Login Script to redirect based on "role"

I have a PHP script that uses MySQL to authenticate a user during login. On the database I have three fields: Username, Password and Role. I want to be able to redirect to a page after login to the appropriate “role”.

The role is provided to the user when the username is created.

There are five “roles”, therefore five different pages that the user can be redirected to.

The HTML Form to submit login credentials


<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<BODY background="http://helpdesk.utahimaging.com/images/default/uiabackground.jpg" bgproperties="fixed">
    <body id="ifldasb2">
<br><br><br><br><center><img src="http://helpdesk.utahimaging.com/images/default/uiafinal.gif" alt="Utah Imaging Associates" width="499" height="94" /></center>
<br><br><br><br>
<center><strong>Radiology Requisition Login </strong></center>
<br><br>
<table width="300" border="0" align="center" cellpadding="0" cellspacing="1" bgcolor="#CCCCCC">
<tr>
<form name="form1" method="post" action="checklogin.php">
<td>
<table width="100%" border="0" cellpadding="3" cellspacing="1" bgcolor="#FFFFFF">
<tr>
<td width="78">Username</td>
<td width="6">:</td>
<td width="294"><input name="myusername" type="text" id="myusername"></td>
</tr>
<tr>
<td>Password</td>
<td>:</td>
<td><input name="mypassword" type="password" id="mypassword"></td>
</tr>
<tr>
<td>&nbsp;</td>
<td>&nbsp;</td>
<td><input type="submit" name="Submit" value="Login"></td>
</tr>
</table>
</td>
</form>
</tr>
</table>

</body>
</html>

The php script

<?php
$host="localhost"; // Host name
$username=""; // Mysql username
$password=""; // Mysql password
$db_name="RadReq"; // Database name
$tbl_name="members"; // Table name

// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect");
mysql_select_db("$db_name")or die("cannot select DB");

// username and password sent from form
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];

// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);

$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row

if($count==1){
// session Register $myusername, $mypassword and redirect to file "login_success.php"
session_register("myusername");
session_register("mypassword");
header("location:login_success.php");
}
else {
echo "Wrong Username or Password";
}
?>


//Get result set 
$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);

$r = mysql_fetch_array($result);
$_SESSION['role'] = $r['role'];  //set role to session - This will be needed to restrict pages pertaining to role.

$link = 'http://www.abc.com';
if($r['role'] == 'admin')
{
  $link .= "?role=admin";
}
else if($r['role'] == 'mod')
{
  $link .= "?role=mod";
}
header("Location: ".$link."");

I hope this is what you are looking for. There can be many ways; it depends on what you need to do. It's just an example to get you started!

Good Luck

So I updated the script using your example, the problem is it is still sending all users to the admin screen…



<?php
$host="localhost"; // Host name 
$username=""; // Mysql username 
$password=""; // Mysql password 
$db_name="RadReq"; // Database name 
$tbl_name="members"; // Table name 

// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect"); 
mysql_select_db("$db_name")or die("cannot select DB");

// username and password sent from form 
$myusername=$_POST['myusername']; 
$mypassword=$_POST['mypassword']; 
$role = $result['role'];

// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);

$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);

if($role =Administrator){
 $link = 'newuser.html';}
else {if ($role =Clinic)
 $link = 'rrform.html';}
 
// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row


if($count==1){
// session Register $myusername, $mypassword and redirect to file "login_success.php"
$_session["myusername"] = $myusername;
$_session["mypassword"] = $mypassword;
$_session["role"] = $result['role'];
header("Location: ".$link."");
}

else {
echo "Wrong Username or Password";
}

?>

if($role =Administrator){
 $link = 'newuser.html';}
else {if ($role =Clinic)
 $link = 'rrform.html';}

Try


if($role == 'Administrator'){
 $link = 'newuser.html';}
else if ($role == 'Clinic') {
 $link = 'rrform.html';}

(Note the extra = and the ‘’ around the values for the ifs)

I actually originally had my code like that but with the double == it would just leave me at a blank page


//correct code
if($role == 'Administrator'){
 $link = 'newuser.html';}
else {if ($role == 'Clinic')
 $link = 'rrform.html';}

So I put this code in and it does not process the information. I just sit at my .php page that is blank.

After removing one of the two == then I get redirected to the admin page for all users.

Try this code…


<?php
$host="localhost"; // Host name 
$username=""; // Mysql username 
$password=""; // Mysql password 
$db_name="RadReq"; // Database name 
$tbl_name="members"; // Table name 

// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect"); 
mysql_select_db("$db_name")or die("cannot select DB");

// username and password sent from form 
$myusername=$_POST['myusername']; 
$mypassword=$_POST['mypassword']; 


// To protect MySQL injection (more detail about MySQL injection)
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);

$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);


// Mysql_num_row is counting table row
$count=mysql_num_rows($result);
// If result matched $myusername and $mypassword, table row must be 1 row


if($count==1){
$result=mysql_fetch_array($result);
$role = $result['role'];

//page link on the basis of user role; you can add more conditions on the basis of your roles in the db
if($role =='Administrator'){
 $link = 'newuser.html';
 }
elseif($role =='Clinic')
 $link = 'rrform.html';
 }
 
// session Register $myusername, $mypassword and redirect to file "login_success.php"
$_session["myusername"] = $myusername;
$_session["mypassword"] = $mypassword;
$_session["role"] = $role;
header("Location: ".$link."");
}

else {
echo "Wrong Username or Password";
}

?>


“I put this in and it comes up blank”
Stick an echo after the header, to see if it’s just redirecting you nowhere.
If you STILL get a blank screen, you’ve got other problems.

PS: _session is NOT the same as _SESSION .

Thank You Guys… After taking the last two posts I was able to get it to work

by changing



if($role =='Administrator'){
$link = 'newuser.html';
}
elseif($role =='Clinic){
$link ='rrform.html';
}

// SESSION Register
$_SESSION["mysusername"] = $myusername;
$_SESSION["password"] = $mypassword;
$_SESSION["role"] = $role;

You’re missing a close quote at the end of Clinic, there.

And at the end of 'rrform.html; (should be ‘rrform.html’; )

That one is actually there - it just gets mangled by the forum’s highlighting code as it tries to deal with the unclosed quote.

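A login handler of the kind this thread builds, as an added example that is not code from any of the posts: it binds the username in a prepared statement, checks the password with password_verify(), and maps the role to a page through an allow-list. It assumes PDO with the SQLite driver, a `password` column holding password_hash() output, and constructed sample users; the two mapped roles and pages are the ones from the thread, and `Billing` is a made-up unmapped role.

```php
<?php
// Added example, not code from the thread. Assumes the `password` column holds
// password_hash() output and uses an in-memory SQLite table (constructed data)
// in place of the MySQL `members` table so the script runs stand-alone.

// Allow-list of role => landing page; only the two roles named in the thread.
const ROLE_PAGES = ['Administrator' => 'newuser.html', 'Clinic' => 'rrform.html'];

// Returns ['role' => ..., 'link' => ...] on success, null on any failure.
function authenticate(PDO $db, string $user, string $pass): ?array
{
    // Prepared statement: the username is bound, never concatenated into SQL.
    $stmt = $db->prepare('SELECT password, role FROM members WHERE username = ?');
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Unknown user or a password that does not match the stored hash.
    if ($row === false || !password_verify($pass, $row['password'])) {
        return null;
    }
    // A role with no mapped page is refused instead of falling through to a default.
    $link = ROLE_PAGES[$row['role']] ?? null;
    return $link === null ? null : ['role' => $row['role'], 'link' => $link];
}

// Constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (username TEXT PRIMARY KEY, password TEXT, role TEXT)');
$ins = $db->prepare('INSERT INTO members VALUES (?, ?, ?)');
$ins->execute(['alice', password_hash('s3cret-A', PASSWORD_DEFAULT), 'Administrator']);
$ins->execute(['bob', password_hash('s3cret-B', PASSWORD_DEFAULT), 'Clinic']);
$ins->execute(['carol', password_hash('s3cret-C', PASSWORD_DEFAULT), 'Billing']);

$tests = [['alice', 's3cret-A'], ['bob', 's3cret-B'], ['bob', 'wrong'],
          ["o'brien", 'x'], ['carol', 's3cret-C']];
foreach ($tests as [$u, $p]) {
    $auth = authenticate($db, $u, $p);
    echo $u, ' => ', $auth ? $auth['role'] . ' -> ' . $auth['link'] : 'rejected', "\n";
}

// In checklogin.php the success path would then be (password is not kept in the session):
//   session_start(); session_regenerate_id(true);
//   $_SESSION['myusername'] = $user; $_SESSION['role'] = $auth['role'];
//   header('Location: ' . $auth['link']); exit;
```

Redirecting by role only chooses the landing page; each protected page still has to check `$_SESSION['role']` itself, which static `.html` targets cannot do.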