PHP Multiple User Login Form - Navigation to Different Pages Based on Login Credentials

Question

I am trying to create a login page that will send the user to a different index.php page based on their login credentials. For example, should a user with the "IT Technician" role log in, they will be sent to "index.php", and if a user with the "Student" role log in, they will be sent to the "student/index.php" page.

I can't see what's wrong with my code, but it's not working... I'm getting the "wrong login credentials" message every time I press the login button.

My code for the user login page is here:

<?php
session_start();
if (isset($_SESSION["manager"])) {
header("location: http://www.zuluirminger.com/SchoolAdmin/index.php");
exit();
}
?>

<?php
if (isset($_POST["username"]) && isset($_POST["password"]) && isset($_POST["role"])) {
$manager = preg_replace('#[^A-Za-z0-9]#i', '', $_POST["username"]);
$password = preg_replace('#[^A-Za-z0-9]#i', '', $_POST["password"]);
$role = preg_replace('#[^A-Za-z0-9]#i', '', $_POST["role"]);
include "adminscripts/connect_to_mysql.php";
$sql = mysql_query("SELECT id FROM Users WHERE username='$manager' AND password='$password' AND role='$role' LIMIT 1");
$existCount = mysql_num_rows($sql);
if (($existCount == 1) && ($role == 'IT Technician')) {
    while ($row = mysql_fetch_array($sql)) {
        $id = $row["id"];
    }
    $_SESSION["id"] = $id;
    $_SESSION["manager"] = $manager;
    $_SESSION["password"] = $password;
    $_SESSION["role"] = $role;
    header("location: http://www.zuluirminger.com/SchoolAdmin/index.php");
} else {
    echo 'Your login details were incorrect. Please try again <a href="http://www.zuluirminger.com/SchoolAdmin/index.php">here</a>';
    exit();
}
}
?>

<?php
if (isset($_POST["username"]) && isset($_POST["password"]) && isset($_POST["role"])) {
$manager = preg_replace('#[^A-Za-z0-9]#i', '', $_POST["username"]);
$password = preg_replace('#[^A-Za-z0-9]#i', '', $_POST["password"]);
$role = preg_replace('#[^A-Za-z0-9]#i', '', $_POST["role"]);
include "adminscripts/connect_to_mysql.php";
$sql = mysql_query("SELECT id FROM Users WHERE username='$manager' AND password='$password' AND role='$role' LIMIT 1");
$existCount = mysql_num_rows($sql);
if (($existCount == 1) && ($role == 'Student')) {
    while ($row = mysql_fetch_array($sql)) {
        $id = $row["id"];
    }
    $_SESSION["id"] = $id;
    $_SESSION["manager"] = $manager;
    $_SESSION["password"] = $password;
    $_SESSION["role"] = $role;
    header("location: http://www.zuluirminger.com/SchoolAdmin/student/index.php");
} else {
    echo 'Your login details were incorrect. Please try again <a href="http://www.zuluirminger.com/SchoolAdmin/index.php">here</a>';
    exit();
}
}
?>

And the form that the data is pulled from is shown here:

<form id="LoginForm" name="LoginForm" method="post" action="http://www.zuluirminger.com/SchoolAdmin/user_login.php">
  User Name:<br />
  <input type="text" name="username" id="username" size="50" /><br />
  <br />

  Password:<br />
  <input type="password" name="password" id="password" size="50" /><br />
  <br />

  Log in as:
  <select name="role" id="role">
    <option value="">...</option>
<option value="Head">Head</option> 
<option value="Deputy Head">Deputy Head</option> 
<option value="IT Technician">IT Technician</option> 
<option value="Pastoral Care">Pastoral Care</option> 
<option value="Bursar">Bursar</option> 
<option value="Secretary">Secretary</option> 
<option value="Housemaster">Housemaster</option> 
<option value="Teacher">Teacher</option> 
<option value="Tutor">Tutor</option> 
<option value="Sanatorium Staff">Sanatorium Staff</option> 
<option value="Kitchen Staff">Kitchen Staff</option> 
<option value="Parent">Parent</option> 
<option value="Student">Student</option>
</select><br />
  <br />

