user login verification + condition

[Laurent*]

Hello, I'm trying to create a user login page by going through a SQL database and finding if a user exist in the users table. After that I need to decide what page to send the user to either the admin page or the student page. I tried looking through w3 but this was the closes example I found. 

https://www.w3schools.com/php/php_mysql_select.asp

What's been done so far

• Login page HTLM 
• Connection test to the data base success
• Data Base created
• Users table created
• 1 admin and 1 student have been populated in the users table

[justsomeguy]

If you have a username, or whatever your identifier is, then you would use a select query to get the record that has that username, and then check the other fields like password, admin, etc.  If it doesn't return a record at all then the username doesn't exist.

[Laurent*]

How is this? It not stupid code right?

 

<?php
			$servername = "...";
			$username = "...";
			$password = "...";
			$database = "...";

			//Testing search terms
			$testUsername = "G. mane";
			$testPassword = "wrap";
			$testTable = "users";
			
			// Create connection
			$conn = new mysqli($servername, $username, $password, $database);

			// Check connection
			if ($conn->connect_error) {
				die("Connection failed: " . $conn->connect_error);
			} 

			$query = "	SELECT username, password 
						FROM $testTable 
						WHERE username = '$testUsername' AND password = '$testPassword'";
			$result = $conn->query($query);

			if ($result->num_rows > 0) {
				
				//FOUND YOU!
				echo "I Found a user";
			} 
			else 
			{
				echo "User name and password did not match or does not exist";
			}
			
			// Perform queries 
			//mysqli_query($conn,"SELECT * FROM users WHERE");
			//mysqli_query($con,"INSERT INTO Persons (FirstName,LastName,Age) 
			//VALUES ('Glenn','Quagmire',33)");

			mysqli_close($conn);
		?>

 

Edited March 10, 2018 by Ingolme
Removed database information

[Ingolme]

The first thing you should do is try the code yourself to see if it works. I don't see any obvious errors, so I would guess that it does work, but is unsafe on a few levels.

1. I've removed the database information from your post to keep your accounts safe from people reading the forum.
2. Your SQL query is open to SQL injection. Read about prepared statements to keep your database safe from hackers.nencrypted
3. The passwords are openly visible in the database. It is unsafe for the people signing up to your site because you, and anybody with access to your database, know their passwords and you can use that to hack their accounts on other websites since many people use the same password in multiple places.

To solve the password issue, you hash the passwords before storing them into your database using password_hash(). When searching for a user, you have to search by username first, pull out a hashed password and compare it to the data that was sent in the form using password_verify().

[rootKID]

at the mysqli queries in the end, see the $conn part... the middle mysqli_query needs an "n" to the $con+n...

just to help a bit

[Laurent*]

Well one problem is solved but the thread still isn't done. I tried on my own but it not working. I think my problem is with the array because the switch case never works. 

Quote

After that I need to decide what page to send the user to either the admin page or the student page

<!DOCTYPE html>
<html>
<head>
<title>Verifies login request</title>
</head>
	<body>
		<h1>Please wait to be redirected to the appropriate page</h1>
		<?php
			$servername = ".............";
			$username = "...............";
			$password = "..............";
			$database = "..............";

			//Testing search terms
			$testUsername = $_POST['uname'];
			$testPassword = $_POST['psw'];
			$testTable = "users";
			$pagelocation = "LoginPage.php";
			
			// Create connection
			$conn = new mysqli($servername, $username, $password, $database);

			// Check connection
			if ($conn->connect_error) {
				die("Connection failed: " . $conn->connect_error);
			} 

			$query = "	SELECT username, password 
						FROM $testTable 
						WHERE username = '$testUsername' AND password = '$testPassword'";
			$result = $conn->query($query);
			$row = mysqli_fetch_row($result);
			
			if ($result->num_rows > 0) 
			{
					switch ($row["title"])
					{
						case "admin": $pagelocation = "AdminSettingPage.php"; break;
						case "teacher": $pagelocation = "TeacherSettingPage.php";break;
					}
					//Send the user to the admin page
					echo "Sending you to settings page now. ";	
					mysqli_free_result($result);
			} 
			else 
			{
				//Send the user back to the login page.
				echo "I'm sorry, your user & password does not exist. Please go away......";
				//$pagelocation = "LoginPage.php";
			}		

			mysqli_close($conn);
		?>
		
		<!--Send the user where they suppose to go-->
		<a href=></a>
		<meta http-equiv="Refresh" content="5;url=<?php echo $pagelocation; ?>">
		
		
	</body>
</html>

 

[Ingolme]

You did not select "title" from the database in your query.

[justsomeguy]

You definitely need to use prepared statements, that's the first and major thing I would say is wrong with that code.  Also, in an actual system, passwords would never be stored in the database just in plain text.  PHP has functions called password_hash and password_verify that you can use to help store passwords in a more secure format.

[Laurent*]

I really don't have any idea what I can do. All I want is the "title" of the user  who password and username match my query/search/ect. I looked at "prepared statements" on w3 but it just an insert example and my initial problem was getting results. I even changed the array but I'm not getting anything from it. I don't know what the title of the user is and I want to figure out. How can I get the data? This is the  

 

Here what I'm thinking. Getting upset but still persisting.  Be back early tomorrow I need to cool down and think. 

