admin section

Hey everyone,

I have a login script that works but I want to add some code to it that includes the field labeled “user_level” in my database to determine whether or not the user is an admin or not…“1” for the admin and “0” for regular user. If the user is an admin, they will be redirected to the admin page, and if not, then they will be redirected to the regular user page.

here is the checkuser.php file for the login page
[php]<?php
session_start();

$host="****"; // Host name
$username="****"; // Mysql username
$password="****"; // Mysql password
$db_name="****"; // Database name
$tbl_name="****"; // Table name

// Connect to server and select database.
mysql_connect("$host", "$username", "$password") or die("cannot connect");
mysql_select_db("$db_name") or die("cannot select DB");

// username and password sent from form
$username=$_POST['username'];
$password=$_POST['password'];

// To protect MySQL injection
$username = stripslashes($username);
$password = stripslashes($password);
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);

$sql="SELECT * FROM users WHERE username='$username' AND password='$password' AND activated='0'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row

if($count==0){
    // Register $myusername, $mypassword and redirect to file "login_success.php"
    $_SESSION['username'] = $username;
    $_SESSION['password'] = $password;
    header("location: user-area.php");
}
else {
    echo "Wrong Username or Password";
}
?>[/php]
How would I achieve this? Do I simply just add another sql statement in and if so how would I write it so it doesn’t interfere with what I have already written? Any help would be greatly appreciated :)

First of all, you’re checking if $count is equal to 0 for the successful login. That should be $count == 1:

[php]if($count==1){[/php]

Once you’ve determined that the user’s information is valid, you can then use mysql_fetch_array to get the users’ record and check their “user_level”.

[php]if($count==1){
    // Register $myusername, $mypassword and redirect to file "login_success.php"
    $_SESSION['username'] = $username;
    $_SESSION['password'] = $password;

    $user = mysql_fetch_array($result);

    // NB: You might want to check if it's 1 or '1', depending on how the value is stored in MySQL
    if($user['user_level'] == '1') {
        header("Location: some-admin-page.php");
    } else {
        header("location: user-area.php");
    }
}
else {
    echo "Wrong Username or Password";
}[/php]

I did what you said and when I did, it told me that my username and password is wrong…which isn’t correct because I used what was stored in the database and used that for my log in information. So I don’t know why it would say it was incorrect…

also, wouldn’t I need to add a query for selecting the user_level field in my database and then do something with it?

Out of interest, shouldn’t you be checking for accounts that are activated?

[php]$sql="SELECT * FROM users WHERE username='$username' AND password='$password' AND activated='0'";[/php]

Should it be:

[php]$sql="SELECT * FROM users WHERE username='$username' AND password='$password' AND activated='1'";[/php]

That is correct, I don’t know why I set it as ‘0’. However, no difference…I still get a message stating I have the wrong username and password.

I’m stumped as to why it’s not working. Do you run PHPMyAdmin or a similar tool that allows you to run queries? Could you echo the $sql variable after it has been set and then put it into PMA and test it?

it returns empty for some reason when the fields are not empty…how should the query be?

Do you mean the query doesn’t have the $username and $password put into it correctly? Or that it returns no results?

Are you sure that the user and pass you’re trying are correct?

it’s not returning any results for some reason…the username and password is stored in the database and that’s what I use when I log in but it’s not recognizing the query when I put it in phpmyadmin…

ok, so I have the check user working but my admin.php still isn’t working right…It shows this error:
“Parse error: syntax error, unexpected T_ENCAPSED_AND_WHITESPACE, expecting T_STRING or T_VARIABLE or T_NUM_STRING in C:\Program Files (x86)\EasyPHP-5.3.8.1\www\Sample\admin-page.php on line 18”

here is the admin.php
[php]<?php

$user = $_SESSION['username'];

//connect to db
$connect = mysql_connect('*********','*****','****');
mysql_select_db('****');

$get = mysql_query("SELECT * FROM users WHERE user_level='1' AND user_level='0'");
while($row = mysql_fetch_assoc($get))
{
    $admin = $row['user_level'];
}

if ($admin == 0) {
    echo "Log in | Log out

This is not an admin page

";
    exit();
}
if ($admin == 1) {
    echo "Log in | Log out

This is an admin page

";
    exit();
}
?>
[/php]

ok, so I seem to understand this code better than the other logincheck but for some reason the user name and password combination doesn’t match even though I entered the same info as it is in the database. I must be doing something wrong…

here is what displays on the admin page since I have the print_r code to display: “Array ( [error] => Array ( [failed] => Username and Password combination do not match (2). ) [username] => ****** [password] => ******* )”

here is the checkuser.php
[php]<?php
session_start();

$host="****"; // Host name
$username="****"; // Mysql username
$password="****"; // Mysql password
$db_name="*******"; // Database name
$tbl_name="********"; // Table name

// Connect to server and select database.
mysql_connect("$host", "$username", "$password") or die("cannot connect");
mysql_select_db("$db_name") or die("cannot select DB");

// username and password sent from form
$username=$_POST['username'];
$password=$_POST['password'];

// To protect MySQL injection
$username = stripslashes($username);
$password = stripslashes($password);
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);

$sql="SELECT * FROM users WHERE username='$username' AND password='$password' AND activated='0'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row

if($count==0){
    // Register $myusername, $mypassword and redirect to file "login_success.php"
    $_SESSION['username'] = $username;
    $_SESSION['password'] = $password;
    header("location: index.php");
}
else {
    echo "Wrong Username or Password";
}
?>[/php]

here is the admin.php script:
[php]<?php

$user = $_SESSION['username'];

//connect to db
$connect = mysql_connect('****','****','****');
mysql_select_db('****');

$get = mysql_query("SELECT * FROM users WHERE user_level='1' OR user_level='0'");
while($row = mysql_fetch_assoc($get))
{
    $admin = $row['user_level'];
}

if ($admin == 0) {
    header("Location: user-area.php");
    exit();
}
elseif ($admin == 1) {
    header("Location: admin-page.php");
    exit();
}
?>[/php]

I meant to say [php]if($count==1)[/php] for the checkuser.php so that’s what I have. Sorry for the confusion

Out of interest, does your username or password contain any kind of characters or items that would upset MySQL?

If you echo them both after:

[php]$username = stripslashes($username);
$password = stripslashes($password);
$username = mysql_real_escape_string($username);
$password = mysql_real_escape_string($password);[/php]

Have they changed at all?
Also, do you still have the line 18 error?

ok, for some reason, the issue is fixed I think because that array message that I got before doesn’t show the word error…it shows “Array ( [username] => ***** [password] => ******* )” So I guess this means the login went through and the sessions have started. …Now for the “too many redirect error” I get when I ‘include’ the ‘admin’ script… I have one redirect header in the checkuser.php and then I have two in the admin script here:
[php]<?php

$user = $_SESSION['username'];

//connect to db
$connect = mysql_connect('****','****','****');
mysql_select_db('****');

$get = mysql_query("SELECT * FROM users WHERE user_level='1' OR user_level='0'");
while($row = mysql_fetch_assoc($get))
{
    $admin = $row['user_level'];
}

if ($admin == 0) {
    header("Location: user-area.php");
    exit();
}
elseif ($admin == 1) {
    header("Location: admin-page.php");
    exit();
}
?>[/php]
Do I solve this by using certain kinds of sessions? I’m not sure if I said that right…

[php]<?php
$user = $_SESSION['username'];

//connect to db
$connect = mysql_connect('******','****','*******');
mysql_select_db('*******');

$get = mysql_query("SELECT * FROM `users` WHERE user_level='1' OR user_level='0'");
while($row = mysql_fetch_assoc($get))
{
    $admin = $row['user_level'];
    if ($admin == 0) {
        header("Location: user-area.php");
    }
    elseif ($admin == 1) {
        header("Location: admin-page.php");
    }
}
?>[/php]

I did what you said however, I have this as the message that displays instead of the website it is supposed to be directed to

“This webpage has a redirect loop
The webpage at http://127.0.0.1:8080/Sample/user-area.php has resulted in too many redirects. Clearing your cookies for this site or allowing third-party cookies may fix the problem. If not, it is possibly a server configuration issue and not a problem with your computer.
Here are some suggestions:
Reload this webpage later.
Learn more about this problem.
Error 310 (net::ERR_TOO_MANY_REDIRECTS): There were too many redirects.”

How do I fix this?

IF YOU WANT TO SIMPLY REDIRECT WHEN USER_LEVEL=0 THEN ON user-area.php AND WHEN USER_LEVEL=1 THEN admin-page.php THEN JUST USE THIS ONE

[php]<?php
$user = $_SESSION['username'];

//connect to db
$connect = mysql_connect('******','****','*******');
mysql_select_db('*******');

$get = mysql_query("SELECT * FROM users where username=$user"); // calling two field is throw an ambiguity
while($row = mysql_fetch_array($get))
{
    $admin = $row['user_level'];
    if ($admin == 0) {
        header("Location: user-area.php");
    }
    elseif ($admin == 1) {
        header("Location: admin-page.php");
    }
}
?>[/php]

ok, I did that…and I get these errors…

"Notice: Undefined variable: _SESSION in C:\Program Files (x86)\EasyPHP-5.3.8.1\www\Sample\checkuser.php on line 3

Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in C:\Program Files (x86)\EasyPHP-5.3.8.1\www\Sample\checkuser.php on line 10"

checkuser.php is the admin.php that you had posted in the previous post

You need to get one unique field from your table, then use the query you are using. Without a unique field from your table, it throws an error.

select * from tablename where columname='xyz' AND columname='0' OR columname='1'

where this columnname='xyz' is the unique field for this statement … try it like this

Thanks. If you still have a query, feel free to ask.

I still get the

“Notice: Undefined variable: _SESSION in C:\Program Files (x86)\EasyPHP-5.3.8.1\www\Sample\checkuser.php on line 3”

am I supposed to make that variable the name of the field that I have in the database? “user_level”? or keep it as ‘user’?
[php]<?php

$user = $_SESSION['username'];

//connect to db
$connect = mysql_connect('****','*****','****');
mysql_select_db('*******');

$get = mysql_query("SELECT * FROM users where user_level= '0' AND user_level= '1'"); // calling two field is throw an ambiguity
while($row = mysql_fetch_array($get))
{
    $admin = $row['user_level'];
    if ($admin == 0)
    {
        header("Location: user-area.php");
    }
    elseif ($admin == 1)
    {
        header("Location: admin-page.php");
    }
}
?>
[/php]
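
Added example, not part of any post in this thread: one way to tie the pieces discussed above together, with `session_start()` before any use of `$_SESSION`, a lookup by the unique username instead of a scan over every row's `user_level`, and an admin guard that never redirects to the page it protects. It swaps the thread's `mysql_*` calls and plaintext password comparison for PDO prepared statements and `password_verify()`. The connection values, the `password_hash` column (filled with `password_hash()` at registration), `login.php`, and the function names `db`, `login` and `require_admin` are assumptions for illustration.

```php
<?php
// Added example, not code from the thread. Assumed schema:
// users(username UNIQUE, password_hash, activated, user_level).

function db(): PDO {
    // Placeholder DSN and credentials.
    return new PDO('mysql:host=localhost;dbname=sample;charset=utf8mb4', 'dbuser', 'dbpass', [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
}

// checkuser.php: fetch exactly one activated account by its unique username.
function login(PDO $pdo, string $username, string $password): bool {
    $stmt = $pdo->prepare(
        'SELECT username, password_hash, user_level FROM users
         WHERE username = ? AND activated = 1 LIMIT 1'
    );
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);                         // fresh session ID after login
    $_SESSION['username']   = $row['username'];
    $_SESSION['user_level'] = (int) $row['user_level'];  // the password is never stored
    return true;
}

// Call at the top of admin-page.php only. It sends non-admins elsewhere and
// never targets admin-page.php itself, so it cannot produce a redirect loop.
function require_admin(): void {
    if (!isset($_SESSION['username'])) {
        header('Location: login.php');   // hypothetical login form page
        exit;
    }
    if (($_SESSION['user_level'] ?? 0) !== 1) {
        header('Location: user-area.php');
        exit;
    }
}

session_start();   // must run on every page before $_SESSION is read or written
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $u = (string) filter_input(INPUT_POST, 'username');
    $p = (string) filter_input(INPUT_POST, 'password');
    if (login(db(), $u, $p)) {
        header('Location: ' . ($_SESSION['user_level'] === 1 ? 'admin-page.php' : 'user-area.php'));
        exit;
    }
    echo 'Wrong Username or Password';
}
```

The role decision is made once at login and read back from the session; `user-area.php` needs only a logged-in check, not a redirect based on `user_level`.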
