Can't get Admin Login to work

I have been trying to create an admin area using a bool of admin being 1 and user being 0.
However, when I login regardless if the user is admin or not, I am returned to the homepage instead of being directed to the admin page. Here is my code

function loginUser ($conn, $username, $password){
    $usernameExists = usernameExists($conn, $username);

    if ($usernameExists === false){
        header("location: ../login.php?error=incorrectLogin");
    $passwordHash = $usernameExists["password"];
    $checkPassword = password_verify($password, $passwordHash);

    if ($checkPassword === false){
        header("location: ../login.php?error=incorrectPassword");
    elseif ($checkPassword === true){
        $sql="select * from users where username='".$username."' AND password ='".$password."'";

        $result=mysqli_query($conn, $sql);
        $row = mysqli_fetch_array($result);
        $_SESSION["id"] = $usernameExists["id"];
        $_SESSION["username"] = $usernameExists["username"];
        $_SESSION["is_admin"] = $usernameExists["is_admin"];

        if($row['is_admin'] == 1){
            header("location: ../adminArea/admin.php");

        else {
            header("location: ../Home.php?error=none");
        echo "Welcome " . $_SESSION['username'];

Any help is greatly appreciated

Dump the value of $row[‘is_admin’] and kill the script. Is the value what you are expecting?

 $_SESSION["username"] = $usernameExists["username"];
 $_SESSION["is_admin"] = $usernameExists["is_admin"];


There are other issues with the code that should be dealt with when you get it “working”.

The select query in the posted code will never match a row, because the passwords in the database are hashed and will not match the submitted $password value.

When a person logs in you are authenticating WHO they are, not what their permissions are. You should only store the user_id in a session variable, then query on each page request to get any other user information such as the username or access information. This will allow those pieces of information to be edited and they will take affect on the next page request. By storing them in session variables, any changes made to the values won’t take effect until the user logs in again. If you promote or demote (ban) a user, you want it to take effect on the very next page request.

The only redirect your login code should have is to the exact same url of the current page, upon successful login. This will cause a get request for that page which will prevent the browser from trying to resubmit the form data if the user reloads that page or browses away from and back to that page. If you want to allow the user to goto a different page, provide navigation link(s).

The form and the form processing code should be on the same page. This will eliminate all the repeated logic for the redirects and displaying user errors. Just store the user error messages in an array, then test and display the content of that array when you re-display the form.

Don’t put external, unknown, dynamic values directly into sql query statements. Use a prepared query instead.

You should also trim, then validate all inputs before using them.

Session_start doesn’t belong inside that logic. It belongs near the top of the code on any page that needs it. In fact, if the current user is already logged in, you wouldn’t display nor process the login form, which requires you to preform the session test before ever running the posted code.

Sponsor our Newsletter | Privacy Policy | Terms of Service