html - Requesting admin permission when logging the user in using php -
i wrote code of registration form , logging in form using php.but every time run code says invalid username when invalid or says account isn;t approved bu admin yet.can please show me how make possible admin approval user when logs in.i want user approved admin.notice admin must log in in same form user.here registration form:
here login form:
<html > <head> <title></title> </head> <body> <?php print ("<form action='logincontroltest.php' method='post'> <p>username <input type='text' name='username' /> </p> <p>password <input type='password' name='password' > <p/> <input type='submit' value='log in'/> </form>"); if( !($database=mysql_connect("localhost","root",""))||!(mysql_select_db("st_login",$database)) ) print("could not connect"); if(isset($_post['username'])&&isset($_post['password']) ) { $username=$_post['username']; $password=$_post['password']; if ( !empty($username) &&!empty($password) ) { $query = " select * `login` `username`='$username' , `password`='$password' "; if($result=mysql_query($query,$database)) { $user=mysql_fetch_assoc($result); if($user==false){ echo "invalid username"; } elseif($user['admin']==1) { echo"admin logged in"; header("location: admin.php"); } elseif($user['approval']==1) { $_post['user']=$user['username']; echo "user logged in"; header("location: faqja2.php"); } else{ echo "your account is'nt approved admin yet"; } } die (mysql_error()); } else echo "fill in blank fields"; } ?> </body> </html>the code works correctly! , here phpmyadmin database i've created:
if understood correctly, can use "approval" column 0|1 boolean (int) flag.
then adding where clause
(nota: must first created in insert before can work).
i.e.:
$query = "insert login (firstname, lastname, username, password, cv, email, approval) values ('$firstname', '$lastname', '$username','$password','$cv','$email', 0)"; then, select: (sidenote: 1 means approved, set message respectively).
$query = "select * `login` `username`='$username' , `password`='$password' , `approval` = 1"; // or 0, depending on query. $result = mysql_query($query, $database); // may have use following instead // if present method of checking not work // has been commented out /* if(mysql_num_rows($result) > 0){ echo "your account has been approved."; } else{ echo "your account isn't approved admin yet."; } */ if($result=mysql_query($query, $database)){...} also check errors against queries.
add or die(mysql_error()) mysql_query() , error reporting.
you can add in other parts of code have given you.
i suggest @ answer though: https://stackoverflow.com/a/29778421/
- it uses pdo prepared statement , safe password hashing function.
notes sql injection , password storage.
your present code open sql injection. use mysqli_* prepared statements, or pdo prepared statements.
passwords
i noticed may storing passwords in plain text. not recommended.
use 1 of following:
- crypt_blowfish
crypt()bcrypt()scrypt()- on openwall
- pbkdf2
- pbkdf2 on php.net
- php 5.5's
password_hash()function. - compatibility pack (if php < 5.5) https://github.com/ircmaxell/password_compat/
other links:
important sidenote column length:
if , when decide use password_hash(), compatibility pack or crypt, important note if present password column's length lower 60, need changed (or higher). manual suggests length of 255.
you need alter column's length , start on new hash in order take effect. otherwise, mysql fail silently.
Comments
Post a Comment