0

I have the following code:

<?php
session_start(); // Starting Session
include_once('config.php');

$error=''; // Variable To Store Error Message
if (isset($_POST['submit'])) {
if (empty($_POST['user']) || empty($_POST['pass'])) {
$error = "Please complete both fields";
}else{
// Define $username and $password
$user=$_POST['user'];
$pass=md5($_POST['pass']);
// To protect MySQL injection for Security purpose
$user = stripslashes($user);
$pass = stripslashes($pass);
$user = mysqli_real_escape_string($mysqli, $user);
$pass = mysqli_real_escape_string($mysqli, $pass);
// SQL query to fetch information of registered users and finds user match.
$result = mysqli_query($mysqli, "SELECT * FROM users WHERE Username='$user' AND Password='$pass' LIMIT 1");
if ($row = mysqli_fetch_array($result)) {
    $_SESSION['Username'] = $row['Username'];
    $_SESSION['Account_Type'] = $row['Account_Type'];

if ($row['Account_Type'] === 'A') {
    header ("location: adminHome.php");
    exit;
} else {
    header ("location: home.php");
    exit;
}
} else {
    $error = "Username or Password is invalid";

    mysqli_close($mysqli); // Closing mysqli connection
}
    }
}
?>

<!doctype html>
<html>
<head>
<link rel="stylesheet" type="text/css" href="style/style.css"> 
<script type="text/javascript" src="//code.jquery.com/jquery-2.1.3.min.js"></script>
<title>Login</title>

</head>
<body>

<div id = "logReg">
<span href="#" class="button" id="toggle-login">Log in</span> 
</div>

<div id="login">
  <div id="triangle"></div>
  <h1>Log in</h1>
  <form action = "" id = "logregform" method = "POST">
    <p id = "err"> <?php if(isset($error)) {echo $error;} ?> </p>
<input id = "logtxt" type="text" placeholder="Username" name = "user" required/>
<input type="password" placeholder="Password" name = "pass" required/>
<input type="submit" value="Log in" name = "submit" />
<br>
<br>
<p id ="bklg">Dont have an account? <a href="register.php">Sign up</a></p> 
  </form>
</div>
<script>

$('#toggle-login').click(function(){
  $('#login').slideToggle('fast'); 
});
</script>
</html>

I'm able to login as a normal user whos account_type is "U".
However im unable to login as an admin with account_type is "A". Ive set the admins username and password to 456 just for testing purposes but once i type that in and click submit i instantly get the error saying that the username and password is invalid.

Any ideas what ive done wrong or how to fix this?

Thanks!

3
Contributors
13
Replies
49
Views
2 Years
Discussion Span
Last Post by joshuajames.delacruz
Featured Replies
0

Your code seem fine for me. Have you tried to echo out the $user and $pass before the query and compare manually to the database?

0
<?php
session_start(); // Starting Session
include_once('config.php');

$error=''; // Variable To Store Error Message
if (isset($_POST['submit'])) {
    if (empty($_POST['user']) || empty($_POST['pass'])) {
    $error = "Please complete both fields";
    }
    else{
        // Define $username and $password
        $user=$_POST['user'];
        $pass=md5($_POST['pass']);
        // To protect MySQL injection for Security purpose
        $user = stripslashes($user);
        $pass = stripslashes($pass);
        $user = mysqli_real_escape_string($mysqli, $user);
        $pass = mysqli_real_escape_string($mysqli, $pass);
        // SQL query to fetch information of registered users and finds user match.
        $result = mysqli_query($mysqli, "SELECT * FROM users WHERE Username='$user' AND Password='$pass' LIMIT 1");
        if ($row = mysqli_fetch_array($result)) {
            $_SESSION['Username'] = $row['Username'];
            $_SESSION['Account_Type'] = $row['Account_Type'];

                //try this method sometimes you need a variable instead directly putting the date
                $acct = $row['Account_Type'];

                    if ($acct === 'A') {
                        header ("location: adminHome.php");
                        exit;
                    } else {
                        header ("location: home.php");
                        exit;
                    }

            } else {
        $error = "Username or Password is invalid";

        mysqli_close($mysqli); // Closing mysqli connection
        }
    }
}
?>

<!doctype html>
<html>
<head>
<link rel="stylesheet" type="text/css" href="style/style.css"> 
<script type="text/javascript" src="//code.jquery.com/jquery-2.1.3.min.js"></script>
<title>Login</title>

</head>
<body>

<div id = "logReg">
<span href="#" class="button" id="toggle-login">Log in</span> 
</div>

<div id="login">
  <div id="triangle"></div>
  <h1>Log in</h1>
  <form action = "" id = "logregform" method = "POST">
    <p id = "err"> <?php if(isset($error)) {echo $error;} ?> </p>
<input id = "logtxt" type="text" placeholder="Username" name = "user" required/>
<input type="password" placeholder="Password" name = "pass" required/>
<input type="submit" value="Log in" name = "submit" />
<br>
<br>
<p id ="bklg">Dont have an account? <a href="register.php">Sign up</a></p> 
  </form>
</div>
<script>

$('#toggle-login').click(function(){
  $('#login').slideToggle('fast'); 
});
</script>
</html>
0

@Ips yeah ive echoed them out. the user can login fine.

