
How do I differentiate the redirection page for user and admin?

Database Table:

[screenshot of the login table not preserved]

Here is my code:

<?php

   require ("config.php");

   //connect to mysql (mysqli_connect_error() is the mysqli counterpart of the old mysql_error())
   $link = mysqli_connect($h,$u,$p,$db)
   OR die(mysqli_connect_error());

   //look up the submitted username and password (POST data is spliced straight into the SQL text)
   $query = "select * from login where username='".$_POST["uname"]."' and password='".$_POST["pswd"]."'";

   $result = mysqli_query($link,$query);
   $count = mysqli_num_rows($result);
   //while($row = mysqli_fetch_assoc($result)) {
   //}
   if($count==1){
    session_start();
    $_SESSION['username'] = $_POST["uname"];
    $_SESSION['password'] = $_POST["pswd"];
    header("Location: index.html");
    exit; //stop the script after sending the redirect
   }
   else{
    echo "<script language=\"JavaScript\">\n";
    echo "alert('Username or Password was incorrect!');\n";
    echo "window.location='login.html'";
    echo "</script>";
   }
?>

How do I separate user and admin login? I'm rather new here, so your explanation/code is much appreciated!

Thanks in advance!

  • Your script is at risk of [SQL Injection Attack](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Have a look at what happened to [Little Bobby Tables](http://bobby-tables.com/). Even [if you are escaping inputs, it's not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) Use [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). – John Conde Mar 30 '17 at 02:29
  • Use the `usertype` field in your database. That will make the difference you are asking for. – Irvin Mar 30 '17 at 02:30
  • @Irvin hey, thanks for the reply. Erm, can you tell me where I should put the `usertype`? – Syed Shahrul Shafiq Mar 30 '17 at 02:31
  • NEVER store passwords in plain text in the database. Use encryption. – Christophvh Mar 30 '17 at 07:28
  • @Christophvh how do I do that? – Syed Shahrul Shafiq Mar 31 '17 at 02:56
  • If you are new to the subject, there are tons of libraries available. Take a look at this post: http://stackoverflow.com/questions/4795385/how-do-you-use-bcrypt-for-hashing-passwords-in-php – Christophvh Mar 31 '17 at 06:53
  • @Christophvh alright will do, thanks again! – Syed Shahrul Shafiq Mar 31 '17 at 06:57

2 Answers

You could add a field in the database that is the redirect page for the user; when the user logs in, it just redirects to that page. Or you could just do this:

<?php session_start();

   require ("config.php");

   //connect to mysql (mysqli_connect_error() is the mysqli counterpart of the old mysql_error())
   $link = mysqli_connect($h,$u,$p,$db)
   OR die(mysqli_connect_error());

   //same lookup as in the question (still built by string concatenation, see the comments above)
   $query = "select * from login where username='".$_POST["uname"]."' and password='".$_POST["pswd"]."'";

   $result = mysqli_query($link,$query);
   $count = mysqli_num_rows($result);
   $userType = null;
   while($row = mysqli_fetch_assoc($result)) {
     $userType = $row['usertype']; //read the role column from the matched row
   }
   if($count==1){
     $_SESSION['username'] = $_POST["uname"];
     $_SESSION['password'] = $_POST["pswd"];
     if ($userType=='admin') {
       header("Location: index.html"); //wherever you want to take admins
     } else {
       header("Location: index.html"); //wherever you want to take all users
     }
     exit; //stop the script after sending the redirect
   }
   else{
     echo "<script language=\"JavaScript\">\n";
     echo "alert('Username or Password was incorrect!');\n";
     echo "window.location='login.html'";
     echo "</script>";
   }
?>

session_start(); should always be the first thing in the document, FYI.


Although I'm not a user of mysqli, this might guide you. Just convert it to the mysqli version:

// $row is the matched login row, e.g. from mysqli_fetch_assoc($result)
if('admin' == $row['usertype']) {
    header('Location:admin.php');
    exit; // nothing after a redirect header should run
}
if('user' == $row['usertype']) {
    header('Location:user.php');
    exit;
}
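A hardened version of the login handler, as an added example that is not the asker's or either answerer's code. It combines the role-based redirect from both answers with the two fixes the question's comments ask for: a prepared statement instead of string concatenation, and `password_verify()` against a stored hash instead of comparing plain text. Assumptions: the `login` table from the question with columns `username`, `password` and `usertype`, where `password` holds a `password_hash()` digest written at registration (not the plain text the question stores); `config.php` defines `$h`, `$u`, `$p`, `$db` as in the question; the landing pages `admin.php` and `user.php` are taken from the second answer.

```php
<?php
// Added example (not code from the question or the answers). Assumes the
// question's login table (username, password, usertype) with `password`
// holding a password_hash() digest, and $h/$u/$p/$db from config.php.
session_start();                       // first statement, before any output
require "config.php";

// Role -> landing page. Only values from this map ever reach the Location
// header, so an unexpected or corrupted usertype cannot steer the redirect.
$landingPages = [
    'admin' => 'admin.php',
    'user'  => 'user.php',
];

$link = mysqli_connect($h, $u, $p, $db);
if ($link === false) {
    // mysqli_connect_error() is the mysqli counterpart of the removed mysql_error();
    // the detail goes to the server log, not to the browser.
    error_log('DB connect failed: ' . mysqli_connect_error());
    http_response_code(500);
    exit('Service unavailable');
}

$uname = $_POST['uname'] ?? '';
$pswd  = $_POST['pswd']  ?? '';

// Prepared statement: the username is bound as a parameter and never spliced
// into the SQL text, so a value such as  ' OR '1'='1  stays a literal string.
$stmt = mysqli_prepare($link, 'SELECT password, usertype FROM login WHERE username = ? LIMIT 1');
mysqli_stmt_bind_param($stmt, 's', $uname);
mysqli_stmt_execute($stmt);
mysqli_stmt_bind_result($stmt, $storedHash, $userType);
$found = mysqli_stmt_fetch($stmt);     // true if a row matched, null if none
mysqli_stmt_close($stmt);

// password_verify() checks the submitted password against the salted hash;
// the plain-text password is never stored and never placed in the session.
if ($found && password_verify($pswd, $storedHash) && isset($landingPages[$userType])) {
    session_regenerate_id(true);       // new session id once privileges change
    $_SESSION['username'] = $uname;
    $_SESSION['usertype'] = $userType; // protected pages authorize on this, not on the URL
    header('Location: ' . $landingPages[$userType]);
    exit;                              // nothing below may run after a redirect
}

// One message for "no such user" and "wrong password" alike, so the response
// does not reveal which usernames exist.
header('Location: login.html?error=1');
exit;
```

The redirect only chooses a landing page; it is not access control. `admin.php` must itself check `($_SESSION['usertype'] ?? '') === 'admin'` and send anyone else back to `login.html`, because the URL can be typed directly. The `password` column is filled at registration with `password_hash($pswd, PASSWORD_DEFAULT)`; rows that still hold plain text have to be re-hashed once before this handler will log those users in.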