[RESOLVED] Best way to handle this?

painfull

I am looking for the best way to handle a user level type login check system.

What I have is a simple login page which asks for name and password, then checks that against what is in the database. Functioning well so far - logging in those who are in the DB, rejecting those who aren't, and letting you know if you got any part of the login wrong.

I need to add one more function to this login code: What level of user are you?
And therefor what page do I take you to from here...

To keep things simple until I master this new thing - I am only using 3 levels

Active
Admin
Inactive

I have tried a couple of ways, which don't work; perhaps because my latest version of PHP versus the 4 or so year old info I might be reading online. Maybe just because I don't fully understand formatting the code yet.... either way... I've taken on writing some of the code myself, hoping to get to a working model soon.

At first I tried using multiple else statements, then found the elseif statement, now I've found the switch function....

So far I have a bunch of other stuff in this page, but the login workings are as follows:

$check = mysql_query("SELECT * FROM users WHERE username = '".$_POST['username']."'")or die(mysql_error());

//Gives error if user dosen't exist
$check2 = mysql_num_rows($check);
if ($check2 == 0) {
header("Location: failed.php");
die();
exit;
}
while($info = mysql_fetch_array( $check ))
{
$POST['pass'] = stripslashes($POST['pass']);
$info['password'] = stripslashes($info['password']);
$POST['pass'] = md5($POST['pass']);

//gives error if the password is wrong
if ($_POST['pass'] != $info['password']){
header("Location: failed.php");
die();
exit;
}

From there I'd like to check the "status" of a user trying to login against the variable "status" (either: 'active', 'admin' or 'inactive' - respectively), which has been included in the DB entry for each user, - I mastered Radio buttons on my registration page yesterday to do that 😃

One thing I don't quite understand is where my array is being held by PHP... is it in $info or $check? From what I can tell $check = the original query, but $info - the output array - where I suspect my data might be.... then, I could be wrong... it might be in my shoe :s

Knowing that alone will probably help me a great deal... then how do I get this page to direct the user to one of 3 subsequent pages depending on the "status" in the array? ie: which method multiple else's, elseif's or a switch case?

If any extra code or info is needed I'll be back in a few hours to see what you fine people have added to this thread 😃

Thank you.

Xager

This ought to do it:

switch($user_level){
case 0:
    //Inactive
   header("Location:/login.php?error=inactive");
   break;

case 1:
    //Active
   header("Location:/success.php");
   break;

case 2:
    //Admin
   header("Location:/admin/");
   break;

default:
    //Something went VERY wrong
    header("Location:/superfail.php");
    break;
}

And you know how to use foreach() i presume, quite handy when dealing with arrays.

Oh, and it's not that recomended to have tables named "users" since if you get SQL-injected that is one thing that they might target. Try renaming it to "pagename_users"

halojoy

edit:
I was not aware Xager had posted a similar solution 🙂
I was busy working to see how I would do it.
So did not see his good advice until AFTER posted mine.
... actually you see we post a bit alike, don't we ......

/halojoy

hi.
You have a good code there.
I can not see why it shouldnt work.
You should add some small exit('exit reason'), just to see what is happening.

I suggest we start with this 'fixed code' below
and go from there:

For each user you will be able to use
and Column, FIELD of userdata, to control
-> what userlevel
-> what can be accessed
-> what page will be used for 'user group'

You can set a
$_SESSION['usertype'] = 'admin';
... after login
.. and this can be used in any page for session

Guest (not logged in')
Active
Admin
Inactive

<?php
//For DEBUG make sure we get Error NOTICES
ini_set('display_errors', 1);
error_reporting(2047);

//We activate $_SESSION variables, for use
session_start();

if(!isset($_POST['username'])){
    //form was not submitted
    exit('nothing posted');
}


//get posted values
$postusername = $_POST['username'];
$md5postpass  = md5(stripslashes($_POST['pass']));

$sql = "SELECT * FROM users WHERE username = '".$postusername."'";
$check = mysql_query($sql) or exit(mysql_error());

$check2 = mysql_num_rows($check);
if ($check2 == 0) {
    //Gives error if user dosen't exist
    //header("Location: failed.php");
    exit('no such user');
}

// get user data from DB to $info array
while($info = mysql_fetch_array( $check )){
    $infopass = stripslashes($info['password']);
    if ($infopass !== $md5postpass){
        //gives error if the password is wrong
        //header("Location: failed.php");
        exit('bad pass');
    }
}


// User is LOGGED IN alright!
// We use a switch to determine Action by UserGroup

$usergroup = $info['u_group']; // field 'group' or 'STATUS' in userdata

// Check which Group .. and do action accordingly
switch( $usergroup ) :

case 'admin' :
    //dothis
    $_SESSION['usertype'] = 'admin';
    header( 'location: admin.php' ); // send directly to admin page
    exit();
    break;

case 'inactive' :
    //dothis
    $_SESSION['usertype'] = 'inactive';
    break;

case 'active' :
default       :  //this is also the default, if not 1 of those 3
    //dothis
    $_SESSION['usertype'] = 'active';
    break;

endswitch;

// if not admin, send them all to 'index', after login
header( 'location: index.php' ); // send to index page

// end this script
exit();

?>

painfull

Thanks very much, both of you, for your informative replies.