@joshuajames.delacruz ive tried the above code but the same thing happens. When logging in as the admin it instantly says "invalid username or password"

0

Wait, did you set the password of admin to '456' manually in database?

But based on your code, the $pass is set to $pass=md5($_POST['pass']);, posibly the '456' not matching md5('456') which causing the password is wrong.

0

sorry my bad there's a mistake on the Query

$result = mysqli_query($mysqli, "SELECT * FROM users WHERE Username='$user' AND Password='$pass' LIMIT 1");


  `

Edited by joshuajames.delacruz

0

may I know what's the password in database? Is it '250cf8b51c773f3f8dc8b4be867a9a02' or '456'?

And when you echo the $pass, is it '250cf8b51c773f3f8dc8b4be867a9a02' or '456'?

Edited by lps

0

the password originally was 456 but now its 250cf8b51c773f3f8dc8b4be867a9a02. however that still the admin to the normal users homepage instead of the adminhome.php

0

This is the revised code just copy and paste it.

<?php
session_start(); // Starting Session
include_once('config.php');

$error=''; // Variable To Store Error Message
if (isset($_POST['submit'])) {
    if (empty($_POST['user']) || empty($_POST['pass'])) {
    $error = "Please complete both fields";
    }
    else{
        // Define $username and $password
        $user=$_POST['user'];
        $pass=md5($_POST['pass']);
        // To protect MySQL injection for Security purpose
        $user = stripslashes($user);
        $pass = stripslashes($pass);
        $user = mysqli_real_escape_string($mysqli, $user);
        $pass = mysqli_real_escape_string($mysqli, $pass);
        // SQL query to fetch information of registered users and finds user match.
        $result = mysqli_query($mysqli, "SELECT * FROM users WHERE Username='$user' AND Password='$pass' LIMIT 1");
        if ($row = mysqli_fetch_array($result)) {
            $_SESSION['Username'] = $row['Username'];
            $_SESSION['Account_Type'] = $row['Account_Type'];

                //try this method sometimes you need a variable instead directly putting the date
                $acct = $row['Account_Type'];
                $_SESSIONS['Account_type'] = $acct;
                    if ($acct === 'A') {
                        header ("location: adminHome.php");
                        exit;
                    } else {
                        header ("location: home.php");
                        exit;
                    }

            } else {
        $error = "Username or Password is invalid";

        mysqli_close($mysqli); // Closing mysqli connection
        }
    }
}
?>

<!doctype html>
<html>
<head>
<link rel="stylesheet" type="text/css" href="style/style.css"> 
<script type="text/javascript" src="//code.jquery.com/jquery-2.1.3.min.js"></script>
<title>Login</title>

</head>
<body>

<div id = "logReg">
<span href="#" class="button" id="toggle-login">Log in</span> 
</div>

<div id="login">
  <div id="triangle"></div>
  <h1>Log in</h1>
  <form action = "" id = "logregform" method = "POST">
    <p id = "err"> <?php if(isset($error)) {echo $error;} ?> </p>
<input id = "logtxt" type="text" placeholder="Username" name = "user" required/>
<input type="password" placeholder="Password" name = "pass" required/>
<input type="submit" value="Log in" name = "submit" />
<br>
<br>
<p id ="bklg">Dont have an account? <a href="register.php">Sign up</a></p> 
  </form>
</div>
<script>

$('#toggle-login').click(function(){
  $('#login').slideToggle('fast'); 
});
</script>
</html>

then the adminhome.php

if($_SESSION['Acct_type'] == 'user'){
header('Location: userhome.php');
}

the userhome.php

if($_SESSION['Acct_type'] == 'admin'){
    header('Location: adminhome.php');
    }
0

First of all, try to echo the $row['Username'] and $row['Account_Type'] after you retrieve them from database.
Then, as you have limit the query to 1, you should probably using mysqli_fetch_assoc instead of mysqli_fetch_array.

@joshua, the problem caused by the $_SESSION['Acct_type'] is not defined to be used as comparism, the coding you show set the data into $row['Account_Type'].

This question has already been answered. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.