 09:03
  • Ok I will make that change. Thank you – Harsha Abeyvickrama Feb 01 '21 at 09:06
  • I have inserted it in the question above as Admin and User separately. Not sure whether I am doing it wrong? – Harsha Abeyvickrama Feb 01 '21 at 09:10
  • **Never store passwords in clear text or using MD5/SHA1!** Only store password hashes created using PHP's [`password_hash()`](https://php.net/manual/en/function.password-hash.php), which you can then verify using [`password_verify()`](https://php.net/manual/en/function.password-verify.php). Take a look at this post: [How to use password_hash](https://stackoverflow.com/q/30279321/1839439) and learn more about [bcrypt & password hashing in PHP](https://stackoverflow.com/a/6337021/1839439) – Dharman Feb 01 '21 at 14:19

1 Answer

You need to use OR in this check, not AND.

    <?php
    session_start();
    if(!isset($_SESSION['loggedIn']) ||
        $_SESSION['loggedIn']!='true' ||
        $_SESSION['userType']!='User')
    {
        header("Location: ../login.php");
        exit;
    }
RiggsFolly
  • Yes. It worked. Can you explain what's the difference between those two? I wanted all 3 conditions to be true. With the knowledge I have, OR returns true if at least 1 condition is true and AND returns true if and only if all the conditions are true. So what's the difference? – Harsha Abeyvickrama Feb 01 '21 at 09:18
  • Well all 3 can be true, but if one is not true you should not be in this dashboard – RiggsFolly Feb 01 '21 at 09:21
  • @Dharman It was :) Nice to know you are checking up on me – RiggsFolly Feb 01 '21 at 15:55
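To make the difference between the two checks visible without a browser, here is an added example (not code from the question or the answer) that evaluates the question's AND condition and the answer's OR condition over constructed sessions; the helper names `needsRedirectAnd`, `needsRedirectOr` and `requireRole` are assumptions for illustration.

```php
<?php
// Added example: compares the AND gate from the question with the OR gate
// from the answer on constructed session arrays. Helper names are hypothetical.
declare(strict_types=1);

// The question's version: redirect only when EVERY condition fails.
// A logged-in user of the wrong role passes, because !isset() is already false.
function needsRedirectAnd(array $session, string $requiredRole): bool
{
    return !isset($session['loggedIn'])
        && ($session['loggedIn'] ?? null) != 'true'
        && ($session['userType'] ?? null) != $requiredRole;
}

// The answer's version: ANY single failing condition is enough to redirect.
function needsRedirectOr(array $session, string $requiredRole): bool
{
    return !isset($session['loggedIn'])
        || $session['loggedIn'] != 'true'
        || ($session['userType'] ?? null) != $requiredRole;
}

// Gate for the top of each dashboard.php, after session_start().
// exit stops the rest of the page from being sent after the redirect header.
function requireRole(string $requiredRole): void
{
    if (needsRedirectOr($_SESSION, $requiredRole)) {
        header('Location: ../login.php');
        exit;
    }
}

// Constructed sessions: [description, session array, role the page requires]
$cases = [
    ['anonymous visitor on Admin page', [], 'Admin'],
    ['User on User page', ['loggedIn' => 'true', 'userType' => 'User'], 'User'],
    ['User on Admin page', ['loggedIn' => 'true', 'userType' => 'User'], 'Admin'],
];

foreach ($cases as [$label, $session, $role]) {
    printf("%-34s AND redirects: %-4s OR redirects: %s\n",
        $label,
        needsRedirectAnd($session, $role) ? 'yes' : 'no',
        needsRedirectOr($session, $role) ? 'yes' : 'no');
}
```

The third case is the one reported in the question: with AND the logged-in User is not redirected from the Admin dashboard, with OR they are.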