I will be testing both of these suggestions very soon.

I'll get back to you with the results.

Thanks again...

painfull

This time with my full code.... :s

Are you ready for this... 😐

I have passed this through an online PHP Syntax Checker - no errors. No guarantee it works either 😃 Which it doesn't 🙁

My appologies to both of you, I didn't use the switch:case... because I was still confused after trying them both.

Xager, you had brackets and numbered cases: switch($user_level){ case 0:
Halojoy, you had no brackets and tagged cases: switch( $usergroup ) : case 'admin' :

Being new to PHP, I have no idea which one is technically correct, or if both of them are, or how to relate them to my current code... yep - n00b !

My deciding factor on this page redirection is a variable called 'status', so where to put that into your snipets had me stumped.

However... I have an ALMOST working model from what I had already coded and your help on what the $info variable held for me.... yes, I learned that from your examples... thank you.

The only thing it does wrong now is sends EVERYONE to the first 'if' clause - the Admin page. I've shuffled them around - and whichever 'if' I put first - everyone goes. So my code is not 'checking' the 'status'. It KNOWS the status, because I threw an - echo "Your status is $_STATUS<p>"; on the target page, it shows the correct status for each person logged in... including inactive - who SHOULDN'T be able to login - DOH! 😕

If a live test would help you see what is happening, I can arrange to have this page on a server for you to look at. Thank you.

So here's my code. I hope it's not just one big balls-up, which has to be re-written :s

<html>

<head>
<meta name="GENERATOR" content="Microsoft FrontPage 5.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title>AllStars - Login</title>
<script type="text/javascript">
window.onload=function() {
document.forms[0][0].focus();
}
</script>
</head>

<body>
<p align="center"> </p>
<p align="center"> </p>
<p align="center"> </p>
<p align="center"> </p>
<p align="center"><font face="Tahoma" size="6">
<a href="index.php">
<img border="0" src="star_logo.gif" width="284" height="292"></a></font></p>
<p align="center"><font face="Tahoma" size="6">Please Login</font></p>

<form action="<?php echo $_SERVER['PHP_SELF']?>" method="post">
<table border="0" width="100%" height="74">
<tr>
<td width="38%" height="22"> </td>
<td width="6%" height="22">Username:</td>
<td width="14%" height="22"><input type="text" name="username" maxlength="40" size="20"></td>
<td width="53%" height="22"> </td>
</tr>
<tr>
<td width="38%" height="22"> </td>
<td width="6%" height="22">Password:</td>
<td width="14%" height="22"><input type="password" name="pass" maxlength="50" size="20"></td>
<td width="53%" height="22"> </td>
</tr>
<tr>
<td width="38%" height="26"> </td>
<td width="6%" height="26"> </td>
<td width="14%" height="26">
<p align="center">
<input type="submit" name="submit" value="Login" style="float: right"></td>
<td width="53%" height="26"> </td>
</tr>
</table>
</form>
</body>

</html>

<?php
header("Cache-Control: no-cache, must-revalidate"); // HTTP/1.1
header("Expires: Mon, 26 Jul 1997 05:00:00 GMT"); // Date in the past

// Connects to your Database
mysql_connect("localhost", "login", "password") or die(mysql_error());
mysql_select_db("this_DB") or die(mysql_error());

//Checks if there is a login cookie
if(isset($_COOKIE['ID_my_site']))

//if there is, it logs you in and directes you to the members page
{
$username = $COOKIE['ID_my_site'];
$pass = $COOKIE['Key_my_site'];
$check = mysql_query("SELECT * FROM users WHERE username = '$username'")or die(mysql_error());
while($info = mysql_fetch_array( $check ))
{
if ($pass != $info['password'])
{
}
else
{
header("Location: main.php");
}
}
}

//if the login form is submitted
if (isset($_POST['submit'])) 
	{ //if form has been submitted
	// makes sure they filled it in
	if(!$_POST['username'] | !$_POST['pass'])
		{
		header("Location: failed.php");
		exit;
		}

	// checks it against the database

	if (!get_magic_quotes_gpc())
		{
		$_POST['email'] = addslashes($_POST['email']);
		}
	$check = mysql_query("SELECT * FROM users WHERE username = '".$_POST['username']."'")or die(mysql_error());

	//Gives error if user dosen't exist
	$check2 = mysql_num_rows($check);
	if ($check2 == 0)
		{
		header("Location: failed.php");
		exit;
		}
	else
		{
		while($info = mysql_fetch_array( $check ))
			{
			$_STATUS = $info['status'];