<!DOCTYPE html>
<html>
<head>
<title>Verifies login request</title>
</head>
	<body>
		<h1>Please wait to be redirected to the appropriate page</h1>
		<?php
			$servername = "localhost";
			$username = "root";
			$password = "TheMango0*";
			$database = "betacode_database";

			//Testing search terms
			$testUsername = $_POST['uname'];
			$testPassword = $_POST['psw'];
			$testTitle;
			$testTable = "users";
			$pagelocation = "LoginPage.php";
			
			// Create connection
			$conn = new mysqli($servername, $username, $password, $database);

			// Check connection
			if ($conn->connect_error) {
				die("Connection failed: " . $conn->connect_error);
			} 
			
			//I can't figure out how to use this.
			/*$stmt = $conn->prepare("INSERT INTO MyGuests (firstname, lastname, email)  VALUES (:firstname, :lastname, :email)"); 
			$stmt = $conn->prepare("SELECT FROM $testTable (username, password, title) VALUES (:username, :password, :title)");
			$stmt->bindParam(':username', $testUsername);
			$stmt->bindParam(':password', $testPassword);
			$stmt->bindParam(':title', $testTitle);*/
			
			$query = "	SELECT username, password, title
						FROM $testTable 
						WHERE username = '$testUsername' AND password = '$testPassword'";
						
			$result = $conn->query($query);
			$row = mysqli_fetch_row($result);
			
			if ($result->num_rows > 0) 
			{
					//$row = $result->fetch_row();
					switch ($row[6])
					{
						case "admin": $pagelocation = "AdminSettingPage.php"; break;
						case "teacher": $pagelocation = "TeacherSettingPage.php";break;
					}
					//Send the user to the admin page
					echo "Sending you to settings page now. ";	
					mysqli_free_result($result);
			} 
			else 
			{
				//Send the user back to the login page.
				echo "I'm sorry, your user & password does not exist. Please go away......";
				//$pagelocation = "LoginPage.php";
			}
			
			// Perform queries 
			//mysqli_query($conn,"SELECT * FROM users WHERE");
			//mysqli_query($con,"INSERT INTO Persons (FirstName,LastName,Age) 
			//VALUES ('Glenn','Quagmire',33)");

			mysqli_close($conn);
		?>
		
		<!--Send the user where they suppose to go-->
		<a href=></a>
		<meta http-equiv="Refresh" content="5;url=<?php echo $pagelocation; ?>">
		
		
	</body>
</html>

 

[Ingolme]

What you had before would have worked if you had added the `title` field to your select statement. You've replaced it with $row[6] which is probably not going to work.

[Laurent*]

It didn't work, at least not without an error. I thought about most of the night and remembered something I found called "fetch_assoc()". Combined with ingolme bit I managed to get the page working to the minimal requirements. 

Although I'll have a bit of time before the next project after this is completely completed, it appears security might be apart of my later assignments. There is still more to do, Thank you all. 

 

<!DOCTYPE html>
<html>
<head>
<title>Verifies login request</title>
</head>
	<body>
		<h1>Please wait to be redirected to the appropriate page</h1>
		<?php
			$servername = "...........";
			$username = "..............";
			$password = "...............";
			$database = ".......................";

			//Testing search terms
			$testUsername = $_POST['uname'];
			$testPassword = $_POST['psw'];
			$testTitle;
			$testTable = "users";
			$pagelocation = "LoginPage.php";
			
			// Create connection
			$conn = new mysqli($servername, $username, $password, $database);

			// Check connection
			if ($conn->connect_error) {
				die("Connection failed: " . $conn->connect_error);
			} 
			
			
			$query = "	SELECT username, password, title
						FROM $testTable 
						WHERE username = '$testUsername' AND password = '$testPassword'";

			
			//$result = $conn->query($query);
			$result=mysqli_query($conn,$query);
			
			
				if ($result->num_rows > 0) 
				{
					//$row = $result->fetch_row();
					$row = mysqli_fetch_assoc($result);
						
							
						//Print the right message and set the right destination
						switch ($row["title"])
						{
							case "admin":	$pagelocation = "AdminSettingPage.php"; 
											//Send the user to the admin page
											echo "Sending you to settings page now. ";	
							break;
							case "teacher": $pagelocation = "TeacherSettingPage.php";
											//Send the user to the admin page
											echo "Sending you to settings page now. ";	
							break;
						}
				}
			else 
			{
				echo"I'm sorry, your user & password does not exist. Please go away......";
				$pagelocation = "LoginPage.php";
			}
			mysqli_free_result($result);
			mysqli_close($conn);
		?>
		
		<!--Send the user where they suppose to go-->
		<a href=></a>
		<meta http-equiv="Refresh" content="5;url=<?php echo $pagelocation; ?>">
		
		
	</body>
</html>

 

[justsomeguy]

I looked at "prepared statements" on w3 but it just an insert example and my initial problem was getting results.

That doesn't matter, you can use prepared statements with any kind of query.  You use a prepared statement any time you are putting data into the query.  You should never just put a PHP variable in a query like this:

$query = "    SELECT username, password, title
                        FROM $testTable 
                        WHERE username = '$testUsername' AND password = '$testPassword'";

That's a major attack vector for websites.  With that in your code, I could enter a username and password which will always log me in without needing to match any username or password in the database.  If I know the username, like "admin", then I can log in as that user without needing to know their password.  All of that because you are using PHP variables inside the SQL query.  Replace the data with placeholders, use a prepared statement to bind your variables, and you won't have that problem.

$query = "    SELECT username, password, title
                        FROM $testTable 
                        WHERE username = :username AND password = :password";