All:
My conditional statement isn't working properly and I could really use a second set of eyes on this. Basically I have a login
page. When people log in, their user name and password are compared to a db table. Both are verified by a row count: if there are 0
rows produced by the query, they are redirected to the login page with an error message. If the count is >= 1, then the script is
supposed to get their role from the same table containing user name and password. Then there is a series of conditional statements
such that if their role is just "user" they are directed to a page for just a user. If their role is not "user" (i.e. Approver or
Administrator), they are redirected to a different page with more functionality. However, my conditional statement is evaluating
every login as "not a user", so users are being directed to the page with more functionality that I don't want them to be able
to access.
I'm not quite a beginner anymore but not quite an intermediate either. Also, my organization uses an older version of PHP, so I still
have to use mysql_query versus mysqli_query. I've tried using mysqli and I get an undefined function error. Additionally, this
little app I'm building is on a closed network and will only be used by a very, very small number of people who haven't the slightest
clue how to hack a site, so I'm more focused on getting the functionality I need versus guarding against cyber attack.
If you can help and live in the Northern Virginia area, I'll buy you a banana split if you can help me figure this out.
Thanks!
Here is my code.
Code:
<?php
session_start();
ob_start();
/* Assumes a MySQL connection has already been opened (mysql_connect/mysql_select_db) before this
   point; mysql_real_escape_string and mysql_query both need it. */
/*Receives user input username and password from log-in script and assigns to variables*/
$myusername=$_POST['myusername'];
$mypassword=$_POST['mypassword'];
/*SQL injection countermeasures*/
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);
$sql = "SELECT * FROM members WHERE username='$myusername' AND password='$mypassword'";
$result = mysql_query($sql);
/*Next, count the number of rows generated by the query. If 1 or more, then username and password are confirmed. If 0, then the
user entered an invalid username/password combination and is redirected to an error message log-in page.*/
$count=mysql_num_rows($result);
/* $result is a MySQL result resource, not a row, so $result['role'] was always empty and the
   "!= 'User'" branch matched every login. Fetch the matching row first, then read its role column.
   If result matched $myusername and $mypassword, the row count must be 1 or more. Then, using the
   role from that row, cycle through the conditional statements in order to direct the user to the
   proper page and register the user name as a session variable. */
$row = ($count >= 1) ? mysql_fetch_assoc($result) : false;
if ($row && $row['role'] == 'User')
{
$_SESSION['myusername']=$myusername;
header("Location: NonApproverPlanSelect.php");
exit; /* stop here so nothing after the redirect header keeps running */
}
elseif ($row && $row['role'] != 'User')
{
/* Any role value other than exactly 'User' (including an empty or mistyped one) lands here. */
$_SESSION['myusername']=$myusername;
header("Location: ApproverPlanSelect.php");
exit;
}
else
{
header("Location: bad_login.php");
exit;
}
ob_end_flush();
?>
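Added example (not the original poster's code): the same routing decision written as an explicit role allowlist that denies by default, so an empty, missing or mistyped role goes to the login-error page instead of the approver page. It assumes the page names and the members.role column from the post, and the role values 'Approver' and 'Administrator' the post mentions.

```php
<?php
// Maps a role value to the page it may reach. Anything not listed is denied,
// which is the opposite of the "everything except 'User' is an approver" test.
function destination_for_role($role)
{
    $routes = array(
        'User'          => 'NonApproverPlanSelect.php',
        'Approver'      => 'ApproverPlanSelect.php',
        'Administrator' => 'ApproverPlanSelect.php',
    );
    // Unknown, empty or null roles fall through to the error page (fail closed).
    return isset($routes[$role]) ? $routes[$role] : 'bad_login.php';
}

// Takes the result of mysql_query() from the post's SELECT and decides where to send the user.
// Assumes an open mysql connection, as in the post.
function destination_for_login($result)
{
    // A result resource is not a row; fetch one before reading 'role'.
    if (!$result || mysql_num_rows($result) < 1) {
        return 'bad_login.php';
    }
    $row = mysql_fetch_assoc($result);
    return destination_for_role(isset($row['role']) ? trim($row['role']) : '');
}

// Constructed role values, no database needed. Note that 'user' (lower case) is denied
// because the comparison is exact, where the post's original test sent it to the approver page.
foreach (array('User', 'Approver', 'Administrator', 'user', '', null) as $r) {
    echo var_export($r, true) . ' -> ' . destination_for_role($r) . "\n";
}
?>
```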