I am trying to create a login page that will send the user to a different index.php page based on their login credentials. For example, should a user with the “IT Technician” role log in, they will be sent to “index.php”, and if a user with the “Student” role log in, they will be sent to the “student/index.php” page.
I can’t see what’s wrong with my code, but it’s not working… I’m getting the “wrong login credentials” message every time I press the login button.
My code for the user login page is here:
<?php
session_start();
if (isset($_SESSION["manager"])) {
header("location: http://www.zuluirminger.com/SchoolAdmin/index.php");
exit();
}
?>
<?php
if (isset($_POST["username"]) && isset($_POST["password"]) && isset($_POST["role"])) {
$manager = preg_replace('#[^A-Za-z0-9]#i', '', $_POST["username"]);
$password = preg_replace('#[^A-Za-z0-9]#i', '', $_POST["password"]);
$role = preg_replace('#[^A-Za-z0-9]#i', '', $_POST["role"]);
include "adminscripts/connect_to_mysql.php";
$sql = mysql_query("SELECT id FROM Users WHERE username='$manager' AND password='$password' AND role='$role' LIMIT 1");
$existCount = mysql_num_rows($sql);
if (($existCount == 1) && ($role == 'IT Technician')) {
while ($row = mysql_fetch_array($sql)) {
$id = $row["id"];
}
$_SESSION["id"] = $id;
$_SESSION["manager"] = $manager;
$_SESSION["password"] = $password;
$_SESSION["role"] = $role;
header("location: http://www.zuluirminger.com/SchoolAdmin/index.php");
} else {
echo 'Your login details were incorrect. Please try again <a href="http://www.zuluirminger.com/SchoolAdmin/index.php">here</a>';
exit();
}
}
?>
<?php
if (isset($_POST["username"]) && isset($_POST["password"]) && isset($_POST["role"])) {
$manager = preg_replace('#[^A-Za-z0-9]#i', '', $_POST["username"]);
$password = preg_replace('#[^A-Za-z0-9]#i', '', $_POST["password"]);
$role = preg_replace('#[^A-Za-z0-9]#i', '', $_POST["role"]);
include "adminscripts/connect_to_mysql.php";
$sql = mysql_query("SELECT id FROM Users WHERE username='$manager' AND password='$password' AND role='$role' LIMIT 1");
$existCount = mysql_num_rows($sql);
if (($existCount == 1) && ($role == 'Student')) {
while ($row = mysql_fetch_array($sql)) {
$id = $row["id"];
}
$_SESSION["id"] = $id;
$_SESSION["manager"] = $manager;
$_SESSION["password"] = $password;
$_SESSION["role"] = $role;
header("location: http://www.zuluirminger.com/SchoolAdmin/student/index.php");
} else {
echo 'Your login details were incorrect. Please try again <a href="http://www.zuluirminger.com/SchoolAdmin/index.php">here</a>';
exit();
}
}
?>
And the form that the data is pulled from is shown here:
<form id="LoginForm" name="LoginForm" method="post" action="http://www.zuluirminger.com/SchoolAdmin/user_login.php">
User Name:<br />
<input type="text" name="username" id="username" size="50" /><br />
<br />
Password:<br />
<input type="password" name="password" id="password" size="50" /><br />
<br />
Log in as:
<select name="role" id="role">
<option value="">...</option>
<option value="Head">Head</option>
<option value="Deputy Head">Deputy Head</option>
<option value="IT Technician">IT Technician</option>
<option value="Pastoral Care">Pastoral Care</option>
<option value="Bursar">Bursar</option>
<option value="Secretary">Secretary</option>
<option value="Housemaster">Housemaster</option>
<option value="Teacher">Teacher</option>
<option value="Tutor">Tutor</option>
<option value="Sanatorium Staff">Sanatorium Staff</option>
<option value="Kitchen Staff">Kitchen Staff</option>
<option value="Parent">Parent</option>
<option value="Student">Student</option>
</select><br />
<br />
<input type="submit" name = "button" id="button" value="Log In" onclick="javascript:return validateLoginForm();" />
</h3>
</form>
Once logged in (and should the correct page be loaded, the validation code I have at the top of the script looks like this:
<?php
session_start();
if (!isset($_SESSION["manager"])) {
header("location: http://www.zuluirminger.com/SchoolAdmin/user_login.php");
exit();
}
$managerID = preg_replace('#[^0-9]#i', '', $_SESSION["id"]);
$manager = preg_replace('#[^A-Za-z0-9]#i', '', $_SESSION["manager"]);
$password = preg_replace('#[^A-Za-z0-9]#i', '', $_SESSION["password"]);
$role = preg_replace('#[^A-Za-z0-9]#i', '', $_SESSION["role"]);
include "adminscripts/connect_to_mysql.php";
$sql = mysql_query("SELECT id FROM Users WHERE username='$manager' AND password='$password' AND role='$role' LIMIT 1");
$existCount = mysql_num_rows($sql);
if ($existCount == 0) {
header("location: http://www.zuluirminger.com/SchoolAdmin/index.php");
exit();
}
?>
Just so you’re aware, the database table has the following fields: id, username, password and role.
Any help would be greatly appreciated!
Many thanks,
Zulu
This is a classic debugging situation, in which you can temporarily output intermediate data is see what is going wrong. There are a few improvements you can make to the code to make this easier.
SELECTtwice, and doing user input filtering twice. This is unnecessary. Reduce this to one block – it will make your code much more compact.Rather than putting code inside mysql functions, I think this is better:
Now you can uncomment the
echoline and see if the SQL is correct. Run it against the database manually to check, and then remove it when you’re happy.header('Location: ...')i.e. with an upper-case ‘L’. Your way will work, but this way is more correct.exit(). This is because PHP will keep on running the script normally until the server realises that the user has disconnected – and you want to be kind to your server:)."/SchoolAdmin/index.php", which will save you hard-wiring your website address.You don’t need to check all the
$_POSTvars before you do your database op. It’s fine just to do this:Much neater, and does the same thing!
define('ROLE_IT_TECH', 'IT Technician');in a common include file. You can then reference it in your login code and in your login form, so you know you are always using the same value in all use-cases.include_oncerather thaninclude, so PHP ignores any repeated include statements.