Php admin area

r2ks

I have a Mysql data base with say 3 login fields username, password and admin ( which is level 0 or 1
if the user logs in i would like a admin user to goto a and a Guest to go to b area this is what i have so far ???

// Create query
 $q = "SELECT * FROM users WHERE USERNAME = '".$USERNAME."' AND PASSWORD = '".md5($PASSWORD)."'and ADMIN= '".$ADMIN."' LIMIT 1"; 
 // Run query
 $r = mysql_query($q);




 if ( $obj = @mysql_fetch_object($r) )
  {
  // Login good, create session variables
  $_SESSION["valid_id"] = $obj->id;
  $_SESSION["valid_user"] = $_POST["username"];
  $_SESSION["valid_time"] = time();
  $_SESSION["valid_admin"] = "$admin";

 // Redirect to member page




 Header("Location: members1.php");
  }
 else
  {
  // Login not successful
  die("Sorry, could not log you in. Wrong login information.<a href=\"index.php\">PLEASE Sign Back in</a>");

   }
   }
else
 {
//If all went right the Web form appears and users can log in
 echo "<form action=\"?op=login\" method=\"POST\">";
 echo "Username: <input name=\"username\" size=\"15\"><br />";
 echo "Password: <input type=\"password\" name=\"password\" size=\"15\"><br />";
 echo "<input type=\"submit\" value=\"Login\">";
 echo "</form>";

 }

djjjozsi

bad.

if you want one user information, never fetch with a while.

its a bad design to select the user + password and admin rights, why is it need to ask $admin?

<?php

$q = sprintf( "SELECT * FROM users WHERE USERNAME = '%s' LIMIT 1" , mysql_real_escape_string( $USERNAME ) ); 
// Run query
$r = mysql_query( $q ) or die( "error..." );
if ( mysql_num_rows( $r ) == 1 ) {
    $row = mysql_fetch_object( $r );
    if ( $row->PASSWORD == md5( $PASSWORD ) ) {
        $_SESSION["un"] = $row->USERNAME;
        $_SESSION["ud"] = $row->userid;
        $_SESSION["time"] = time();
        $_SESSION["admin"] = $row->ADMIN;

    $page=(empty($row->ADMIN) ? "member.php":"admin.php");
    header("Location: $page");

} else
    die( "access denied/wrong password" );
} else
    die( "access denied/no user" );

?>

r2ks

Thank you ( I am a newbie to PHP as you can see ) I tried what you suggested and i get this message

access denied/wrong password
No matter what i do

djjjozsi

$PASSWORD has md5() before? if yes remove the md5() from the IF condition.

before query: print $PASSWORD ;

after the IF condition to test the values:

print md5($PASSWORD) . "<br />";
print "<pre>";
print_r($row);
print "</pre>";