			$_POST['pass'] = stripslashes($_POST['pass']);
			$info['password'] = stripslashes($info['password']);
			$_POST['pass'] = md5($_POST['pass']);

			//gives error if the password is wrong
			if ($_POST['pass'] != $info['password'])
				{
				header("Location: failed.php");
				exit;
				}
			else
				if($_STATUS = 'admin')
					{
					$_POST['username'] = stripslashes($_POST['username']); 
					$hour = time() + 3600; 
					setcookie(ID_my_site, $_POST['username'], $hour); 
					setcookie(Key_my_site, $_POST['pass'], $hour);
					header("Location: admin.php");
					}
				elseif($_STATUS = 'active')
					{
					$_POST['username'] = stripslashes($_POST['username']); 
					$hour = time() + 3600; 
					setcookie(ID_my_site, $_POST['username'], $hour); 
					setcookie(Key_my_site, $_POST['pass'], $hour);
					header("Location: main.php");
					}
				elseif($_STATUS = 'inactive')
					{
					echo "inactive.php";
					exit;
					}




			}
		}
	}

Xager

Reason because everyone is sent to admin is because your are using = which is setting the value instead of checking. Anyways, here is my suggestion:

switch($_STATUS){
    case "admin":
        $_POST['username'] = stripslashes($_POST['username']);
        $hour = time() + 3600;
        setcookie(ID_my_site, $_POST['username'], $hour);
        setcookie(Key_my_site, $_POST['pass'], $hour);
        header("Location: admin.php");
        break;

case "active":
    $_POST['username'] = stripslashes($_POST['username']);
    $hour = time() + 3600;
    setcookie(ID_my_site, $_POST['username'], $hour);
    setcookie(Key_my_site, $_POST['pass'], $hour);
    header("Location: main.php");
    break;

case inactive:
    header("Location: inactive.php");
    break;

default:
    header("Location: failed.php");
}

And instead of using if and else around the whole code just do if's with a exit;

EDIT: I just noticed that you are using html code before the php code which means you cannot use header(), this has to be called before any HTML

painfull

Thank you Xager, for picking out that mistake and for clarifying your code.

That worked a treat!

I also moved the php code to outside the <body> and it's working perfectly.

Now, on to create an Admin page that can edit users 😃

Wish me luck!

Thanks agian!

halojoy

painfull wrote:
Thank you Xager, for picking out that mistake and for clarifying your code.
That worked a treat!

I also moved the php code to outside the <body> and it's working perfectly.
Now, on to create an Admin page that can edit users 😃
Wish me luck!
Thanks agian!

Glad you did it .. with the good help of Xager ( welcome as a Helper, Xager 🙂 )

There is a link in 'Thread Tools' .. Marked Resolved.
If you need more assistance with your coding .. make another topic.

Regarding
switch() { or: switch () :
They are both CORRECT. Use what you fancy the best.

Regards
halojoy

Xager

halojoy wrote:
Glad you did it .. with the good help of Xager ( welcome as a Helper, Xager 🙂 )

Thank you =)
A a forum like this you learn alot and at the same time you can help people 😃

halojoy

Xager wrote:
Thank you =)
A a forum like this you learn alot and at the same time you can help people 😃

🙂

True True
.. I have learnt so much here
.. and I give it back to others ... 'SHARING', you know
regars
halojoy

painfull

Hi guys,

Hope you get this now that we've marked 'Resolved'.

Thank you both, again, very much... I now have a beautifully working login page which re-directs correctly! As a (self)test I have put echos on the target pages that pull data both from the database and from the session cookies.

Halojoy - I've managed to stumble my way through learning to use sessions!

Wonderful stuff!!

I have one last question for this thread if I may....

I was wondering if I still need to set cookies as users logged in successfuly... or should I rely on sessions now? I know I can set and destroy both, but I'm not sure which one is more secure. I know the code for sessions is smaller 😃

Thanks very much... hope you get this. I tried to PM you - not allowed 🙁

Cheers

Xager

Sessions are safer then cookies since a user can't access them.

If you want a "Stay logged in" feature just generate a random string which is stored in the database and in the cookie, if both the cookie and the DB string match then the user is logged in.

Never store a hash in the cookie as people can brute force or check a rainbow table for it.

halojoy

painfull wrote:
Halojoy - I've managed to stumble my way through learning to use sessions!
Wonderful stuff!!

Thanks very much... hope you get this.

I tried to PM you - not allowed 🙁
Cheers, P.

Yes, I use SESSION whenever want to serve online users, logged in or not.
You can store his/her personal preferences, userlevel, language .. whatever.
And so use this data to make a custom page for him/her.
There are plenty of Topics discussing and coding SESSION

if you search our board.

If you mean me, PM should be possible.
I got a personal request for information/advice, yesterday from another person!
I may not be able to answer all my PM,
but then .. you can ask in forum.
Make a new topic for each new subject.
Thanks!

Regards 🙂
halojoy