First of all, this is my first post ever and there is a high probability that my explanation will suck, but nevertheless I shall try, with best hopes of someone being able to help me out here.
Basically, what I want to achieve is that nobody can access the contents of adminpage.php except users that just logged in (with user_role: admin, but I only have an admin user in a table with no extra users). I have a table created with a column user_role (which is admin) and everything works except the fact that the conditional if in the code below does not trigger even if the condition has been met (or at least I think it has, but obviously not). So I am always getting the else part echoed:
adminpage.php
<?php
session_start();
$_SESSION['user_role']= $user_role;
//If this page needs admin access then put this code
if( $_SESSION['user_role'] == 'admin'){
    echo "Log in was successful! Welcome, Admin!";
} else {
    echo "Access denied, log in as admin!";
}
?>
So, yeah, it's like it is skipping the if and jumping right to the else, and after I log in it just gives me "Access denied, log in as admin". I want this message showing when someone tries to write down that link where the file adminpage.php is and access it, which is happening, but it also happens when I log in with the right data.
Other code files:
connection.php (I have changed the values of dbusername, dbpassword etc. because of obvious reasons)
<?php
$conn = "";
try {
    $servername = "myservername";
    $dbname = "mydbname";
    $username = "myusername";
    $password = "mypassword";
    $conn = new PDO(
        "mysql:host=$servername; dbname=mydbname",
        $username, $password
    );
    $conn->setAttribute(PDO::ATTR_ERRMODE,
        PDO::ERRMODE_EXCEPTION);
}
catch(PDOException $e) {
    echo "Connection failed: " . $e->getMessage();
}
?>
validate.php
<?php
include_once('connection.php');
function test_input($data) {
    $data = trim($data);
    $data = stripslashes($data);
    $data = htmlspecialchars($data);
    return $data;
}
if ($_SERVER["REQUEST_METHOD"]== "POST") {
    $adminname = test_input($_POST["adminname"]);
    $password = test_input($_POST["password"]);
    $_SESSION['user_role']= $user_role;
    $stmt = $conn->prepare("SELECT * FROM adminlogin");
    $stmt->execute();
    $users = $stmt->fetchAll();
    foreach($users as $user) {
        if(($user['adminname'] == $adminname) &&
            ($user['password'] == $password)) {
            header("Location: adminpage.php");
        }
        else {
            echo "<script language='javascript'>";
            echo "alert('WRONG INFORMATION')";
            echo "</script>";
            die();
        }
    }
}
?>
And of course, there is also admin.html where the form for the log in is.
Just to clear things up, I do not need any security measures as of now. All I am interested in is this specific issue I am having.
Hopefully I explained well enough. Please let me know if I failed in any way or if I didn't follow the rules of SO. Thank you!
EDIT: I am not sure if this will mean anything, but all of this is on a web host, not localhost. Thanks
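
Added example, not part of the original post: in the code above, adminpage.php assigns the undefined $user_role into $_SESSION['user_role'] just before comparing it, and validate.php never calls session_start() or stores a role read from the table, so the check cannot succeed. The sketch below sets the role once at login and only reads it on the protected page. Assumptions: the function names are hypothetical, the password column holds a password_hash() value, and the demo uses a constructed in-memory SQLite table in place of the MySQL connection.

```php
<?php
// Added example, not the poster's code. Table and column names come from the
// post; assumption: the password column holds a password_hash() value.

// validate.php side: fetch the one matching row and return its role, or null.
function authenticate(PDO $conn, string $adminname, string $password): ?string {
    $stmt = $conn->prepare(
        "SELECT password, user_role FROM adminlogin WHERE adminname = ?");
    $stmt->execute([$adminname]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;                    // unknown name or wrong password
    }
    return $row['user_role'];
}

// Call after session_start(). On success the caller redirects and exits.
function login(PDO $conn, array $post): bool {
    $role = authenticate($conn, $post['adminname'] ?? '', $post['password'] ?? '');
    if ($role === null) {
        return false;
    }
    session_regenerate_id(true);        // fresh session id after login
    $_SESSION['user_role'] = $role;     // role comes from the database row
    return true;
}

// adminpage.php side: session_start(), then only read the session.
function is_admin(array $session): bool {
    return ($session['user_role'] ?? null) === 'admin';
}

// Demo on constructed data: in-memory SQLite (needs pdo_sqlite), CLI only.
if (PHP_SAPI === 'cli') {
    session_start();
    $conn = new PDO('sqlite::memory:');
    $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $conn->exec("CREATE TABLE adminlogin (adminname TEXT, password TEXT, user_role TEXT)");
    $ins = $conn->prepare("INSERT INTO adminlogin VALUES (?, ?, ?)");
    $ins->execute(['admin', password_hash('constructed-pass', PASSWORD_DEFAULT), 'admin']);

    $before = is_admin($_SESSION);      // nothing stored in the session yet
    $bad  = login($conn, ['adminname' => 'admin', 'password' => 'wrong-pass']);
    $good = login($conn, ['adminname' => 'admin', 'password' => 'constructed-pass']);
    var_dump($before, $bad, $good, is_admin($_SESSION));
}
```

In the real pages, session_start() goes at the top of both validate.php and adminpage.php, and the redirect after a successful login() is followed by exit so the rest of the script does not run.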