I am working on the user side of a new webapp. Am coding using php on netbeans. I have a situation as below:
Background:I like the first page (index.php) to have the login page (with link to recover the password if forgotten only). After successful login, user must be checked if is admin or not. If admin, user is given other pages like register and view users with links to edit or delete user accounts. If user is not admin, link is given to perform other normal activities on the app including managing their account (like password change only…)
My problems are below:
i) creating that initial admin account to be used to create the users (either admin or normal user) , whose details will be communicated to them (users) via some other means…(since the app is in-house).
ii) integrating the login on the first page (index.php), and after successful login, user is redirected to respective pages based on their rights and if not successful, user is returned to index.php to login (ofcourse with details of any encountered error).
What exactly is the problem you’re having here?
Can’t you just use the registration form the admin will use to add users?
ii) integrating the login on the first page (index.php), and after successful login, user is redirected to respective pages based on their rights and if not successful, user is returned to index.php to login (ofcourse with details of any encountered error).
I usually have a single entry point (index.php). Then all I have to do is check if the user is logged in, and if he has the right authorisation to view the page requested. If the user isn’t logged in, show the login form. If he hasn’t got the right authorisation, display an error or whatever you want to do in that situation.
Thanks Guido for tip…
My main problem is managing login from the single entry (index.php). I have so far a login script (login.php) as below:
<?php
//PHP Script - login.php
include ('../mysqli_connect.php');
if(isset ($_POST['submit']))
{
$username = strip_tags($_POST['username']);
$username = mysql_escape_string($username);
$password = strip_tags($_POST['pwd']);
$password = mysql_escape_string($password);
if($username == "" OR $password == "")
{
echo "Either username or password field is empty.";
echo "<br />";
echo "<a href='index.php'>Return to login page</a>";
}
else
{
$sql = "SELECT * FROM users WHERE user_name ='$username'AND pass = SHA1
('$password')";
$res = mysqli_query($dbc, $sql) or die (mysqli_error($dbc)); //line 45
$row = mysqli_fetch_assoc($res, MYSQLI_ASSOC);//line 46
if(is_array($row) && !empty ($row))
{
$validuser = $row['user_name'];
$_SESSION['valid'] = $validuser;
}
else {
echo "Invalid username or password.";
echo "<br />";
echo "<a href='index.php'>Return to login page</a>";
}
}
}
?>
I have a problem with this code as well. Brief description below:
When I introduce
or die (mysqli_error($dbc));
on line 45, I get the error below:
Unknown column 'user_name' in 'where clause'
When I take out the die(); on line 45, I get the error below after running it:
Warning: mysqli_fetch_assoc() expects exactly 1 parameter, 2 given in D:\\USBWebserver v8_en\\root\\login\\login.php on line 46
With these errors, I can’t log in using a superadmin account i created during the DB design. If I can log in, then l have to add some user check after successful login so they are redirected to the right page based on their user level.
If that is the users table, it looks like the user_name column does exist. Strange. Try putting a space before AND.
Another thing to try: echo $sql, and run it in phpMyAdmin. What result does that give?
The second error is quite clear: mysqli_fetch_assoc() has only 1 parameter. Eliminate MYSQLI_ASSOC
Adding the extra space before AND gives the same error.
When I run query in phpmyadmin, $sql is successful (as below):
SELECT *
FROM users
WHERE user_name = 'user1' #this is $username entered in login form
AND pass = SHA1( 'userwims11' ) #this is $password entered in login form
LIMIT 0 , 30;
And you copied and pasted that query from the echo of $sql ? You didn’t fill in the name and password by hand?
In your code, the query is on one line. The query you posted now is formatted on more lines. Just copy and paste the query that is echoed and run it as is.
I meant you have to add the following statement to your PHP code:
echo $sql;
so the actual query that is being executed will be displayed in your browser.
Copy the query displayed in your browser, and run it in phpMyAdmin. No need to insert the value of user_name and pass, because they will already be there.
Can’t you just copy and paste the query you see in your browser?
Anyway, if the same identical query works fine in phpMyAdmin, and it doesn’t in your script, then I really have no idea why. Are you sure you’re connecting to the right database?