  <input type="submit" name = "button" id="button" value="Log In" onclick="javascript:return validateLoginForm();" />
  </h3>
</form>

Once logged in (and should the correct page be loaded, the validation code I have at the top of the script looks like this:

<?php
session_start();
if (!isset($_SESSION["manager"])) {
header("location: http://www.zuluirminger.com/SchoolAdmin/user_login.php");
exit();
}

$managerID = preg_replace('#[^0-9]#i', '', $_SESSION["id"]);
$manager = preg_replace('#[^A-Za-z0-9]#i', '', $_SESSION["manager"]);
$password = preg_replace('#[^A-Za-z0-9]#i', '', $_SESSION["password"]);
$role = preg_replace('#[^A-Za-z0-9]#i', '', $_SESSION["role"]);

include "adminscripts/connect_to_mysql.php";
$sql = mysql_query("SELECT id FROM Users WHERE username='$manager' AND password='$password' AND role='$role' LIMIT 1");
$existCount = mysql_num_rows($sql);
if ($existCount == 0) {
header("location: http://www.zuluirminger.com/SchoolAdmin/index.php");
exit();
}
?>

Just so you're aware, the database table has the following fields: id, username, password and role.

Any help would be greatly appreciated!

Many thanks, Zulu

Answer 1

This is a classic debugging situation, in which you can temporarily output intermediate data is see what is going wrong. There are a few improvements you can make to the code to make this easier.

• In your main login page, you appear to be connecting to the database twice, and doing a SELECT twice, and doing user input filtering twice. This is unnecessary. Reduce this to one block - it will make your code much more compact.

• Rather than putting code inside mysql functions, I think this is better:

  $sql = "
      SELECT id FROM Users
      WHERE
          username='$manager'
          AND password='$password'
          AND role='$role'
      LIMIT 1
  ";
  //echo $sql; exit();
  mysql_query($sql);
  

Now you can uncomment the echo line and see if the SQL is correct. Run it against the database manually to check, and then remove it when you're happy.

• Also, see how I indented the SQL string? It is much more readable this way.
• Use header('Location: ...') i.e. with an upper-case 'L'. Your way will work, but this way is more correct.
• After a redirect, always do exit(). This is because PHP will keep on running the script normally until the server realises that the user has disconnected - and you want to be kind to your server :).
• You don't need to redirect to a fully-qualified URL. It is fine to redirect to "/SchoolAdmin/index.php", which will save you hard-wiring your website address.

• You don't need to check all the $_POST vars before you do your database op. It's fine just to do this:

  if ($_POST) {
      // Form operation
  }
  

Much neater, and does the same thing!

• Addendum: rather than referencing values like 'IT Technician' in your code, use define('ROLE_IT_TECH', 'IT Technician'); in a common include file. You can then reference it in your login code and in your login form, so you know you are always using the same value in all use-cases.
• Addendum 2: use include_once rather than include, so PHP ignores any repeated include statements.

Answer 2

You are hitting this section everytime your code runs because you are doing an if else

if (($existCount == 1) && ($role == 'IT Technician')) {
}
else {
     echo 'Your login details were incorrect. Please try again <a href="http://www.zuluirminger.com/SchoolAdmin/index.php">here</a>';
exit();
}

Everytime your code is run and your role is not IT Technician, then you're sending an error message and stopping the application completely...no matter if it is a student, warthog, or no role.

Although there is a lot to improve, initially I'd suggest deleting the duplicated sections (IT Adminstrator vs Student) and instead retreiving the row from the database rather than letting the user submit it.

SELECT id FROM Users WHERE username='$manager' AND password='$password' LIMIT 1

if ( count($sql) == 1 ) {
     if ( $sql['role'] == 'IT Adminstrator' ) {
          header('admin_url.php');
     } elseif ( $sql['role'] == 'Student' ) {
          header('student_url.php');
     };
};