Redirecting users to different pages according to their roles


I have a table users in my database, and I also have a login page where users submit their username and password before entering the system. I was wondering how I can redirect different users to different pages using their roles.

Can someone please help?

In my head a switch would be a nice solution; otherwise, a collection of IF statements.


// Login code....

switch ($role) {
    case 'user':
        $redirect = 'user.php';
        break;
    case 'moderator':
        $redirect = 'moderator.php';
        break;
    case 'administrator':
        $redirect = 'administrator.php';
        break;
}

header('Location: ' . $redirect);
exit;

IF statement

// Login code...

if ($role == 'user') {
    $redirect = 'user.php';
} else if ($role == 'moderator') {
    $redirect = 'moderator.php';
} else if ($role == 'administrator') {
    $redirect = 'administrator.php';
}

header('Location: ' . $redirect);
exit;

Or a roles table, with a row for each role, and containing the role id, the page for that role, and whatever other info about the roles you need.

<?php
// process the script only if the form has been submitted
if (array_key_exists('login', $_POST)) {
    // start the session
    session_start();
    require_once('includes/');
    // connect to the database
    include 'includes/';
    // display title
    include('includes/');
    // clean the $_POST array and assign to shorter variables
    $username = trim($_POST['username']);
    $password = trim($_POST['password']);
    // the role is taken from a hidden form field, which the client controls
    $userrole = $_POST['userrole'];

    // connect to the database as a restricted user
    $conn = dbConnect('query');
    // get the username's details from the database
    // (escaped so a crafted username cannot change the query; the mysql_*
    // extension is obsolete and a prepared statement would be the better fix)
    $sql = "SELECT * FROM users WHERE username = '" . mysql_real_escape_string($username) . "'";
    $result = mysql_query($sql);
    $row = mysql_fetch_assoc($result);

    // compare the stored hash with the submitted password (unsalted md5 is weak)
    if ($row && md5($password) == $row['password']) {
        $_SESSION['authenticated'] = 'Nkacharani';
    }
    // if no match, destroy the session and prepare error message
    else {
        $_SESSION = array();
        $error = 'Invalid username or password';
    }
    // if the session variable has been set, redirect
    if (isset($_SESSION['authenticated'])) {
        // get the time the session started
        $_SESSION['start'] = time();
        switch ($userrole) {
            case 'admin':
                header('Location: front_page.php');
                exit;
            case 'clerk':
                header('Location: clerk.php');
                exit;
            case 'user':
                header('Location: user_list.php');
                exit;
        }
    }
}

if (isset($error)) {
    echo "<p>$error</p>";
} elseif (isset($_GET['expired'])) {
?>
<p>Your session has expired. Please log in again.</p>
<?php } ?>
<h2 align="center">Enter your username and password</h2>

<form id="log" name="login" method="post" class="details" action="">
    <div>
        <label class="fixedwidth">Username:</label>
        <input name="username" id="username" type="text" class="fixedwidth" />
    </div>
    <div>
        <label class="fixedwidth">Password:</label>
        <input name="password" id="password" type="password" class="fixedwidth" />
        <input type="hidden" name="userrole" value="<?php echo $userrole; ?>" />
    </div>
    <div class="buttonarea">
        <input name="login" id="login" type="submit" value="User Login" />
    </div>
</form>

Thank you! This is what I had before, and I have added the switch code. If I enter a username and password it is not redirecting anywhere, and there are no error messages.

You have userrole as a hidden field in the form. Not only is this a security risk, but you don’t even give it a value (try doing a print_r of $_POST and you’ll see it’s empty), so the switch will never redirect anywhere.

I did that because I thought it would help me to compare the roles from the users table. Can you help me with the best way to do it?

I am really stuck!

How do you know what role a user has?

I guess what I want to do is: check the username against its userrole in a table, and if the role is admin, say, I would direct the user to the Admin page. So I thought that by fetching the userrole as a hidden field I could just use it in the switch code to check the user's role and redirect the user accordingly.

Ok, assuming you have a userrole column in your users table, all you have to do is

$userrole = $row['userrole'];

after you’ve fetched the result from your query and before you reach the switch.

Don’t use the hidden field in the form. A malicious user could make himself admin by sending the correct value for that field.
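As an added example (not code from any post in this thread), here is the approach from the reply above written out in full: the role is read from the user's database row and mapped through a server-side allow-list, so nothing the browser sends can choose the role. It assumes a users table with username, password and userrole columns, a PDO connection in $pdo, and passwords stored as password_hash() output; PDO and password_hash() are substitutions for the mysql_* and md5() calls in the posted code.

```php
<?php
// Added example, not code from any post in this thread. Assumes a users table
// with username, password and userrole columns, a PDO connection in $pdo, and
// passwords stored as password_hash() output (a substitution for the md5 above).

// Server-side allow-list of roles and where each one lands after login.
// A role that is not a key here (e.g. a tampered value) gets the default page.
const ROLE_LANDING_PAGES = [
    'admin' => 'front_page.php',
    'clerk' => 'clerk.php',
    'user'  => 'user_list.php',
];

function landingPageForRole(string $role): string
{
    return ROLE_LANDING_PAGES[$role] ?? 'index.php';
}

// Returns the user's row on success, null on failure. The role is part of
// the row, so it comes from the database and never from the request.
function authenticate(PDO $pdo, string $username, string $password): ?array
{
    // Prepared statement: the username is bound, not spliced into the SQL text.
    $stmt = $pdo->prepare('SELECT username, password, userrole FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    return $row;
}

if (isset($_POST['login'])) {
    session_start();
    $row = authenticate($pdo, trim($_POST['username'] ?? ''), $_POST['password'] ?? '');
    if ($row === null) {
        $_SESSION = [];
        $error = 'Invalid username or password';
    } else {
        session_regenerate_id(true);              // fresh session id after login
        $_SESSION['authenticated'] = true;
        $_SESSION['userrole'] = $row['userrole']; // stored for the pages to check
        $_SESSION['start'] = time();
        header('Location: ' . landingPageForRole($row['userrole']));
        exit;                                     // nothing runs after the redirect
    }
}
```

The redirect is only navigation: front_page.php, clerk.php and user_list.php each still need to check $_SESSION['userrole'] themselves, because a user can type any of those URLs directly.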

Thank you! It's done.