Add Multi Levels to login script

Hi everyone, how do I go about adding the level system in my login script?

this:

if(mysqli_num_rows($result) != 1){
    echo "<script>alert('Wrong Username or Password Access Denied !!! Try Again');
    window.location='index.php';
    </script>";
}else{
    $row = mysqli_fetch_assoc($result);
    // Send the user to the page for their level. Each redirect is followed by exit
    // so that nothing further in the script runs (or is sent) after the header.
    if($row['userlevel'] == 1){
        header("Location: admin.php");
        exit;
    }else if($row['userlevel'] == 2){
        header("Location: faculty.php");
        exit;
    }else if($row['userlevel'] == 3){
        header("Location: student.php");
        exit;
    }else if($row['userlevel'] == 4){
        header("Location: staff.php");
        exit;
    }else{
        // Unknown level: treat as a failed login
        echo "<script>alert('Wrong Username or Password Access Denied !!! Try Again');
        window.location='index.php';
        </script>";
    }
}

into this login script:

<?php
// Initialize the session before $_SESSION is read anywhere below
session_start();

// Database connection: $link is the mysqli handle created in the config include
// (the file name is assumed; adjust it to your own)
require_once "config.php";

// Check if the user is already logged in, if yes then redirect him to welcome page
if(isset($_SESSION["loggedin"]) && $_SESSION["loggedin"] === true){
    header("location: dashboard.php");
    exit;
}

// Define variables and initialize with empty values
$username = $password = "";
$username_err = $password_err = "";
 
// Processing form data when form is submitted
if($_SERVER["REQUEST_METHOD"] == "POST"){
 
    // Check if username is empty
    if(empty(trim($_POST["username"]))){
        $username_err = "Please enter username.";
    } else{
        $username = trim($_POST["username"]);
    }
    
    // Check if password is empty
    if(empty(trim($_POST["password"]))){
        $password_err = "Please enter your password.";
    } else{
        $password = trim($_POST["password"]);
    }
    
    // Validate credentials
    if(empty($username_err) && empty($password_err)){
        // Prepare a select statement
        $sql = "SELECT id, username, password FROM users WHERE username = ?";
        
        if($stmt = mysqli_prepare($link, $sql)){
            // Bind variables to the prepared statement as parameters
            mysqli_stmt_bind_param($stmt, "s", $param_username);
            
            // Set parameters
            $param_username = $username;
            
            // Attempt to execute the prepared statement
            if(mysqli_stmt_execute($stmt)){
                // Store result
                mysqli_stmt_store_result($stmt);
                
                // Check if username exists, if yes then verify password
                if(mysqli_stmt_num_rows($stmt) == 1){                    
                    // Bind result variables (one per selected column, in order)
                    mysqli_stmt_bind_result($stmt, $id, $username, $hashed_password);
                    if(mysqli_stmt_fetch($stmt)){
                        if(password_verify($password, $hashed_password)){
                            // Password is correct: the session is already started above,
                            // so issue a fresh session id instead of starting it again
                            session_regenerate_id(true);
                            
                            // Store data in session variables
                            $_SESSION["loggedin"] = true;
                            $_SESSION["id"] = $id;
                            $_SESSION["username"] = $username;                            
                            
                            // Redirect user to welcome page and stop the script
                            header("location: dashboard.php");
                            exit;
                        } else{
                            // Display an error message if password is not valid
                            $password_err = "The password you entered was not valid.";
                        }
                    }
                } else{
                    // Display an error message if username doesn't exist
                    $username_err = "No account found with that username.";
                }
            } else{
                echo "Oops! Something went wrong. Please try again later.";
            }
            
            // Close statement (only exists if the prepare succeeded)
            mysqli_stmt_close($stmt);
        }
    }
    
    // Close connection
    mysqli_close($link);
}
?>

Well, let's look at it a bit.

        $sql = "SELECT id, username, password FROM users WHERE username = ?";

So clearly, you’re going to need the userlevel information out of the database. You’ll need to add it to the query.

mysqli_stmt_bind_result($stmt, $id, $username, $hashed_password);

this binds the result fields of the query (in order!) to variable names. You want to add a field to the query, so you’ll need to add a variable to this list to catch the result!

So here is where your if statement would go. You’ve already written it, but change the variable to match the variable you created in the last block.

You may also want to bind the userlevel into a session variable, if it’s going to be needed in later pages.
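The three changes described above (extra column in the query, extra bound variable, level kept in the session) written out as an added example; this is not the original poster's code. It assumes session_start() has already run at the top of the script, that $link is an open mysqli connection, that $username and $password hold the submitted form values, and that the users table has an integer userlevel column.

```php
<?php
// Added example: the part of the login script that changes once userlevel is read.

// 1. Ask for the extra column in the query.
$sql = "SELECT id, username, password, userlevel FROM users WHERE username = ?";

if ($stmt = mysqli_prepare($link, $sql)) {
    mysqli_stmt_bind_param($stmt, "s", $username);

    if (mysqli_stmt_execute($stmt)) {
        mysqli_stmt_store_result($stmt);

        if (mysqli_stmt_num_rows($stmt) == 1) {
            // 2. Bind one variable per selected column, in the same order as the SELECT.
            mysqli_stmt_bind_result($stmt, $id, $db_username, $hashed_password, $userlevel);

            if (mysqli_stmt_fetch($stmt) && password_verify($password, $hashed_password)) {
                // Fresh session id after a successful login (session already started)
                session_regenerate_id(true);
                $_SESSION["loggedin"] = true;
                $_SESSION["id"]       = $id;
                $_SESSION["username"] = $db_username;
                // 3. Keep the level in the session so later pages can check it.
                $_SESSION["userlevel"] = (int) $userlevel;

                // Landing page per level. This redirect is a convenience only;
                // each target page still has to check the level itself.
                $landing = [1 => "admin.php", 2 => "faculty.php", 3 => "student.php", 4 => "staff.php"];
                header("Location: " . ($landing[(int) $userlevel] ?? "dashboard.php"));
                exit;
            }
        }
    }
    mysqli_stmt_close($stmt);
}

// Reaching this point means the login failed. One message for both the unknown-user
// and wrong-password cases avoids telling a visitor which usernames exist.
$login_err = "The username or password you entered was not valid.";
```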

That code does not enforce user levels and does not stop access to the pages. It is simply a conditional redirection script. Anyone can ‘manually’ enter any of those URLs and open the corresponding page.

The correct way of implementing user levels is to query on each page request to get the current user’s information and permissions, and use this data to determine what the user can see and do on that page.
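As an added example of the per-request check described above (not code from the thread): an auth.php that every protected page includes before producing any output. It re-reads the level from the users table on each request, so a changed or deleted account loses access immediately. The file name, the function names, and the level numbers (1 admin, 2 faculty, 3 student, 4 staff) are assumptions; $link is assumed to be an open mysqli connection, and the login script is assumed to have stored $_SESSION["loggedin"] and $_SESSION["id"].

```php
<?php
// Added example: auth.php, included at the top of each protected page.

// Look up the current level for the logged-in account; null if the account is gone.
function current_userlevel(mysqli $link, int $user_id): ?int
{
    $stmt = mysqli_prepare($link, "SELECT userlevel FROM users WHERE id = ?");
    if (!$stmt) {
        return null;
    }
    mysqli_stmt_bind_param($stmt, "i", $user_id);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $userlevel);
    $found = mysqli_stmt_fetch($stmt);
    mysqli_stmt_close($stmt);
    return $found ? (int) $userlevel : null;
}

// Stop the page unless the visitor is logged in AND holds one of the allowed levels.
function require_level(mysqli $link, array $allowed_levels): void
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }

    // Not logged in: send to the login form and stop rendering this page.
    if (empty($_SESSION["loggedin"]) || empty($_SESSION["id"])) {
        header("Location: index.php");
        exit;
    }

    // Logged in but not permitted here: refuse rather than silently redirect.
    $level = current_userlevel($link, (int) $_SESSION["id"]);
    if ($level === null || !in_array($level, $allowed_levels, true)) {
        http_response_code(403);
        echo "You do not have permission to view this page.";
        exit;
    }
}

// Usage at the top of each page, before any HTML is output:
//   admin.php:   require_once "auth.php"; require_level($link, [1]);
//   faculty.php: require_once "auth.php"; require_level($link, [1, 2]);
//   student.php: require_once "auth.php"; require_level($link, [3]);
//   staff.php:   require_once "auth.php"; require_level($link, [1, 4]);
```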
