IN THE CODE BELOW, WHEN I LOG IN AS ADMIN IT IS ok, BUT WHEN I LOG IN AS TRADER I GET AN ERROR

```php
<?php
include("config.php");
session_start();
?>
<?php
if(isset($_POST['user_login']))
{
    $username=$_POST['username'];
    $password=$_POST['password'];
    $stmt = $DB_con->prepare("SELECT user_name,user_password,role FROM users WHERE user_name=:username");
    $stmt->bindParam(':username', $username, PDO::PARAM_STR);
    $stmt->execute();
    $user=$stmt->fetch(PDO::FETCH_BOTH);
    if($user && $user['role']=="Trader" && password_verify($password,$user['user_password']))
    {
        ?>
        <script>
            alert('You have succesfully logged in please continue with your Administation managements');
            window.location.href='../Admin/index';
        </script>
        <?php
        $_SESSION['admin']=$username;
    }
    elseif($user && $user['role']=="Admin" && password_verify($password,$user['user_password']))
    {
        ?>
        <script>
            alert('You have succesfully logged in please continue with your Administation managements');
            window.location.href='../Admin/index';
        </script>
        <?php
        $_SESSION['admin']=$username;
    }
    else
    {
        ?>
        <script>
            alert('Sorry the details you entered are not correct please re_enter the correct details');
            window.location.href='../index';
        </script>
        <?php
        exit();
    }
}
?>
```

Admin Edit: Fixed Code Tags

Which error did you get?

When I log in as trader, the error is that the password is not correct, though the password is correct, but when I log in as admin it is successful.

No. By stringing together three dissimilar tests in one conditional statement, the “details you entered are not correct” message can mean that the username wasn’t found, that the role wasn’t exactly ‘Trader’ or ‘Admin’, or that the password didn’t verify, and there’s no simple way, without adding even more logic, to determine which test failed.

Authenticating who someone is involves verifying the submitted username, then verifying the password. This is a separate concern from the user’s role and the logic for these two different things should be separate. Separating out each step in the process will give you logic with specific points in it where you can add debugging/logging statements to determine which test is failing.

There’s a bunch of repetitive and unnecessary code in this. It is missing validation logic for the form data (if the username or password is empty, there’s no point in using the data), the user role should be a role id, with a separate database table holding the role names, the session variable should hold the logged-in user’s id (auto-increment primary index), not the username, and the session variable should be named for the meaning of the data in it, not for a specific type/role of the user. It also appears that the login form and the form-processing code are on different pages, making for a bad User eXperience (UX).

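One way to lay the handler out along the lines of that reply, as an added example that is neither the original poster's code nor a fix of it: input validation, authentication (username lookup, then password check) and role handling are three separate steps, each with its own logging point, and the session stores the user's id under a name that says what it holds. It assumes `$DB_con` is the PDO connection from the question, a `users` table with columns `id`, `user_name`, `user_password` and `role_id`, and a `roles` table with `id` and `name`; the `../Trader/index` path is a placeholder.

```php
<?php
// Added example, not the original poster's code. Assumes $DB_con (PDO),
// a `users` table (id, user_name, user_password, role_id) and a `roles`
// table (id, name). Paths other than ../Admin/index are placeholders.
include("config.php");
session_start();

// Step 1: validate the submitted form data before touching the database.
function validate_login_input(array $post): array
{
    $errors = [];
    $username = trim($post['username'] ?? '');
    $password = $post['password'] ?? '';
    if ($username === '') {
        $errors[] = 'Username is required.';
    }
    if ($password === '') {
        $errors[] = 'Password is required.';
    }
    return [$errors, $username, $password];
}

// Step 2: authentication (who is this?): look the username up, then verify
// the password. Each failing test is logged separately so you can see which
// one failed; the user sees one generic message either way.
function authenticate_user(PDO $db, string $username, string $password): ?array
{
    $stmt = $db->prepare(
        'SELECT u.id, u.user_name, u.user_password, r.name AS role_name
           FROM users u JOIN roles r ON r.id = u.role_id
          WHERE u.user_name = :username'
    );
    $stmt->bindValue(':username', $username, PDO::PARAM_STR);
    $stmt->execute();
    $user = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($user === false) {
        error_log("login: no such user '{$username}'");
        return null;
    }
    if (!password_verify($password, $user['user_password'])) {
        error_log("login: password_verify failed for user id {$user['id']}");
        return null;
    }
    return $user;
}

// Step 3: the role is a separate concern; map the role name from the
// roles table to the page that role lands on.
function landing_page_for_role(string $roleName): ?string
{
    $pages = [
        'Admin'  => '../Admin/index',
        'Trader' => '../Trader/index',   // placeholder path
    ];
    return $pages[$roleName] ?? null;
}

if (isset($_POST['user_login'])) {
    [$errors, $username, $password] = validate_login_input($_POST);

    if (!$errors) {
        $user = authenticate_user($DB_con, $username, $password);
        if ($user === null) {
            $errors[] = 'The username or password is incorrect.';
        }
    }

    if (!$errors) {
        $target = landing_page_for_role($user['role_name']);
        if ($target === null) {
            error_log("login: user id {$user['id']} has unhandled role '{$user['role_name']}'");
            $errors[] = 'Your account has no page to log in to.';
        }
    }

    if (!$errors) {
        session_regenerate_id(true);            // fresh session id after login
        $_SESSION['user_id'] = (int) $user['id']; // named for what it holds
        header('Location: ' . $target);
        exit();
    }

    // Same page as the form: render $login_errors above the form fields.
    $login_errors = $errors;
}
?>
```

With this layout a "wrong password" report from a Trader shows up in the server log as either `no such user`, `password_verify failed` or `unhandled role`, which is exactly the distinction the single combined conditional in the question could not make. The browser still gets one generic message for both the unknown-username and wrong-password cases, so the error text does not reveal which usernames exist.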