Admin User Login

bulbul4u

Hey All,

I got admin user login system in asp.net, but I need the same using php.
Could anyone write me the below code using php?

Note: Don't worry about the database connection, because I already got connected to the database.

Dim memberID, pword As String

    memberID = txtUsername.Text
    pword = txtPassword.Text

    lblError.Text = ""

    If memberID = "" Or pword = "" Then
        lblError.Text = "Please enter the username/password"

    Else
        Dim DBConnection As SqlConnection = New SqlConnection()
        Dim DBCommand As SqlCommand = New SqlCommand()

        Dim SQLString As String
        Dim DBConnString As String
        Dim sRight As String

        DBConnString = ConfigurationManager.ConnectionStrings("MyDbConn2").ConnectionString
        DBConnection.ConnectionString = DBConnString
        DBCommand.Connection = DBConnection


        SQLString = "SELECT Rights FROM member " & _
              "WHERE MemberId = '" & memberID & "' " & _
              "AND Password = '" & pword & "'"
        DBCommand.CommandText = SQLString
        DBCommand.CommandType = CommandType.Text

        DBCommand.Connection.Open()
        sRight = DBCommand.ExecuteScalar()

        If Not sRight Is Nothing Then
            'Do processing here'

            Select Case sRight.ToString().Trim()
                Case "administrator"
                    Response.Redirect("menuadministrator.aspx")
                Case "member"
                    Response.Redirect("menumembers.aspx")
            End Select
        Else
            lblError.Text = "Invalid UserName or Password"
        End If
    DBConnection.Close()

    End If

dagon

bulbul4u;10975542 wrote:
I got admin user login system in asp.net, but I need the same using php.
Could anyone write me the below code using php?

No, but if you want to learn to do it your self we will help.

bulbul4u

Sounds good. I will come up with something then you guys can help me edit it.

bulbul4u

I followed one youtube video and got the below code. It is perfects for the members, but I need atleast 3 admins.
How can I add admin so that he can be directed to a different page now?

<?
$host = "localhost";
$username = "myusername";
$password = "mypwd";
$db_name = "mydb";
$tbl_name = "members";

mysql_connect ($host, $username, $password) or die ("can't connect");
mysql_select_db($db_name) or die (mysql_error ());

$myusername = $POST ['myusername'];
$mypassword = $POST ['mypassword'];

$sql = "SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result = mysql_query($sql);

$count = mysql_num_rows ($result);

if($count==1) {
session_register("myusername");
session_register("mypassword");
header("location:login_success.php");
}
else {
echo "Wrong Username or Password";
}
?>

Bjom

This is actually pretty far from perfect, not to say horrible. It's wide open to all forms of attacks, foremost sql injection (and the coding style is questionable too).

Do use mysqli and prepared statements for the DB connection/query part.

Don't use deprecated functions like session_register

To answer your question:

In your DB the information whether someone is an admin or not is stored somewhere, right? Rertrieve it in your select statement then redirect conditionally.

if($isAdmin==1){
    header("location:login_admin.php");

} else {
    header("location:login_user.php");
}

this article might give you some further inspiration as what to do. While the code might not be completely up to date, they touch a few interesting issues.

hth

Bjom

bulbul4u

I have my database tables on phpmyadmin online.
Since I did not know if $IsAdmin will work, I tried the below code. It did not work either.

<?
$host = "localhost";
$username = "myusername";
$password = "mypwd";
$db_name = "mydb";
$tbl_name = "members";

mysql_connect ($host, $username, $password) or die ("can't connect");
mysql_select_db($db_name) or die (mysql_error ());

$myusername = $POST ['myusername'];
$mypassword = $POST ['mypassword'];
$rights = $_POST ['rights'];

$sql = "SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'" rights='$rights'";
$result = mysql_query($sql);

$count = mysql_num_rows ($result);

if($count==1 and $rights='admin') {
session_register("myusername");
session_register("mypassword");
header("location:admin.php");
}
elseif ($count==1 and $rights='user') {
session_register("myusername");
session_register("mypassword");
header("location:user.php");
}

else {
echo "Wrong Username or Password";
}
?>

Admins needs to be directed to admin.php and
users needs to be directed to user.php else
it should say wrong username or password.

bulbul4u

I tried below code and I keep on getting "Wrong Username or Password" even if I enter the right username and password.

