
I am struggling to get my login system to work for a college project.

I have a signUp.php page with two roles to choose from: "librarian" and "Member".

Depending on the role they chose, when they sign in they will see a different "home.php" page.

I think the issue is the if statement on the home page or the way I have structured the "UserRole" section on the sign-up page. My page keeps showing "Librarian" content no matter what role I choose. Still new here; I can't pinpoint what I have done wrong.

home.php

<?php
session_start();
?>
<!DOCTYPE html>
<html>
<head>
    <title>Only-Books</title>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
</head>
<body>
    <?php
    if(isset($_SESSION['UserRole']) == 'Librarian'){
        // header ("Location: home.php");
        include ('Librarian.php');
    } else if(isset($_SESSION['UserRole']) == 'Member' ) {
        // header ("Location: home.php");
        include ('Member.php');
    } else {
        header ('Location: signIn.php');
    }
    ?>
</body>
</html>

signUp.php

<form method="POST" action="process.php" >
            <input id="UserName" type="text" name="UserName" placeholder="Your Name" required>
            <input id="UserSurname" type="text" name="UserSurname" placeholder="Your Surname" required>
            <input id="UserEmail" type="text" name="UserEmail" placeholder="Your Email" required>

            <br>
            <!-- add a radio for librarian or member -->
            <p>Are you a librarian?</p>
            <input id="UserRole" type="radio" name="Librarian" value="Librarian" required>
            <p>Or a Member?</p>
            <br>
            <input id="UserRole" type="radio" name="Member" value="Member" required>
            
            <input id="UserPassword" type="password" name="UserPassword" placeholder="Your Password" required>
            <input id="UserPassword2" type="password" name="UserPassword2" placeholder="Confirm Password" required>
            <input type="submit" name="submit" value="Sign Up">
</form>

process.php "signUp processor"

<?php 
session_start();
include_once ('database.php');
if(isset($_POST['submit'])){
    $UserName = $_POST['UserName'];
    $UserSurname = $_POST['UserSurname'];
    $UserEmail = $_POST['UserEmail'];
    $UserType = $_POST['UserRole'];
    $UserPassword = $_POST['UserPassword'];
    $sql = "INSERT INTO users (UserName, UserSurname, UserEmail, UserRole, password) VALUES ('$UserName', '$UserSurname', '$UserEmail', '$UserType', '$UserPassword')";
    if(mysqli_query($conn, $sql)){
        header ("Location: signIn.php");
    } else {
        echo "Something Is Broken";
    }
    mysqli_close($conn);
}

if(isset($_POST['submit'])){
    $_SESSION['UserName'] = $_POST['UserName'];
    $_SESSION['UserSurname'] = $_POST['UserSurname'];
    $_SESSION['UserEmail'] = $_POST['UserEmail'];
    $_SESSION['UserRole'] = $_POST['UserRole'];
    $_SESSION['UserPassword'] = $_POST['UserPassword'];
}

?>

signIn Processor

<?php 
session_start();
if(isset($_POST['login'])){
    extract($_POST);
    include ('database.php');
    $sql = "SELECT * FROM users WHERE UserEmail = '$UserEmail' AND password = '$UserPassword'";
    $row = mysqli_fetch_array(mysqli_query($conn,$sql));
    if(is_array($row)){
        $_SESSION['ID'] = $row['UserID'];
        $_SESSION['UserEmail'] = $row['UserEmail'];
        $_SESSION['UserPassword'] = $row['password'];
        $_SESSION['UserName'] = $row['UserName'];
        $_SESSION['UserRole'] = $row['UserRole'];
        $_SESSION['UserSurname'] = $row['UserSurname'];
        header('location:home.php');
    } else {
        echo "Login Failed";
    }
}
?>
    Please get Post Values by Input Names Not with ID of Input. – Hassan ALi Dec 06 '21 at 11:46
  • **Warning:** You are wide open to [SQL Injections](https://php.net/manual/en/security.database.sql-injection.php) and should use parameterized **prepared statements** instead of manually building your queries. They are provided by [PDO](https://php.net/manual/pdo.prepared-statements.php) or by [MySQLi](https://php.net/manual/mysqli.quickstart.prepared-statements.php). Never trust any kind of input! Even when your queries are executed only by trusted users, [you are still in risk of corrupting your data](http://bobby-tables.com/). [Escaping is not enough!](https://stackoverflow.com/q/5741187) – Dharman Dec 06 '21 at 12:51
  • **Never store passwords in clear text or using MD5/SHA1!** Only store password hashes created using PHP's [`password_hash()`](https://php.net/manual/en/function.password-hash.php), which you can then verify using [`password_verify()`](https://php.net/manual/en/function.password-verify.php). Take a look at this post: [How to use password_hash](https://stackoverflow.com/q/30279321/1839439) and learn more about [bcrypt & password hashing in PHP](https://stackoverflow.com/a/6337021/1839439) – Dharman Dec 06 '21 at 12:51
  • **Never use `extract($_POST);`** This allows anyone to do anything in your code. – Dharman Dec 06 '21 at 12:51
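The three comments above (prepared statements, `password_hash()`/`password_verify()`, no `extract($_POST)`) add up to a rewrite of the sign-up and sign-in processors. The following is an added example of that rewrite; it is not code from the question or from any answer. It assumes the `users` table and column names from the question, a `database.php` that defines a mysqli connection in `$conn`, and a sign-up form whose two radio buttons share the name `UserRole` (the form as posted names them `Librarian` and `Member`, so `$_POST['UserRole']` is never set). The helper names `registerUser()` and `authenticateUser()` are hypothetical.

```php
<?php
// Added example, not the question's or answers' code. Assumes database.php
// defines a mysqli connection in $conn, the users table from the question
// (UserID, UserName, UserSurname, UserEmail, UserRole, password), and a
// sign-up form whose two radio buttons share the name "UserRole".
declare(strict_types=1);

session_start();
include_once 'database.php';
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw instead of returning false silently

// The only roles the form may assign; any other value is rejected, not stored.
const ALLOWED_ROLES = ['Librarian', 'Member'];

// Sign-up (hypothetical helper): every value is bound with a prepared
// statement, and only a password_hash() hash of the password is stored.
function registerUser(mysqli $conn, array $post): bool
{
    $name     = (string) ($post['UserName'] ?? '');
    $surname  = (string) ($post['UserSurname'] ?? '');
    $email    = (string) ($post['UserEmail'] ?? '');
    $role     = (string) ($post['UserRole'] ?? '');
    $password = (string) ($post['UserPassword'] ?? '');

    if (!in_array($role, ALLOWED_ROLES, true)) {
        return false; // tampered or missing role
    }
    if ($password === '' || $password !== ($post['UserPassword2'] ?? null)) {
        return false; // empty password or confirmation mismatch
    }
    $hash = password_hash($password, PASSWORD_DEFAULT);

    $stmt = $conn->prepare(
        'INSERT INTO users (UserName, UserSurname, UserEmail, UserRole, password)
         VALUES (?, ?, ?, ?, ?)'
    );
    $stmt->bind_param('sssss', $name, $surname, $email, $role, $hash);
    return $stmt->execute();
}

// Sign-in (hypothetical helper): look the user up by e-mail alone, then let
// password_verify() check the submitted password against the stored hash.
// The role comes from the database row, never from the request.
function authenticateUser(mysqli $conn, string $email, string $password): ?array
{
    $stmt = $conn->prepare(
        'SELECT UserID, UserName, UserSurname, UserEmail, UserRole, password
         FROM users WHERE UserEmail = ? LIMIT 1'
    );
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // get_result() needs the mysqlnd driver

    if ($row === null || !password_verify($password, $row['password'])) {
        return null; // same response for unknown e-mail and wrong password
    }
    unset($row['password']); // the hash never goes into the session
    return $row;
}

// Dispatch on the submit button name, reading only the fields we expect
// (no extract($_POST), which would let a client define arbitrary variables).
if (isset($_POST['submit'])) {
    if (registerUser($conn, $_POST)) {
        header('Location: signIn.php');
        exit; // stop here, or the rest of the script still runs after the redirect
    }
    echo 'Sign-up failed';
} elseif (isset($_POST['login'])) {
    $user = authenticateUser(
        $conn,
        (string) ($_POST['UserEmail'] ?? ''),
        (string) ($_POST['UserPassword'] ?? '')
    );
    if ($user === null) {
        echo 'Login Failed';
    } else {
        session_regenerate_id(true); // fresh session ID once the user is authenticated
        $_SESSION['ID']          = $user['UserID'];
        $_SESSION['UserName']    = $user['UserName'];
        $_SESSION['UserSurname'] = $user['UserSurname'];
        $_SESSION['UserEmail']   = $user['UserEmail'];
        $_SESSION['UserRole']    = $user['UserRole'];
        header('Location: home.php');
        exit;
    }
}
```

Two things this version deliberately drops from the posted code: the password is never copied into `$_SESSION` (the original stores it there both at sign-up and at sign-in), and every `header('Location: ...')` is followed by `exit`, since PHP otherwise keeps executing the rest of the script after sending the redirect header.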

1 Answer


Your if statements are not doing what you think they are.

if(isset($_SESSION['UserRole']) == 'Librarian'){

isset returns a bool value telling whether the passed-in value is set: https://www.php.net/manual/en/function.isset.php

Assuming $_SESSION['UserRole'] is set your if statement would look like:

if(true == 'Librarian') which doesn't make much sense.

Instead, you should do something like:

if(isset($_SESSION['UserRole']) && $_SESSION['UserRole'] == 'Librarian'){

DevWithZachary
    With PHP 7+ you can also shorten this using the [null coalescing operator](https://www.php.net/manual/en/migration70.new-features.php#migration70.new-features.null-coalesce-op) to: `if (($_SESSION['UserRole'] ?? '') == 'Librarian')` – But those new buttons though.. Dec 06 '21 at 11:48
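To make the answer's point concrete, here is an added example (not code from the question, the answer or the comment) that runs from the command line with a plain array standing in for `$_SESSION`, so it needs no session or database. It puts the question's check and the corrected check side by side over several constructed session states, including an empty role string, which is what the posted process.php stores because its radio buttons are not named `UserRole`. The function names `pickRoleBuggy()` and `pickRoleFixed()` are hypothetical.

```php
<?php
// Added example (not from the question or answer): shows why
// isset($_SESSION['UserRole']) == 'Librarian' always takes the Librarian
// branch whenever the key exists, and a strict check that routes correctly.
// A plain array stands in for $_SESSION so this runs from the CLI.
declare(strict_types=1);

// The check as written in the question. isset() returns a bool, and the loose
// == comparison converts the non-empty string 'Librarian' to bool(true) before
// comparing, so "true == 'Librarian'" is true for any set value, even ''.
function pickRoleBuggy(array $session): string
{
    if (isset($session['UserRole']) == 'Librarian') {
        return 'Librarian.php';
    } elseif (isset($session['UserRole']) == 'Member') {
        return 'Member.php';
    }
    return 'signIn.php';
}

// Corrected: read the value (or '' when unset, via the null coalescing
// operator) and compare it strictly with ===, so only the exact role string
// stored at sign-in selects a page. An unknown role falls through to sign-in
// instead of silently being treated as a Librarian.
function pickRoleFixed(array $session): string
{
    $role = $session['UserRole'] ?? '';
    if ($role === 'Librarian') {
        return 'Librarian.php';
    } elseif ($role === 'Member') {
        return 'Member.php';
    }
    return 'signIn.php';
}

// Constructed sample session states. 'empty role' is the state produced when
// the sign-up processor reads a form field that was never submitted.
$samples = [
    'librarian'  => ['UserRole' => 'Librarian'],
    'member'     => ['UserRole' => 'Member'],
    'empty role' => ['UserRole' => ''],
    'tampered'   => ['UserRole' => 'Admin'],
    'no session' => [],
];

printf("%-12s %-16s %-16s\n", 'session', 'buggy check', 'fixed check');
foreach ($samples as $label => $session) {
    printf("%-12s %-16s %-16s\n", $label, pickRoleBuggy($session), pickRoleFixed($session));
}
```

Run it with `php role_check.php`: the buggy column reads `Librarian.php` for every row except `no session` (where `isset()` is false, and `false == 'Librarian'` is false), while the fixed column sends only the real librarian to `Librarian.php`, the member to `Member.php`, and everything else to `signIn.php`. The loose bool-to-string comparison behaves the same on PHP 8, so upgrading does not change the outcome; the `===` check does.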