members area

I am trying to create a members area of the site (so if a member logs in and their type is 0, they are taken to an Admin/ section. If they log in and the type is 1 they would simply be taken to the index.php. Lastly, if they try to log in but can't, they would be taken back to the login page).
[php]
<?php
session_start();
include("db/configPDO.php");   // creates $dbh (PDO connection)

$Email    = $_POST['email'];
$Password = $_POST['password'];

$sql = "SELECT type FROM Members WHERE email = :Email AND password = :Password";
$STM = $dbh->prepare($sql);
$STM->bindParam(':Email', $Email);
$STM->bindParam(':Password', $Password);
$STM->execute();

$count = $STM->rowCount();
$row   = $STM->fetch();

if (($count == 1) && ($row == 0)) {
    $_SESSION['type']  = $row[0];
    $_SESSION['email'] = $Email;
    header("location:Admin/");
    exit();
} else if (($count == 1) && ($row == 1)) {
    $_SESSION['type']  = $row[0];
    $_SESSION['email'] = $Email;
    header("location:index.php");
    exit();
} else {
    header("location:login.php");
    exit();
}
$dbh = null;
?>
[/php]

You aren’t checking the correct thing in your if(). You need to specify the array item to check for $row, not just $row.
[php]
if(($count==1) && ($row['type']==0))
[/php]
This goes for all the other if() too.

Changed the code and tried to log in, no dice.
[php]
<?php
session_start();
include("db/configPDO.php");   // creates $dbh (PDO connection)

$Email    = $_POST['email'];
$Password = $_POST['password'];

$sql = "SELECT type FROM Members WHERE email = :Email AND password = :Password";
$STM = $dbh->prepare($sql);
$STM->bindParam(':Email', $Email);
$STM->bindParam(':Password', $Password);
$STM->execute();

$count = $STM->rowCount();
$row   = $STM->fetch();

if (($count == 1) && ($row['type'] == 0)) {
    $_SESSION['type']  = $row[0];
    $_SESSION['email'] = $Email;
    header("location:Admin/");
    exit();
} else if (($count == 1) && ($row['type'] == 1)) {
    $_SESSION['type']  = $row[0];
    $_SESSION['email'] = $Email;
    header("location:index.php");
    exit();
} else {
    header("location:login.php");
    exit();
}
$dbh = null;
?>
[/php]

Before you even get into trying to make your code work, allow me to make a recommendation. You are mixing upper and lower case all over the place. It is going to cause you problems later on. Take a standard naming convention and style and stick to it.

I would recommend always using lower case and separating your descriptive words with an underscore. There is also camelCase which in my opinion is not as easy to read.

A Windows server is not case-sensitive, but Linux / UNIX is.

Might I make a suggestion: instead of having just a number represent a user's level, have it be descriptive. For example, the database table column would be set up something like:

public
member
admin

and have it as an enum type in the table that way it forces it to be one of those, with public being the default probably.

That way all you will have to do is something like the following:

[php]$_SESSION['type'] = $row['type']; // When a user logs in[/php]

Then in your config file that is usually at the top of every page (require('lib/includes/utilities.inc.php');), for example mine is called utilities.inc.php, you would have something like this:

[php]session_start();

// Check for a user type (access level) in the session:
$user_type = (isset($_SESSION["type"])) ? $_SESSION["type"] : NULL;
[/php]

Lastly, you could have something like this on your members page:

[php]// Compare with ===, not a single = (which would assign 'member' and always pass)
if (isset($user_type) && $user_type === 'member') {
    echo "Welcome to the Member's Page";
} else {
    header("Location: index.php"); // Direct non-member back to the home page
    exit();
}[/php]

You know the person is logging in so all you have to do is when they successfully login is to redirect them to the members page and if someone who’s not a member attempts to access the page they will not be able to. This way a non-member will never know about the page in the first place and you can even hide it in the navigational menu. :wink:

Based on your query you provided that should have worked. Maybe you should do a var_dump of $count and $row to make sure they are the values you expect. If they aren’t then maybe you need to look at your query more and see if it’s even returning anything.

I want to make this as efficient as possible and think strider64's way is optimal, and that enums are way better.
Here's the new table:

CREATE TABLE Members (
    id SMALLINT NOT NULL AUTO_INCREMENT,
    PRIMARY KEY (id),
    name VARCHAR(50),
    email VARCHAR(50),
    password VARCHAR(50),
    type ENUM('Admin','User','Guest') DEFAULT 'Guest',
    created DATE,
    image VARCHAR(150)
);

Here's a couple of insert statements:

-- the DATE value must be quoted; an unquoted 2014-07-07 is evaluated as arithmetic
INSERT INTO Members (id, name, email, password, type, created, image)
VALUES (1, "Luke Urtnowski", "[email protected]", "test", "Admin", '2014-07-07', "http://www.almostsavvy.com/wp-content/uploads/2011/04/profile-photo.jpg");
INSERT INTO Members (id, name, email, password, type, created, image)
VALUES (2, "Jason Cannon", "[email protected]", "test", "User", '2014-07-07', "http://www.almostsavvy.com/wp-content/uploads/2011/04/profile-photo.jpg");
INSERT INTO Members (id, name, email, password, type, created, image)
VALUES (3, "Davida Milkes", "[email protected]", "test", "User", '2014-07-07', "http://www.almostsavvy.com/wp-content/uploads/2011/04/profile-photo.jpg");

I created the utilities file to require at the top of each page.
The last step is different because I'm going to give the logged-in user three options (if they are Admin, go to the Admin section; if they are a User, they would simply go to index.php; lastly, if they fail at logging in, they will be taken back to the form).
[php]
<?php
session_start();
include("db/configPDO.php");   // creates $dbh (PDO connection)

$Email    = $_POST['email'];
$Password = $_POST['password'];

$sql = "SELECT type FROM Members WHERE email = :Email AND password = :Password";
$STM = $dbh->prepare($sql);
$STM->bindParam(':Email', $Email);
$STM->bindParam(':Password', $Password);
$STM->execute();

$count = $STM->rowCount();
$row   = $STM->fetch();

if (($count == 1) && ($row['type'] == 'Admin')) {
    $_SESSION['type']  = $row['type'];
    $_SESSION['email'] = $Email;
    header("location:localhost/shoresrentals/Admin/");
    exit();
} else if (($count == 1) && ($row['type'] == 'User')) {
    $_SESSION['type']  = $row['type'];
    $_SESSION['email'] = $Email;
    header("location:localhost/shoresrentals/index.php");
    exit();
} else {
    header("location:localhost/shoresrentals/login.php");
    exit();
}
$dbh = null;
?>
[/php]

Another question I have is why do I need the type of Guest in the table? Can't I just have "welcome Guest" if the user never even logs in?
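The login handler above, and strider64's session-type suggestion before it, both compare the submitted password against a plaintext `password` column inside the SQL. The following is an added example (my code, not the thread's) of the same Admin/User/Guest flow with the password checked in PHP via password_verify(), the session id regenerated after login, and the redirect chosen from the ENUM role. It assumes db/configPDO.php defines `$dbh` as in the thread and that the `password` column holds a password_hash() value (which needs VARCHAR(255) rather than the VARCHAR(50) in the CREATE TABLE above); the function names are my own.

```php
<?php
// Added example: hashed-password login with role-based redirect.
// Assumes db/configPDO.php creates $dbh (PDO) and that Members.password
// stores the output of password_hash(), e.g. password_hash('test', PASSWORD_DEFAULT).
declare(strict_types=1);
session_start();
require 'db/configPDO.php';

$dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

/**
 * Look the member up by email only, then verify the password in PHP.
 * Returns the ENUM role ('Admin', 'User', 'Guest') on success, null on failure.
 */
function authenticate(PDO $dbh, string $email, string $password): ?string
{
    // Lower-case placeholder name, and the identical name in execute():
    // a case mismatch between the two is what produces SQLSTATE HY093.
    $sql = 'SELECT `password`, `type` FROM `Members` WHERE `email` = :email';
    $stm = $dbh->prepare($sql);
    $stm->execute([':email' => $email]);
    $row = $stm->fetch(PDO::FETCH_ASSOC);

    // One failure path for "no such email" and "wrong password", so the
    // response does not reveal which of the two it was.
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    return $row['type'];
}

/** Map the role (or a failed login) to the page the user is sent to. */
function landing_page(?string $role): string
{
    switch ($role) {
        case 'Admin': return 'Admin/';
        case 'User':  return 'index.php';
        default:      return 'login.php';   // failed login, or Guest
    }
}

if (isset($_POST['email'], $_POST['password'])) {
    $role = authenticate($dbh, (string) $_POST['email'], (string) $_POST['password']);
    if ($role !== null) {
        session_regenerate_id(true);        // fresh session id once authenticated
        $_SESSION['type']  = $role;
        $_SESSION['email'] = (string) $_POST['email'];
    }
    header('Location: ' . landing_page($role));
    exit();
}
```

Selecting by email alone and verifying the hash in PHP is what makes the stored `password` column useless on its own if the table is ever leaked; the ENUM `type` still drives the redirect exactly as in the thread, and a page guard only has to compare `$_SESSION['type'] === 'Admin'` (with `===`, so a typo of `=` cannot silently grant access).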

I tried [php]
var_dump($count);
var_dump($row);
[/php]
and I got
int 0
boolean false

So the problem is with my query. How do I check what that is?

Make your execute line look like this.
[php]
$STM->execute() or die(print_r($dbh->errorInfo()));
[/php]
That will give you the error it’s finding with the query. Also it is proper practice to always wrap your table name and column names in backticks so the query doesn’t misinterpret them for something else. The backtick key is left of the 1 on your keyboard.
[php]$sql = "SELECT `type` FROM `Members` WHERE `email` = :Email AND `password` = :Password";[/php]

OK, made the change. Now what I get is:

Array ( [0] => 00000 [1] => [2] => ) 1

What is the error?

I am trying to test my query by using
[php]
$STM->debugDumpParams();
[/php]
and this is the result
SQL: [78] SELECT type FROM Members WHERE email = :Email AND password = :Password Params: 2 Key: Name: [6] :Email paramno=-1 name=[6] “:Email” is_param=1 param_type=2 Key: Name: [9] :Password paramno=-1 name=[9] “:Password” is_param=1 param_type=2

Any ideas?

The query string looks fine syntax wise. Do you have error reporting turned on? Are you sure that $Email and $Password actually have a value and are not returning a php error?

Don't think that's the problem, turned error reporting on:
[php]
ini_set('display_errors', 1);
error_reporting(E_ALL);
[/php]
and checked the values of both variables:
[php]
$STM->debugDumpParams();

echo "<br>".$sql."<br>";
echo $Email." ".$Password;
var_dump($count);
var_dump($row);
[/php]
and I get…
SQL: [78] SELECT type FROM Members WHERE email = :Email AND password = :Password Params: 2 Key: Name: [6] :Email paramno=-1 name=[6] “:Email” is_param=1 param_type=2 Key: Name: [9] :Password paramno=-1 name=[9] “:Password” is_param=1 param_type=2
SELECT type FROM Members WHERE email = :Email AND password = :Password
[email protected] test
int 0
boolean false
It looks like the variables are working, but how can I make sure they are being used in the query?

When I use " instead, it seems to make no difference.
When I change the code to

[php]
<?php
session_start();
include("db/configPDO.php");

if (isset($_POST['email'], $_POST['password'])) {
    $Email    = $_POST['email'];
    $Password = $_POST['password'];
    $dbh->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    try {
        $sql = "SELECT `type` FROM `members` WHERE `email` = :email AND `password` = :password";

        $STM = $dbh->prepare($sql);

        $STM->bindParam(":Email", $Email);
        $STM->bindParam(":Password", $Password);
        $STM->execute();
        $count = $STM->rowCount();

        $row = $STM->fetch();

        $STM->debugDumpParams();

        echo "<br>".$sql."<br>";
        echo $Email." ".$Password;
        var_dump($count);
        var_dump($row);
    } catch (PDOException $e) {
        // Only use line below during testing your query
        echo "Database error: ".$e->getMessage();
    }
    echo "<br>".$sql."<br>";
    echo $Email." ".$Password;

    $dbh = null;
}
?>
[/php]

I get

Database error: SQLSTATE[HY093]: Invalid parameter number: parameter was not defined
SELECT type FROM members WHERE email = :email AND password = :password
[email protected] test

How can the parameters not be defined when the variables are?

I honestly don't know why it's not working. Without having the full code and db to test against it's damn tough to say at this point. But the reason for the most recent error is because you changed the names of your parameters in the query but didn't change them in the bindParam(). Remember, php sees upper and lowercase as two separate things.

thank you!!!

You’re saying :email but binding :Email

The statements are case sensitive.

This is a classic example of why I always say to get in the habit of always using lower case.
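Because the mismatch only surfaces at execute() as SQLSTATE HY093, it helps to have a check that compares the placeholders in the SQL string with the names you are about to bind, before the query runs. The following is an added example (mine, not from the thread) of such a check; `sql_placeholders` and `check_bindings` are names I chose, and the regex is a deliberately simple approximation of PDO's placeholder syntax.

```php
<?php
// Added example: pre-flight comparison of named placeholders against bindings.
// Placeholder names are matched case-sensitively, so ":Email" does not satisfy
// ":email"; PDO only reports that at execute() time as SQLSTATE HY093.
declare(strict_types=1);

/**
 * Return the placeholder names in $sql (without the leading colon), in order
 * of first appearance. Caveat: a ':' inside a string literal (e.g. a time
 * such as '12:30') would also match; keep literals out of the SQL you check.
 */
function sql_placeholders(string $sql): array
{
    preg_match_all('/:([A-Za-z_][A-Za-z0-9_]*)/', $sql, $m);
    return array_values(array_unique($m[1]));
}

/**
 * Compare placeholders with the keys of a bindings array (':email' => value).
 * Returns ['unbound' => [...], 'unused' => [...]]; both empty means they agree.
 */
function check_bindings(string $sql, array $bindings): array
{
    $wanted = sql_placeholders($sql);
    $given  = array_map(
        function ($key) { return ltrim((string) $key, ':'); },
        array_keys($bindings)
    );
    return [
        'unbound' => array_values(array_diff($wanted, $given)),   // in SQL, not bound
        'unused'  => array_values(array_diff($given, $wanted)),   // bound, not in SQL
    ];
}

// The query from the thread with lower-case placeholders, checked first against
// the old capitalised binding names and then against matching ones.
$sql = 'SELECT `type` FROM `members` WHERE `email` = :email AND `password` = :password';

var_dump(check_bindings($sql, [':Email' => 'x', ':Password' => 'y']));
var_dump(check_bindings($sql, [':email' => 'x', ':password' => 'y']));
```

The first call reports `email` and `password` as unbound and `Email` and `Password` as unused, which is exactly the condition behind the "Invalid parameter number: parameter was not defined" message; the second reports nothing. Using execute() with an array of bindings, as in the second call, keeps the names in one place so the two sides cannot drift apart.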
