my query is not working for pending and approve

Time:10-10

if (isset($_POST['login_btn'])) {
    $username = mysqli_real_escape_string($db, $_POST['username']);
    $password = mysqli_real_escape_string($db, $_POST['password']);

    if (empty($username)) {
        array_push($errors, "Username is Required");
    }
    if (empty($password)) {
        array_push($errors, "Password is Required");
    }

    if (count($errors) == 0) {
        $password = md5($password);

        $query = "SELECT * FROM request WHERE username='$username' AND password='$password' ";
        $results = mysqli_query($db, $query);

        if (mysqli_num_rows($results) == 1) {
            $logged_in_user = mysqli_fetch_assoc($results);
            if ($logged_in_user['user_type'] == 'admin') {
                $_SESSION['user'] = $logged_in_user;
                $_SESSION['success'] = "Welcome Admin";
                header('location: admin/home.php');
            } elseif ($logged_in_user['user_type'] == 'employee') {
                $_SESSION['user'] = $logged_in_user;
                $_SESSION['success'] = "Welcome Employee";
                header('location: admin/employee.php');
            } else {
                $_SESSION['user'] = $logged_in_user;
                $_SESSION['success'] = "Welcome User";
                header('location: index.php');
            }
        } else {
            array_push($errors, "Wrong username/password combination");
        }
    }
}

if (isset($_POST['login_btn'])) {
    $username = mysqli_real_escape_string($db, $_POST['username']);
    $password = mysqli_real_escape_string($db, $_POST['password']);

    if (count($errors) == 0) {
        $password = md5($password);

        $query = "SELECT * FROM request WHERE username='$username' AND password = '$password'";
        $check_user = mysqli_query($db, $query);

        if (mysqli_num_rows($check_user) == 1) {
            $approved_by_admin = mysqli_fetch_assoc($check_user);
            if ($approved_by_admin["status"] == 'approved') {
                echo '<script type="text/javascript">';
                echo 'alert("Login Success!")';
                echo 'window.location.href = "index.php"';
                echo '</script>';
            } elseif ($approved_by_admin["status"] == 'pending') {
                echo '<script type="text/javascript">';
                echo 'alert("Your account is still pending for approval!")';
                echo 'window.location.href = "login.php"';
                echo '</script>';
            }
        } else {
            echo "Wrong Combination";
        }
    }
}

My query for approve and pending is not working.

If I remove the query for admin, employee and user it will work, but this will not work: echo 'window.location.href = "index.php"';

Basically my code is not working since it will just continue to log in even if the user's status is pending and not approved by the admin.

The 2nd part of if (isset($_POST['login_btn'])) { for pending and approve is not working.

CodePudding user response:

You need to integrate the test for approval into the existing login process. It makes no sense to have two separate sets of code, because

a) it's inefficient to query the same data twice from the database, and b) the first part of the code will have already set up the redirects before you even start checking with the second part.

This will make more sense, I think:

if (isset($_POST['login_btn'])) {
    $username = mysqli_real_escape_string($db, $_POST['username']);
    $password = mysqli_real_escape_string($db, $_POST['password']);

    if (empty($username)) {
        array_push($errors, "Username is Required");
    }
    if (empty($password)) {
        array_push($errors, "Password is Required");
    }

    if (count($errors) == 0) {
        $password = md5($password);

        // One query serves both the login and the approval check
        $query = "SELECT * FROM request WHERE username='$username' AND password='$password' ";
        $results = mysqli_query($db, $query);

        if (mysqli_num_rows($results) == 1) {
            $logged_in_user = mysqli_fetch_assoc($results);
            if ($logged_in_user['user_type'] == 'admin') {
                $_SESSION['user'] = $logged_in_user;
                $_SESSION['success'] = "Welcome Admin";
                header('location: admin/home.php');
                exit();
            } elseif ($logged_in_user['user_type'] == 'employee') {
                $_SESSION['user'] = $logged_in_user;
                $_SESSION['success'] = "Welcome Employee";
                header('location: admin/employee.php');
                exit();
            } else {
                // Ordinary users only get a session once an admin has approved them
                if ($logged_in_user["status"] == 'approved') {
                    $_SESSION['user'] = $logged_in_user;
                    $_SESSION['success'] = "Welcome User";
                    header('location: index.php');
                    exit();
                } else {
                    echo '<script type="text/javascript">';
                    echo 'alert("Your account is still waiting for approval!")';
                    echo 'window.location.href = "login.php"';
                    echo '</script>';
                }
            }
        } else {
            array_push($errors, "Wrong username/password combination");
        }
    }
}

P.S. You should always exit(); immediately after you set a Location header, then there is no danger of protected content being accidentally leaked from later in the script.

P.P.S. Please don't store passwords using the obsolete, insecure md5 algorithm - that is a security risk. Learn about PHP's built-in, up-to-date, secure password hashing and verification functions instead.

P.P.P.S. While mysqli_real_escape_string will protect against most SQL injections, it's not foolproof. Prepared statements and parameters are a more secure and up-to-date way to write queries safely. See How can I prevent SQL injection in PHP for a thorough guide.
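Putting the three postscripts together, here is the same login handler rewritten the way the answer recommends. This is an added example, not the answer's own code: it assumes $db is an open mysqli connection with the mysqlnd driver (needed for mysqli_stmt_get_result), that session_start() has already run, and that the `password` column of `request` holds hashes produced by password_hash() rather than md5.

```php
<?php
// Added example: one prepared-statement query, password_verify() instead of md5,
// the approval check folded into the same flow, and exit() after every redirect.
// Assumptions: $db is a live mysqli handle, session_start() has run, and
// `request`.`password` stores password_hash() output.
$errors = [];

if (isset($_POST['login_btn'])) {
    $username = trim($_POST['username'] ?? '');
    $password = $_POST['password'] ?? '';

    if ($username === '') {
        $errors[] = "Username is Required";
    }
    if ($password === '') {
        $errors[] = "Password is Required";
    }

    if (count($errors) === 0) {
        // The username is bound as a parameter, never concatenated into the SQL,
        // so no escaping is needed and no injection is possible through it.
        $stmt = mysqli_prepare($db,
            "SELECT user_type, status, password FROM request WHERE username = ? LIMIT 1");
        mysqli_stmt_bind_param($stmt, 's', $username);
        mysqli_stmt_execute($stmt);
        $row = mysqli_fetch_assoc(mysqli_stmt_get_result($stmt)); // null if no such user
        mysqli_stmt_close($stmt);

        // Same message for unknown user and wrong password, so the response
        // does not reveal which usernames exist.
        if ($row === null || !password_verify($password, $row['password'])) {
            $errors[] = "Wrong username/password combination";
        } elseif (!in_array($row['user_type'], ['admin', 'employee'], true)
                  && $row['status'] !== 'approved') {
            // Ordinary users get no session at all until an admin approves them.
            $errors[] = "Your account is still waiting for approval!";
        } else {
            unset($row['password']);               // never keep the hash in the session
            $targets = ['admin'    => ['admin/home.php',     'Welcome Admin'],
                        'employee' => ['admin/employee.php', 'Welcome Employee']];
            [$location, $greeting] = $targets[$row['user_type']] ?? ['index.php', 'Welcome User'];
            $_SESSION['user']    = $row;
            $_SESSION['success'] = $greeting;
            header('Location: ' . $location);
            exit();                                // nothing after the redirect is ever sent
        }
    }
}
```

Any error collected in $errors is shown by the login form as before; the one behavioural difference from the original is that a pending user never receives a session, so there is nothing for the second block of code to undo.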
