redirect into three different level website from login

[Sigmahokies]

Hi everyone, I am still learning changing PHP by mysqli to PDO. I'm not get used with PDO because it is little complex to understand, but maybe few weeks I will understand how PDO works. 

Now, I am trying to make redirect with type account in website and database. I am trying to identify type of three - administrator, license, and scorer page. I set up the test to make it work, seem it went dead end, it won't go to admin or license or scorer page. What did I do wrong? maybe something is missing.

here my code:

	<?php
/**
 * Created by PhpStorm.
 * User: Gary.Taylor
 * Date: 7/5/2018
 * Time: 10:10 PM
 */
	session_start();
require('access.php');
	if(isset($_POST['submitted'])) {
    $username = $_POST['username'];
    $password = $_POST['password'];
	if($username && $password) {
    $login = $GaryDB->prepare("select username, password, Administrator from account Where username = '.$username.' and password = '.$password.' and Administrator = X");
    $login->execute();
	    $count = $login->fetch();
    if($count == 1) {
        $_SESSION['username'] = $username;
        header('location:admin.php');
    }
}
elseif ($username && $password) {
    $login = $GaryDB->prepare("select username, password, License from account Where username = '.$username.' and password = '.$password.' and License = X");
    $login->execute();
	    $count = $login->fetch();
    if($count == 1) {
        $_SESSION['username'] = $username;
        header('location:license.php');
    }
}
elseif ($username && $password) {
    $login = $GaryDB->prepare("select username, password, Scorer from account Where username = '.$username.' and password = '.$password.' and Scorer = X");
    $login->execute();
	    $count = $login->fetch();
    if($count == 1) {
        $_SESSION['username'] = $username;
        header('location:scorer.php');
    }
}
else{
    header('location:denied.html');
}
	
}
	

[Ingolme]

The issue is not related to PDO. The reason your code is not working is that your logic is wrong.  This is the structure your code has:

$username = $_POST['username'];
$password = $_POST['password'];
if($username && $password) {

} elseif ($username && $password) {

} elseif ($username && $password) {

} else{

}

You're making the exact same comparison three times in a row. If the comparison is true, only the first one will run, if the comparison is false then only the else block will run.

The solution to your problem is to do one single query and pull out values from all three fields: Administrator, License, and Scorer. After these values have been pulled out, read these values and make a decision based on them.

You are using prepared statements wrong, you should not put variables into the SQL string, put placeholders and then assign values to the placeholders, as shown in the tutorial page: https://www.w3schools.com/php/php_mysql_prepared_statements.asp  If you do not fix that, your page is wide open to being hacked, people will be able to log in without knowing the username or password.

You are also making the mistake of storing passwords in plain text in your database. This is a bad idea because if anybody manages to reveal the contents of your database, every single user will have had their password revealed which will be used to hack into their accounts on any number of sites. In PHP, you should use password_hash() and password_verify() when managing passwords. If those are not available, you will need another form of cryptographic hashing, such as PHP's crypt() function.

[Html]

Unlikely, that anyone gaining access to accounts would be possible, since a lot of free services are now designed with features that don't make it easy as it may of been, like ten years ago for anyone to login to an account.

But yes, certainly if a site is going to be online 24/7 should have some kind of encryption, or hash, the examples files I have from the youtube video tutorial I got from, which went nowhere had a basic hash use.

[justsomeguy]

Unlikely, that anyone gaining access to accounts would be possible, since a lot of free services are now designed with features that don't make it easy as it may of been, like ten years ago for anyone to login to an account.

You'd be surprised.  Just last month I heard about another new service that only did authentication, not authorization.  Once you log in with your account then you could switch to any other account you wanted if you knew how to.  Common sense is still not common.