Hi guys, I wonder if anyone here can assist me - I am creating a form for user login and admin login on the same page. The only difference is that when the user logs in, it will redirect them to the index page, where they can only view, create and edit their own details within the department they are in. The admin can do everything.

I have created the login form but I do not know how I can create the admin login on it. Can you please help me out?

Here is the login.php form. (Users who have not registered will click the register link, which redirects them to the registration form and back to the login page. But the admin password and username are set, e.g. Username: admin, PW: 123456.)

<?php

if (isset($_POST['submit'])) {

$username = (isset($_POST['username'])) ? $_POST['username'] : '';
$password = (isset($_POST['password'])) ? $_POST['password'] : '';

if($username && $password) {

    $connect = mysql_connect("localhost", "root", "") or die ("Couldn't connect!");
    mysql_select_db("friendsdb") or die ("Couldn't find the DB");

    $query = mysql_query ("SELECT * FROM `user` WHERE username = '$username'");

    $numrows = mysql_num_rows($query);


    if ($numrows != 0){

        while ($row = mysql_fetch_array($query)) {

            $dbusername = $row['username'];
            $dbpassword = $row['password'];
        }

        //Check to see if they are match!
            if ($username == $dbusername && md5($password) == $dbpassword) {
                echo "You are in! <a href = 'member.php'> Click </a> here to enter the member page!";

                $_SESSION['username'] = $username;
            }
            else    
                echo "Incorrect password!";
        //code of login

    }else
    echo "That user does not exist!";

    //echo $numrows;
}
else
echo "Please enter a username and password!";
}
?>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
<title>Untitled Document</title>
</head>

<body>
<form action="<?php echo $_SERVER['PHP_SELF'];?>" method="post">
<!--form action="login.php" method="post"-->
    Username: <input type="text" name="username" /><br />
    Password: <input type="password" name="password"  /><br />

<input type="submit" name="submit" value="Log in"  />
</form> <p>

<a href="register.php">Register?</a>
</body>
</html>

    Assuming that you have an admin column in your DB to know whether they are admin or not, you can just add one more conditional statement to check for admin:

    <?php
    
    if (isset($_POST['submit'])) {
    
    $username = (isset($_POST['username'])) ? $_POST['username'] : '';
    $password = (isset($_POST['password'])) ? $_POST['password'] : '';
    
    if($username && $password) {
    
        $connect = mysql_connect("localhost", "root", "") or die ("Couldn't connect!");
        mysql_select_db("friendsdb") or die ("Couldn't find the DB");
    
        $query = mysql_query ("SELECT * FROM `user` WHERE username = '$username'");
    
        $numrows = mysql_num_rows($query);
    
    
        if ($numrows != 0){
    
            while ($row = mysql_fetch_array($query)) {
    
                $dbusername = $row['username'];
                $dbpassword = $row['password'];
                $dbadmin = $row['admin_column'];
            }
    
            //Check to see if they are match!
                if ($username == $dbusername && md5($password) == $dbpassword) {
                    $_SESSION['username'] = $username;
                    if ($dbadmin) {
                        header('Location: /admin-area/');
                    } else {
                        header('Location: /member-area');
                    }
                    exit; // stop here so nothing else runs after the redirect header
                }
                else    
                    echo "Incorrect password!";
            //code of login
    
        }else
        echo "That user does not exist!";
    
        //echo $numrows;
    }
    else
    echo "Please enter a username and password!";
    }
    ?> 
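
An added example, not part of any post in this thread: the same admin-column check written with PDO bound parameters and password_hash()/password_verify() in place of mysql_* and md5(). The in-memory SQLite table, the sample accounts and the function names authenticate(), redirect_target() and is_admin_session() are assumptions made so the block runs offline; the column names and redirect paths follow the posts above.

```php
<?php
declare(strict_types=1);
// Constructed demo data: in-memory SQLite stands in for the thread's MySQL
// `user` table so this runs offline. Column names follow the thread.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, name TEXT, username TEXT UNIQUE,
           password TEXT, admin INTEGER NOT NULL DEFAULT 0, date TEXT)');
$ins = $db->prepare('INSERT INTO user (name, username, password, admin, date)
                     VALUES (?, ?, ?, ?, ?)');
foreach ([['Site Admin', 'admin', 'constructed-admin-pw', 1],
          ['Jo Member', 'jo', 'constructed-user-pw', 0]] as [$name, $user, $pw, $isAdmin]) {
    $ins->execute([$name, $user, password_hash($pw, PASSWORD_DEFAULT), $isAdmin, date('Y-m-d')]);
}

/** Returns the session data for a valid login, or null on any failure. */
function authenticate(PDO $db, string $username, string $password): ?array
{
    // Bound parameter: the submitted username never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT username, password, admin FROM user WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Same result for an unknown user and a wrong password; the stored hash is salted.
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    // The role is read from the database row, never from the request.
    return ['username' => $row['username'], 'is_admin' => (int) $row['admin'] === 1];
}

/** Redirect target for login.php; the paths are the ones used in the answer. */
function redirect_target(array $session): string
{
    return $session['is_admin'] ? '/admin-area/' : '/member-area';
}

/** Every admin page runs this check itself: the redirect alone protects nothing. */
function is_admin_session(array $session): bool
{
    return ($session['is_admin'] ?? false) === true;
}

// login.php would then run: session_start(); session_regenerate_id(true);
// $_SESSION['user'] = $auth; header('Location: ' . redirect_target($auth)); exit;
foreach ([['admin', 'constructed-admin-pw'], ['jo', 'constructed-user-pw'],
          ['jo', 'wrong-password']] as [$u, $p]) {
    $auth = authenticate($db, $u, $p);
    echo $u, ' => ', $auth ? redirect_target($auth) : 'login failed', "\n";
}
```

A password_hash() value needs a password column of at least 60 characters (255 leaves room for future algorithms), which is wider than the 32 characters an md5() digest uses.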

      Thanks samuelcook,

      My DB tables are:

      TABLE USER contains fields: id, name, username, password, admin, date.
      TABLE PERSON contains fields: id, dept_id, name, surname, address, email, mobile
      TABLE DEPT contains fields: id, dept_name
      Note: dept.id = person.dept_id

      New users have to register first; then, once they log in, it will redirect them to the member-area page, which contains create user details (name, surname, address, email, mobile). They also have to choose from the select option which dept they are in.

      Is my DB okay for creating an admin login? Do I have to set the value for admin as 1 and user = 0, or something? There is only one admin here but there can be a lot of users.

      Please explain to me if the code above will work on this. Thanks.

        It is my recommendation to have a separate admin table and then just query each table to check for the username, but yes, what you have will do, by checking admin=1 user=0, and will probably serve up much faster since you loop through all possible outputs.

          I see, so if I have a separate admin table, is it going to be like this, e.g.:

          Table Admin: fields: id, admin, username, password?

          And if I have the same table for both (user and admin), how will the login code change? Any suggestions, please?

            Unless information about admin users is radically different than regular users, I don't see why you would want to have a separate table for them (in fact, I can think of a few reasons why you wouldn't want that).

              Thanks bradgrafelman,

              I am a little bit confused here - on my USER Table I have fields: id, name, username, password, date and admin.

              I want to set the admin username: admin, password: 123456 - but when I click the register link and register the admin into the DB, then go back to the login page and enter all the details, it says that the user does not exist. I don't understand why.

              Here is my register page php:

              <?php
              
              require 'includes/application_top.php';
              
              $submitok = (isset($_POST['submitok'])) ? $_POST['submitok'] : ''; 
              $fullname = (isset($_POST['fullname'])) ? $_POST['fullname'] : ''; 
              $username = (isset($_POST['username'])) ? $_POST['username'] : ''; 
              $password = (isset($_POST['password'])) ? $_POST['password'] : ''; 
              $repeatpassword = (isset($_POST['repeatpassword'])) ? $_POST['repeatpassword'] : ''; 
              
              $date = date ("Y-m-d");
              
              
              if ($submitok) {
              
              	//open DB
              	$connect =mysql_connect ("localhost","root","");
              	mysql_select_db("friendsdb"); //Select DB
              
              	$namecheck = mysql_query ("SELECT username FROM `user` WHERE username = '$username'");
              	$count = mysql_num_rows($namecheck);
              
              	//echo $count;
              	if ($count != 0) {
              
              		die("Username already taken");
              
              	}
              
              	//check for existance
              	if ($fullname&&$username&&$password&&$repeatpassword) {
              
              
              
              		if ($password == $repeatpassword){
              			//Check char length of usename and fullname
              				if (strlen($username) > 25 || strlen ($fullname) > 25){
              
              					echo "Length of username or fullname too long";
              				}
              				else
              				{
              					//Check password lenght
              						if (strlen ($password) > 25 || strlen($password) < 6){
              
              							echo "Passsword must be between 6 to 25 chars!";
              						}
              						else
              						{
              							//register the user!
              
              							//Encrypted pasword
              							$password = md5($password);
              							$repeatpassword = md5($repeatpassword);
              							//echo "Sucesss!";
              
              
              							$queryreg=mysql_query ("
              
              							INSERT INTO user VALUES ('','$fullname','$username','$password','$date')
              							");
              
              							header ("Location: login.php");
              							//die ("You have been registered! <a href = 'index_a.php'>Return to login page</a>");
              						}
              				}
              
              		}else
              			echo "Your password do not match!";
              	}else
              		echo "Please fill in <b>all</b> fields!";
              
              //echo "$username/$fullname/$password";
              }
              ?>
              
              <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
              <html xmlns="http://www.w3.org/1999/xhtml">
              <head>
              <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1" />
              <title>Untitled Document</title>
              </head>
              
              <body>
              <br />
              <div align="center">
              <h2>New User Registration Form</h2>  
              <p><font color="orangered" size="+1"><tt><b>*</b></tt></font>
              indicates a required field</p> <form action="register.php" method="POST"> <table border="0" cellpadding="0" cellspacing="5"> <tr>
              <td align="right">
              <p>Your full name</p> </td>
              <td>
              <input name="fullname" type="text" maxlength="100" size="25" />
              <font color="orangered" size="+1"><tt><b>*</b></tt></font> </td>
              </tr> <tr>
              <td align="right">
              <p>Choose a username</p> </td>
              <td>
              <input name="username" type="text" maxlength="100" size="25" />
              <font color="orangered" size="+1"><tt><b>*</b></tt></font> </td>
              </tr> <tr>
              <td align="right">
              <p>Choose a password</p> </td>
              <td>
              <input name="password" type="password" maxlength="100" size="25" />
              <font color="orangered" size="+1"><tt><b>*</b></tt></font> </td>
              </tr> <tr>
              <td align="right">
              <p>Repeat your password</p> </td>
              <td>
              <input name="repeatpassword" type="password" maxlength="100" size="25" />
              <font color="orangered" size="+1"><tt><b>*</b></tt></font> </td>
              </tr> <tr>
              <td align="right" colspan="2">
              <hr noshade="noshade" />
              <p><a href="login.php"> <input name="submit" type="submit" value="Back"/> </a> <input type="reset" value="Reset Form" />
              <input type="submit" name="submitok" value="Register" />
              </p> </td>
              </tr>
              </table> </form> </div> </body> </html>

                It's probably this line:

                $namecheck = mysql_query ("SELECT username FROM `user` WHERE username = '$username'");

                where you are only getting the username. You need to get username, password, admin or simply *.

                  I have changed them to these:

                  $namecheck = mysql_query ("SELECT `username` FROM `user` WHERE `username` = '$username' AND `password` = '$password'");
                  

                  Also I tried this,

                  $namecheck = mysql_query ("SELECT *  FROM `user` WHERE `username` = '$username' AND `password` = '$password'");
                  

                  Still, when I go back to the login page and enter Username: admin, Password: 123456, then click the log in button, it gives me the error msg "That user does not exist! ".

                  Do you think I need to add another form selection option on my register form page, e.g.:

                  Admin [Yes][No] (Selection option)

                  EDIT:

                  I thought we need to 'set' these values of admin username and password in our code?

                    It has to be something simpler than you think.
                    It could be because you are using mysql_fetch_array rather than mysql_fetch_assoc on your login page.

                      Well, I tried changing that to mysql_fetch_assoc, but still, when I tried to log in once I had registered the admin and password, it gave me the error msg "That user does not exist! ".

                      I think there is something wrong and missing.... can anyone please help me out?
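
An added example, not part of any post in this thread: the USER table listed earlier has six columns (id, name, username, password, admin, date), while the INSERT in register.php supplies five values and never checks the result, so an insert the database rejects still redirects to login.php with no row written. The sketch below makes that failure visible and registers with named columns and admin fixed to 0, so the registration form can never create an admin; the in-memory SQLite table and the function names are assumptions made so it runs offline.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the thread's six-column `user` table (in-memory SQLite
// so the example runs offline; the thread itself uses MySQL).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // failed queries throw
$db->exec('CREATE TABLE user (id INTEGER PRIMARY KEY, name TEXT, username TEXT UNIQUE,
           password TEXT, admin INTEGER NOT NULL DEFAULT 0, date TEXT)');

/** Positional INSERT shaped like the one in register.php: five values, six columns. */
function positional_insert(PDO $db): string
{
    try {
        $db->prepare("INSERT INTO user VALUES ('', ?, ?, ?, ?)")
           ->execute(['Site Admin', 'admin', 'hash-placeholder', date('Y-m-d')]);
        return 'inserted';
    } catch (PDOException $e) {
        return 'rejected: ' . $e->getMessage();
    }
}

/** Named columns with admin fixed to 0; returns false if the username is taken. */
function register_user(PDO $db, string $fullname, string $username, string $password): bool
{
    $stmt = $db->prepare('INSERT INTO user (name, username, password, admin, date)
                          VALUES (?, ?, ?, 0, ?)');
    try {
        return $stmt->execute([$fullname, $username,
                               password_hash($password, PASSWORD_DEFAULT), date('Y-m-d')]);
    } catch (PDOException $e) {
        if ((string) $e->getCode() === '23000') { // integrity constraint: duplicate username
            return false;
        }
        throw $e; // anything else is a real fault and must not be hidden
    }
}

function user_count(PDO $db): int
{
    return (int) $db->query('SELECT COUNT(*) FROM user')->fetchColumn();
}

echo positional_insert($db), "\n";   // outcome of the five-value insert
echo user_count($db), "\n";          // rows in the table after that attempt
var_dump(register_user($db, 'Jo Member', 'jo', 'constructed-pw'));
var_dump(register_user($db, 'Jo Again', 'jo', 'constructed-pw')); // same username again
echo user_count($db), "\n";
```

The single admin account is then created by setting admin = 1 on that row directly in the database, not through the public registration form.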
