View Single Post
  #1 (permalink)  
Old July 2nd, 2015, 04:25 PM
Arioch9000 Arioch9000 is offline
Registered User
Points: 10, Level: 1
Points: 10, Level: 1 Points: 10, Level: 1 Points: 10, Level: 1
Activity: 0%
Activity: 0% Activity: 0% Activity: 0%
 
Join Date: Oct 2014
Location: Alexandria, VA
Posts: 2
Thanks: 0
Thanked 0 Times in 0 Posts
Default Conditional Statement Problem

All:

My conditional statement isn't working properly and I could really use a second set of eyes on this. Basically I have a log in

page. When people log in their user name and password is compared to a db table. Both are verified by a row count, if there's 0

rows produced by the query they are redirected to log in page with an error message. If the count is >= 1 then the script is

supposed to get their role from the same table containing user name and password. Then there are a series of conditional statements

such that if their role is just "user" they are directed to a page for just a user. If their role is not "user" (i.e. Approver or

Administrator), they are redirected to a different page with more functionality. However, my conditional statement is evaluating

every log in as "not a user" so that users are being directed to the page with more functionality that I don't want them to be able

to access.

I'm not quite a beginner anymore but not quite a intermediate either. Also, my organization uses an older version of php so I still

have to use mysql_query versus mysqli_query. I've tried using mysqli and I get an undefined function error. Additionally, this

little app I'm building is on a closed network and will only be used by a very, very small number of people who haven't the slightest

clue how to hack a site so I'm more focused on getting the functionality I need versus guarding against cyber attack.

If you can help and live in the northern virginia area I'll buy you a banana split if you can help me figure this out.

Thanks!


Here is my code.



Code:
<?php
session_start();
ob_start();

/*Receives user input username and password from log-in script and assigns to variables*/
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];

/*SQL injection countermeasures*/
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);


$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);

$sql = "SELECT * FROM members WHERE username='$myusername' AND password='$mypassword'";
$result = mysql_query($sql);

/*Next, count the number of rows generated by the query.  If 1 or more, then username and password are confirmed.  If 0, then the 

user entered an invalid username/password combination and is redirected to a error message log-in page.*/

$count=mysql_num_rows($result);

/*If result matched $username and $mypassword, table row must be 1 or more rows.  Then getting the user role from the query, cycle 

through the conditional statements in order to direct the user to the proper page and register the user name as a session variable.  

This is where the conditional statement is evaluating everyone as "not a user" and sending them to the page with the higher 

functionality that I don't want them to see*/

if ($count>=1 && $result['role'] == 'User')

    {
      $_SESSION['myusername']=$myusername;
      header("location:NonApproverPlanSelect.php");
    }

elseif ($count>=1 && $result['role'] != 'User')

    {
      $_SESSION['myusername']=$myusername;
      header("location:ApproverPlanSelect.php");
    }

else

    {
      header("location:bad_login.php");  
    }  

ob_end_flush();

?>
Reply With Quote