0

Hey i am currently working on a book store for a university project. And would like to implement that only admins can access the backend of the website.

My login scripts currently allows all types of users Login .

I have two mysql tables a user table and a userType table.

Within the user table i have the following fields : userId , username , password & userTypeId.

Within the userType table i have the following fields : userTypeId & userType

The userTypeId is the foreign key between the two tables.

Here is the script for the admin_login.php page

<?php

session_start();
if (isset($_SESSION["superUser"])){
	header("location: index.php");
	exit();
	
}
?>
<?php

if (isset($_POST["username"]) &&isset ($_POST["password"])) {
	$superUser = preg_replace('#[^A-Za-z0-9]#i', '', $_POST["username"]);
	$password = preg_replace('#[^A-Za-z0-9]#i', '', md5($_POST["password"]));

	

//connect to sql data

include "../storescripts/mysql.php";
$sql= mysql_query("SELECT userID FROM user WHERE username='$superUser'  AND password='$password' LIMIT 1");

//MAKE SURE USER EXISTS

$existCount = mysql_num_rows($sql); //Counts the number of rows 
if($existCount==1){
	while($row = mysql_fetch_array($sql)){
		$userID = $row["userID"];
}

$_SESSION["userID"]= $userID;
$_SESSION["superUser"] = $superUser;
$_SESSION["password"] = $password;




header("location: index.php");


exit ();


}else {
	
	
 	echo("incorrect username or password");
	
	
	
	exit();
}
}


?>


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Store Admin</title>
<link href="../styles/abcMainLogin.css" rel="stylesheet" type="text/css" />
<link href="styles/abcMain.css" rel="stylesheet" type="text/image_viewer" />
<script src="http://jqueryjs.googlecode.com/files/jquery-1.2.6.min.js" type="text/javascript"></script>  
<script src="popup.js" type="text/javascript"></script> 

</head>
       
<body>





<div id="container">
	<div id="header">
   
    <img src="../Images/logo.png" width="200" height="200" /></div>
	<div id="navigation">
		<ul>
			<li><a href="/index.php">Home</a></li>
	
		</ul>
	</div>
  <div id="content-container1">
		<div id="content-container2">
			<div id="section-navigation">
		
			</div>
			<div id="content">
	       <h2> Log in </h2>
       
           <br/>
  <form id="form1" name="form1" method="post" action="admin_login.php"> 
  <table align=center width="50%" border="0" cellspacing="0" cellpadding="10">
  <tr>
  <td width="80%" height="40">Username: </td>
  <td width="80%"><label>
  <input name="username" type="text" id="username" size maxlength="20""40" /></label>
 
  </td>
  </tr>
 
  <tr>
  <td height="40">Password: </td>
  <td><label><input name="password" type="password" id="password" size="20" maxlength="64"/></label>
  </td>
  </tr>
  
  <tr>
  <td height="40"></td>

  <td><input type="submit" name="button" id="button" value="LogIn"  />
  </td>
  </tr>
    </table>
      &nbsp;
    </form>
 

</div>

</div>
			</div>
			<div id="aside">
				<h3>
					
				</h3>
		
			</div>
			<div id="footer">
				Copyright © ABC Books |<a href="_admin/index.php">Admin</a>
			</div>
		</div>
	</div>
</div>

</body>
</html>

This is the code for the redirect page on successful login

<?php

session_start();
if(!isset($_SESSION["superUser"])){
	header("location:admin_login.php");
	exit();
	
	
}
 

//be sure to check that this superUser SESSION is in the database
$superUserID = preg_replace('#[^0-9]#i','', $_SESSION["userID"]);
$superUser = preg_replace('#[^A-Za-z0-9]#i', '', $_SESSION["superUser"]);
$password = preg_replace('#[^A-Za-z0-9]#i', '', ($_SESSION["password"]));

//connect to sql data

include "../storescripts/mysql.php";
$sql= mysql_query("SELECT * FROM user WHERE userID='$superUserID' AND username='$superUser' AND password='$password' LIMIT 1");

//MAKE SURE USER EXISTS


$existCount = mysql_num_rows($sql); //Counts the number of rows 
if($existCount==0){
	echo "false details";
	exit();
	
}

?>


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Store Admin</title>
<link href="../styles/abcMainAdminIndex.css" rel="stylesheet" type="text/css" />
</head>

<body>

<div id="container">
	<div id="header">
   
    <img src="../Images/logo.png" width="200" height="200" /></div>
	<div id="navigation">
		<ul>
			<li></li>
			<li></li>
			<li></li>
			<li><a href="admin_logout.php">Logout</a></li>
            <li><a href="../index.php">Store Front</a></li>
		</ul>
	</div>
  <div id="content-container1">
		<div id="content-container2">
			<div id="section-navigation">
			
			</div>
<div id="content">
				<h2>
					Welcome <font size="4"><i><u><?php echo $superUser; ?></u></i></font> - Select an option below
				</h2>
                
                <br />
                <p><a href="book_inventory_list.php">Manage Book Inventory</a> | <a href="user.php">User</a> | <a href="author.php">Author</a> | <a href="stock.php">Stock</a><p>
                <p><a href="publisher.php"> Publisher</a> | <a href="address.php">Address </a> | <a href="supplier.php">Supplier</a> | <a href="genre.php">Genre</a> | <a href="format.php">Format </a> </p>
		
			</div>
			<div id="aside">
				<h3>
					
				</h3>
		
			</div>
			
		</div>
	</div>
  
</div>
<div id="footer">
				Copyright © ABC Books 
			</div>
</body>
</html>

I hope this helps.

To sum it up i would like to only allow users to login where of course the username & password match but also the userTypeId is = 1.

Also i would like to implement a function that instead of echoing back saying "incorrect username or password" but to identify which field was incorrect.

Thank you

2
Contributors
3
Replies
5
Views
5 Years
Discussion Span
Last Post by blocblue
1

Why not simply add the user type to the query when looking up the username and password?

$sql= mysql_query("SELECT userID FROM user WHERE username='$superUser'  AND password='$password' AND userTypeId = 1 LIMIT 1");
0

Why not simply add the user type to the query when looking up the username and password?

$sql= mysql_query("SELECT userID FROM user WHERE username='$superUser'  AND password='$password' AND userTypeId = 1 LIMIT 1");

ahh that works thank you

This question has already been answered. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.