How to login by using info from database table?

Hi, so I have two files. The first one, login.php, has the form where the user inputs their info. The second document is login.backend.php; basically it receives the info of the form from login.php, then checks if the value=“submit”. Now the part where I’m stuck. In the database table named users I have made it so that the user_type can equal 1 or 0. 1 is for admin and 0 is for user. If in the table the value is 1 then I want to confirm that that is what the user has inputted into the form through the selection option tag. So basically:

```
if user_email in table = user’s input and user_pass = user’s input then
    if user_type in table = 1 then
        redirect to admin.php
    else
        redirect to login.php
    endif
endif
```

==========================================

Here is the code for the login.php file. I am aware that there are < missing, I just didn’t know how to make the code appear otherwise. NOTE: thanks to SamA74 I was able to make the code visible so there are no longer any missing >.

```html
<form class="login-form" action="backend/login.backend.php" method="get">
	<select name="type">
		<option value="">Sign in as</option>
		<option value="admin">user</option>
		<option value="user">admin</option>
	</select>
	<input type="email" name="email" id="email" placeholder="Email" required>
	<input type="password" id="pass" name="pass" placeholder="Password" required>
	<button type="submit" name="submit1">Login</button>
</form>
```

==========================================

Here is the code for login.backend.php:

```php
<?php

	require_once ('dbh.backend.php');
	$email = $_GET['email'];
	$pass = $_GET['pass'];

	$login = "SELECT * FROM users where user_email = '$email' AND user_pass = '$pass'";
	$result = mysqli_query($connection, $login);
	$adminlogin = "SELECT * FROM users where user_type = '$admin'";

	if(isset($_GET['submit1'])){

		$type = $_GET['type'];

		if (mysqli_num_rows($result) > 0 AND mysqli_num_rows($adminlogin) == 1)
		{
			echo '<script type="text/javascript"> window.location ="../admin.php"; </script>';
		}
		else
		{
			echo '<script type="text/javascript"> window.location ="../index.php"; </script>';
		}
	}

	mysqli_close();
?>
```

Edit: I have figured it out. This is what I ended up with.

```html
<form class="login-form" action="backend/login.backend.php" method="post">
	<select name="type">
		<option value="">Sign in as</option>
		<option value="0">user</option>
		<option value="1">admin</option>
	</select>
	<input type="email" name="email" id="email" placeholder="Email" required>
	<input type="password" id="pass" name="pass" placeholder="Password" required>
	<button type="submit" name="submit1">Login</button>
</form>
```

And for the login.backend.php I wrote:

```php
<?php

	require_once ('dbh.backend.php');
	// Values submitted by the login form
	$email = $_POST['email'];
	$pass = $_POST['pass'];
	$type = $_POST['type'];

	// The submitted values are interpolated directly into the SQL string
	$login = "SELECT * FROM users where user_email = '$email' AND user_pass = '$pass' AND user_type = '$type'";
	$result = mysqli_query($connection, $login);

	if(isset($_POST['submit1'])){

		// Any matching row sends the browser to admin.php, otherwise to index.php
		if (mysqli_num_rows($result) > 0)
		{
			echo '<script type="text/javascript"> window.location ="../admin.php"; </script>';
		}
		else
		{
			echo '<script type="text/javascript"> window.location ="../index.php"; </script>';
		}
	}

	// mysqli_close() needs the connection handle
	mysqli_close($connection);
?>
```

To format code as code you can highlight it and use the </> button from the toolbar.
Or place three backticks on a row of their own before and after the block.

Also please post PHP questions in the PHP forum. Although there may be a degree of crossover with “Databases” when using mysqli, this is predominately a PHP problem.

oh thank you!

The code you have written suggests that you are storing the password in plain text in the database table. This is obviously a bad thing, presumably your next job is to add encryption to it.

I must say it’s unusual for the user to have to pick whether it’s a normal or admin login. I’d have expected that to be stored in the users table somewhere, and the decision made in the code - if the user is an admin, then log them in as an admin user, otherwise log them in as a normal user.

In addition to that, now I actually look at the code, it’s not really a login system. It does not appear to log that anyone logs in. It just checks their credentials, then forwards them to another page depending on the result (via javascript for some reason).

So what’s to stop anyone just navigating straight to ../admin.php and bypassing the login altogether?

Also the code leaves the OP a sitting duck for SQL Injection attacks

It’s been mentioned in the OP’s other topics.
But this script is a hacker’s dream, unchallenged access to the Admin area, plain text passwords, then queries ripe for injection to harvest those passwords from the DB (though in reality you don’t even need the passwords to get in, as per my first comment, so…)
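
Added example, not part of any post in this thread: a version of login.backend.php that addresses the points raised in the replies (prepared statement instead of string interpolation, hashed password check, role read from the table, login recorded in a session that admin.php checks). It assumes dbh.backend.php defines `$connection` and that `user_pass` stores `password_hash()` output; the session keys `email` and `is_admin` and the redirect to login.php on failure are choices made for this example.

```php
<?php
// login.backend.php, hardened (added example, not the OP's code).
// Assumes dbh.backend.php defines $connection (mysqli) and that
// users.user_pass holds password_hash() output, not plain text.
require_once 'dbh.backend.php';
session_start();

$email = $_POST['email'] ?? '';
$pass  = $_POST['pass'] ?? '';
if (!is_string($email) || !is_string($pass) || $email === '' || $pass === '') {
    header('Location: ../login.php');
    exit;
}

// The ? placeholder keeps user input out of the SQL text.
$stmt = mysqli_prepare(
    $connection,
    'SELECT user_pass, user_type FROM users WHERE user_email = ?'
);
mysqli_stmt_bind_param($stmt, 's', $email);
mysqli_stmt_execute($stmt);
mysqli_stmt_bind_result($stmt, $hash, $userType);
$found = mysqli_stmt_fetch($stmt); // true on a row, null when none
mysqli_stmt_close($stmt);
mysqli_close($connection);

// Check the password against the stored hash.
if (!$found || !password_verify($pass, $hash)) {
    header('Location: ../login.php');
    exit;
}

// Record the login server-side; the role comes from the table,
// not from a field the visitor picked in the form.
session_regenerate_id(true);
$_SESSION['email']    = $email;
$_SESSION['is_admin'] = ((int) $userType === 1);

header('Location: ' . ($_SESSION['is_admin'] ? '../admin.php' : '../index.php'));
exit;

// First lines of admin.php, so direct navigation is refused:
//   session_start();
//   if (empty($_SESSION['is_admin'])) {
//       header('Location: login.php');
//       exit;
//   }
```

With this in place the "Sign in as" select in login.php is no longer needed, and existing plain-text rows would have to be re-stored with `password_hash()` before `password_verify()` can match them.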
