
here is the validate login page:

<?php

include ("config.php");

if(isset($_POST['submit'])){

   $Nmutilizador = mysqli_real_escape_string($conn, $_POST['username']);
   $pass = md5($_POST['Password']);
   $lvlacesso = $_POST['NivelAcesso'];

   $select = " SELECT * 
                FROM users 
                WHERE NmUtilizador = '$Nmutilizador' 
                && PalavraPasse = '$pass' ";

   $result = mysqli_query($conn, $select);

   if(mysqli_num_rows($result) > 0){
        $row = mysqli_fetch_array($result);

        if ($_SESSION['NivelAcesso'] == '1') { 
            // check the value of the 'status' in the db
            //go to admin area
            header("Location: indexadmin.php");
        } else {
            //go to members area
            header("Location: indexposlogin.php");  
        }
     
   }else{
      $error[] = 'incorrect email or password!';
   }
};
?>

I wanted, after validating the login, to redirect to a page depending on the access level. I would appreciate your help as soon as possible, thank you.

I'm new to PHP.

  • **Warning:** Your code is vulnerable to SQL Injection attacks. You should use parameterised queries and prepared statements to help prevent attackers from compromising your database by using malicious input values. http://bobby-tables.com gives an explanation of the risks, as well as some examples of how to write your queries safely using PHP / mysqli. **Never** insert unsanitised data directly into your SQL. The way your code is written now, someone could easily steal, incorrectly change, or even delete your data. – ADyson Jun 08 '22 at 16:07
  • https://phpdelusions.net/mysqli also contains good examples of writing safe SQL using mysqli. See also the [mysqli documentation](https://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php) and this: [How can I prevent SQL injection in PHP?](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Parameterising your queries will also greatly reduce the risk of accidental syntax errors as a result of un-escaped or incorrectly quoted input values. If you learnt your current technique from a tutorial or book, please don't use it again. – ADyson Jun 08 '22 at 16:07
  • Also, please don't store passwords using the obsolete, insecure md5 algorithm - that is another security risk. Learn about PHP's built-in, up-to-date, secure [password hashing and verification functions](https://www.php.net/manual/en/faq.passwords.php) instead. See also [How to use PHP's password_hash to hash and verify passwords](https://stackoverflow.com/questions/30279321/how-to-use-phps-password-hash-to-hash-and-verify-passwords) – ADyson Jun 08 '22 at 16:07
  • It looks like you have been following some really old, bad tutorial. Stop using it and find a modern one. And/or don't tackle logins as a beginner, it's too easy to badly get it wrong. Use a ready made module or framework and focus on adding some real value to your application's features, instead. – ADyson Jun 08 '22 at 16:08
  • First you assign `$lvlacesso = $_POST['NivelAcesso'];`, a variable that is never used. Then you check `if ($_SESSION['NivelAcesso'] == '1') {` a variable that doesn't exist. Do you mean to check `$row['NivelAcesso']` which would be the access level from the database matching a given user? Also, add `exit` after `header` to ensure code execution halts. – Markus AO Jun 08 '22 at 18:14

1 Answer

You don't start the session at the top, so your if statement will not work.

You need

session_start()

as the first command.

// $_SESSION['NivelAcesso'] will be null without session_start()
if ($_SESSION['NivelAcesso'] == '1') { // check the value of the 'status' in the db
    // go to admin area
    header("Location: indexadmin.php");
} else {
    // go to members area
    header("Location: indexposlogin.php");
}

} else {
    $error[] = 'incorrect email or password!';
}
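Putting the points raised in the comments and the answer together, here is an added example of what the login handler looks like once it is hardened. It is not the asker's code or the answer's code. It assumes that config.php defines a mysqli connection in $conn, that the users table keeps the column names from the question (NmUtilizador, PalavraPasse, NivelAcesso), that stored passwords were written with password_hash() rather than md5(), and that the mysqlnd driver is available for get_result(). The access level is read from the database row, never from the submitted form, and exit follows each header() redirect.

```php
<?php
// Hardened login handler (added example, not the code from the question or
// the answer). Assumptions: config.php creates $conn (mysqli); the users
// table has columns NmUtilizador, PalavraPasse, NivelAcesso; PalavraPasse
// holds password_hash() output; mysqlnd is installed so get_result() works.

session_start();          // must run before any $_SESSION access and before any output

include "config.php";

$error = [];

if (isset($_POST['submit'])) {
    $username = $_POST['username'] ?? '';
    $password = $_POST['Password'] ?? '';

    // Parameterised query: the username is bound as data, so it can never
    // change the structure of the SQL statement.
    $stmt = $conn->prepare(
        "SELECT NivelAcesso, PalavraPasse FROM users WHERE NmUtilizador = ?"
    );
    $stmt->bind_param("s", $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // null when no such user
    $stmt->close();

    // password_verify() checks the submitted password against the stored
    // hash using a constant-time comparison; it also rejects a missing row.
    if ($row !== null && password_verify($password, $row['PalavraPasse'])) {
        session_regenerate_id(true);   // fresh session id once the user is authenticated

        // The access level comes from the database row. $_POST['NivelAcesso']
        // is client-controlled and must not decide what the user may reach.
        $_SESSION['NivelAcesso'] = (int) $row['NivelAcesso'];
        $_SESSION['user']        = $username;

        if ($_SESSION['NivelAcesso'] === 1) {
            header("Location: indexadmin.php");     // admin area
        } else {
            header("Location: indexposlogin.php");  // members area
        }
        exit;   // header() does not stop the script; without exit the rest would still run
    }

    // One generic message for both "no such user" and "wrong password".
    $error[] = 'incorrect username or password!';
}
```

On the registration side the matching write is `password_hash($plainPassword, PASSWORD_DEFAULT)` stored into PalavraPasse; the column needs to be wide enough for the hash (PHP's manual suggests at least 255 characters so future algorithms still fit). Pages such as indexadmin.php must still call session_start() and check `$_SESSION['NivelAcesso']` themselves, because a redirect alone does not stop someone from requesting the admin URL directly.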