<?
$host = "localhost";
$username = "myusername";
$password = "mypwd";
$db_name = "mydb";
$tbl_name = "members";

mysql_connect ($host, $username, $password) or die ("can't connect");
mysql_select_db($db_name) or die (mysql_error ());

$myusername = $POST ['myusername'];
$mypassword = $POST ['mypassword'];
$rights = $_POST ['rights'];

$sql = "SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword' rights='$rights'";
$result = mysql_query($sql);

$count = mysql_num_rows ($result);

if(($count==1)
&& ($rights=='admin')) {
session_register("myusername");
session_register("mypassword");
header("location:admin.php");
}
elseif (($count==1)
&& ($rights='user')) {
session_register("myusername");
session_register("mypassword");
header("location:user.php");
}

else {
echo "Wrong Username or Password";
}
?>

Bjom

Because your query will fail:

password='$mypassword' rights='$rights'

an AND is missing...this should fix it (and gets rid of the * too)

SELECT username, password, rights FROM $tbl_name WHERE username='$myusername' AND password='$mypassword' AND rights='$rights'";

Please use [ php] [ /php] tags around your code.

Also do switch to prepared statements. It's the only way to be safe.

$isAdmin: this is just a variable. You chose to call yours $rights. So you actually do exactly what I suggested 🙂.

Bjom

Actually seems a bit strange that you get the "rights" information from the $_POST array. You store it in the DB, right?

So you don't need to post it around. Simplify your query to this:

SELECT username, password, rights FROM $tbl_name WHERE username='$myusername' AND password='$mypassword';

And retrieve the value for rights from $result

bulbul4u

when I try to use SELECT username, password, rights FROM $tbl_name WHERE username='$myusername' AND password='$mypassword'; the php closing (?>) tag does not remain red. I tried below but still get the wrong username password message even if I enter the right info.

And yes I have a table call "members" in phpmyadmin. It has 4 fields (id, username, password, and rights). For rights, there is either admin/member.

<?php
$host = "localhost";
$username = "myusername";
$password = "mypwd";
$db_name = "mydb";
$tbl_name = "members";

mysql_connect ($host, $username, $password) or die ("can't connect");
mysql_select_db($db_name) or die (mysql_error ());

$myusername = $POST ['myusername'];
$mypassword = $POST ['mypassword'];
$rights = $_POST ['rights'];

$sql = "SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword' and rights='$rights'";
$result = mysql_query($sql);

$count = mysql_num_rows ($result);

if(($count==1)
&& ($rights=='admin')) {
session_register("myusername");
session_register("mypassword");
session_register("rights");
header("location:admin.php");
}
elseif (($count==1)
&& ($rights=='member')) {
session_register("myusername");
session_register("mypassword");
session_register("rights");
header("location:user.php");
}

else {
echo "Wrong Username or Password";
}

Bjom

Please use the [php ] [/php ] tags around code here in the forum. it makes it easier to read.

I'll have a look after you edited 😉

bulbul4u

<?php
$host = "localhost";
$username = "myusername";
$password = "mypwd";
$db_name = "mydb";
$tbl_name = "members";

mysql_connect ($host, $username, $password) or die ("can't connect");
mysql_select_db($db_name) or die (mysql_error ());

$myusername = $_POST ['myusername'];
$mypassword = $_POST ['mypassword'];
$rights = $_POST ['rights'];

$sql = "SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword' and rights='$rights'";
$result = mysql_query($sql);

$count = mysql_num_rows ($result);

if(($count==1)
&& ($rights=='admin')) {
session_register("myusername");
session_register("mypassword");
session_register("rights");
header("location:admin.php");
}
elseif (($count==1)
&& ($rights=='member')) {
session_register("myusername");
session_register("mypassword");
session_register("rights");
header("location:user.php");
}

else {
echo "Wrong Username or Password";
}

?>

bulbul4u

Below is what happens when I try to do what you said.

<?php
$host = "localhost";
$username = "scoutsadmin";
$password = "Tr@ck3r!";
$db_name = "scouts";
$tbl_name = "members";

mysql_connect ($host, $username, $password) or die ("can't connect");
mysql_select_db($db_name) or die (mysql_error ());

$myusername = $_POST ['myusername'];
$mypassword = $_POST ['mypassword'];


$sql = "SELECT username, password, rights FROM $tbl_name WHERE username='$myusername' AND password='$mypassword';
$result = mysql_query($sql);

$count = mysql_num_rows ($result);

if(($count==1)
&& ($rights=='admin')) {
session_register("myusername");
session_register("mypassword");
session_register("rights");
header("location:admin.php");
}
elseif (($count==1)
&& ($rights=='member')) {
session_register("myusername");
session_register("mypassword");
session_register("rights");
header("location:user.php");
}

else {
echo "Wrong Username or Password";
}

?>

Bjom

you are missing a " at the end of your SQL string - and that was actually already wrong in what I had posted. sorry

PS: actually it wasn't. I posted the naked SQL string not the php command. So you need to add the proper quotes.

bulbul4u

I added " and the ?> became red. But now when I enter the username and password nothing happens. Now it doesn't even say wrong username or password.

Bjom

you need to trace possible errors

$result = mysql_query($sql) or trigger_error(mysql_error(), E_USER_ERROR);

bulbul4u

I tried to trace, but it still doesn't show me any error message or anything. It just opens up a blank page (checklogin.php).