Login system with 3 levels of users PHP

Question

In my login system code i have 3 users.

But other users can access my admin page.

I want that my admin page can be accessible only for users that has the user level =1 that is the admin.

my code.

<?php
session_start();
include 'includes/dbh.php';
//You can add more params here for more register options
$email= $_POST['email'];
$password= $_POST['password'];


$sql =("SELECT * FROM usuarios WHERE email='$email' 
AND password='$password'");
$result = $conn->query($sql);
if(!$row = $result->fetch_assoc()) {
$_SESSION['errorLogin']="Usuario ou senha inválida";
echo "".$_SESSION['errorLogin'];
header("Location: login.php");

}else{


$_SESSION['userName']=          $row ['nome'];
$_SESSION['userLName']=         $row ['sobrenome'];
$_SESSION['userLevel']=         $row ['userLevel'];
$_SESSION['useremail']=         $row ['email'];
$_SESSION['password']=          $row ['password'];
$_SESSION['userContact']=       $row ['contato'];
$_SESSION['userContact2']=      $row ['contato2'];
$_SESSION['role']=              $row ['login'];
  if($_SESSION['userLevel'] == 1){
   header("Location: adm/painel.php");
   }else{ header("Location: cliente.php"); 

   }
   if($_SESSION['userLevel'] == 2){
   header("Location: rep_page.php");
   }else{ header ("Location: rep_page.php");}

   if($_SESSION['userLevel'] == 3){
   header("Location: cliente.php");

   }else{
   echo "Your not logged in";

   }
   }
   ?>

why other two users can access my admin page? whats wrong?

Do you check on your admin page if the user has the right to access the admin page? — Charlotte Dunois, Jul 26 '16 at 18:33
so, what's inside painel.php ? and what type is the userLevel column? either way, you've been given answers below, so you'll need to ask them — Funk Forty Niner, Jul 26 '16 at 18:39
Passwords should be hashed. You should use parameterized queries to prevent SQL injections. — chris85, Jul 26 '16 at 18:39
[Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)***. Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! [Don't believe it?](http://stackoverflow.com/q/38297105/1011527) — Jay Blanchard, Jul 26 '16 at 19:51
**Never store plain text passwords!** Please use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). Make sure you ***[don't escape passwords](http://stackoverflow.com/q/36628418/1011527)*** or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. — Jay Blanchard, Jul 26 '16 at 19:51

score 2 · Accepted Answer · answered Jul 26 '16 at 18:43

2

you have to put the same checking code starting of each page. what i mean is in the admin_panel.php, place like this.

if($_SESSION['userLevel'] == 1){
 //here please place the entire page code
}else{ 
 echo "you have no access this page";
}

answered Jul 26 '16 at 18:43

Jees K Denny

566
5
26

Can i after that echo print the msg and sent the user to login page? – James Allan Jul 26 '16 at 18:58
yup `header("Location:logout.php");` – Jees K Denny Jul 26 '16 at 19:00
like i want to print the msg and afew sec later send user to login. – James Allan Jul 26 '16 at 19:02
1

do one thing, create a error session like this. ` $_SESSION['error']="sorry you are at wrong page"; ` in the login page starts with checking the error session, `if(isset($_SESSION['error'])){ echo $_SESSION['err'];}` – Jees K Denny Jul 26 '16 at 19:05

COp · Answer 2 · 2016-07-26T18:40:49.227

1

I think your problem is if and else statements.In your code if userLevel is NOT 1 it headers it to cliente.php without looking at code after that.

  if($_SESSION['userLevel'] == 1){
   header("Location: adm/painel.php");
   }elseif($_SESSION['userLevel'] == 2){
   header("Location: rep_page.php");
   }elseif($_SESSION['userLevel'] == 3){
   header("Location: cliente.php");
   }else{
   echo "Your not logged in";
   }

edited Jul 26 '16 at 18:40

answered Jul 26 '16 at 18:35

COp

35
12

1

Answers should have an explanation. – chris85 Jul 26 '16 at 18:38

Jose Manuel Abarca Rodríguez · Answer 3 · 2016-07-26T18:41:24.343

header does not stop the execution of the script, you have to add exit right after:

if($_SESSION['userLevel'] == 1){
   header("Location: adm/painel.php");
   exit;                                     //◄■■■■■■■■■■■■■■■■■■■■■
   }else{ header("Location: cliente.php"); 
          exit;                              //◄■■■■■■■■■■■■■■■■■■■■■
   }

Find all your headers and add exit after them.

Login system with 3 levels of users PHP

3 Answers3