I've made a login script which is working (see code below)
error_reporting(E_ALL);
ini_set('display_errors', 1);
session_start();
$db = mysqli_connect("localhost", "root", "ovlovw8", "reparatie");
if (isset($_POST['submit'])) {
$username = mysqli_real_escape_string($db, $_POST['username']);
$password = mysqli_real_escape_string($db, $_POST['password']);
$password = md5($password);
$sql = "SELECT * FROM users WHERE username='$username' AND password='$password'";
$result = mysqli_query($db, $sql);
if (mysqli_num_rows($result) == 1) {
$_SESSION['message'] = "je bent ingelogd";
$_SESSION['username'] = $username;
header("location: overzicht.php");
} else {
$_SESSION['message'] = "verkeerde inlog gegevens";
}
}
but now i want to add multiple user levels and i've made a script for that aswell but it doesnt work.
error_reporting(E_ALL);
ini_set('display_errors', 1);
session_start();
$db = mysqli_connect("localhost", "root", "ovlovw8", "reparatie");
if (isset($_POST['submit'])) {
$username = mysqli_real_escape_string($db, $_POST['username']);
$password = mysqli_real_escape_string($db, $_POST['password']);
$password = md5($password);
$sql = "SELECT * FROM users WHERE username='$username' AND password='$password'";
$result = mysqli_query($db, $sql);
if (mysqli_num_rows($result) == 1) {
switch ($role) {
case '1':
$_SESSION['message'] = "je bent ingelogd";
$_SESSION['username'] = $username;
$redirect = 'repairs.php';
break;
case '2':
$_SESSION['message'] = "je bent ingelogd";
$_SESSION['username'] = $username;
$redirect = 'lloverzicht.php';
break;
case '3':
$_SESSION['message'] = "je bent ingelogd";
$_SESSION['username'] = $username;
$redirect = 'overzicht.php';
break;
}
header('Location: '.$redirect);
}
}
its basically the same code but it doesnt redirect to the next page.
I hope someone has a suggestion or knows what im doing wrong.
First, some warnings (in accordance with this link):
Little Bobby says your script is at risk for SQL Injection Attacks. Learn about prepared statements for MySQLi. Even escaping the string is not safe! Don't believe it?
You really shouldn't use MD5 password hashes and you really should use PHP's built-in functions to handle password security. Make sure you don't escape passwords or use any other cleansing mechanism on them before hashing. Doing so changes the password and causes unnecessary additional coding.
Now to address your issue:
You need to fetch the result from your database so you can define $role:
if (mysqli_num_rows($result) == 1) {
$row = mysqli_fetch_assoc($result); // fetch the result of your query
$role = $row['role']; // assigned the value of $role
switch ($role) {
case '1':
$_SESSION['message'] = "je bent ingelogd";
$_SESSION['username'] = $username;
$redirect = 'repairs.php';
break;
case '2':
$_SESSION['message'] = "je bent ingelogd";
$_SESSION['username'] = $username;
$redirect = 'lloverzicht.php';
break;
case '3':
$_SESSION['message'] = "je bent ingelogd";
$_SESSION['username'] = $username;
$redirect = 'overzicht.php';
break;
}
header('Location: '.$redirect);
exit();
}
Once done you need to add an exit(); after the redirect so that PHP does not attempt to process any other code you may have following the redirect.