
I currently have two tables, Users and Customers, both with username and password columns. Users are created on the admin end and customers can register on the website. However, there is only one login page, and I need to be able to extract the username and password from each of the different tables and redirect the user to the correct pages respectively. Here's what we have so far:

    if (isset($_POST['submitted'])){
        unset($_POST['submitted']);
        //sanitise those inputs.
        $username = $db->quote($_POST['username']);

        //select the user with the correct name
        $q = "select users.*, customers.* from users INNER JOIN customers on customers.username=users.username WHERE users.username = $username || customers.username = $username";

        $rows = $db->query($q);

        //if the password matches then redirect
        foreach ($rows as $row) {
            if ($row["password"] == $_POST['password']) { //password matches

                //set some session variables for using later
                $_SESSION['username'] = $_POST['username'];
                $_SESSION['userid'] = $row['userid'];
                $_SESSION['customerid'] = $row['customerid'];
                $_SESSION['role'] = $row['role'];

                //redirect to either the staff or user home page based on the login
                if ($row["role"] == "customer"){
                    header( 'Location: customerHome.php' );
                } else if ($row["role"] == "staff" || $row["role"] == "admin" ) {
                    header( 'Location: staffHome.php' );
                } else {
                    header( 'Location: customerHome.php' );
                }
            }
        }

        //if the redirect doesn't happen then there was an error with the password, so display this and the form
        //echo '<h1> There was a problem with your user name or password </h1>';
        echo "<script language='javascript'>
            window.onload = function(){
                var divs = document.getElementById('error');
                divs.innerHTML = '<p style = \"color:#FF0000\">There was a problem with your username or password, please try again!</p>';
            }
            </script>";
    }

I think the issue is with the SQL statement which selects the fields, as it just keeps throwing/jumping to the error message. Thanks for the help.

Hydra
  • what's the issue with your code? – Dimi Mar 14 '17 at 20:16
  • you have error ... ? what's the problem ? – ScaisEdge Mar 14 '17 at 20:18
  • The SQL statement is incorrect I'm guessing as it isn't logging in. – Hydra Mar 14 '17 at 20:26
  • **Never store plain text passwords!** Please use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). Make sure you ***[don't escape passwords](http://stackoverflow.com/q/36628418/1011527)*** or use any other cleansing mechanism on them before hashing. Doing so *changes* the password and causes unnecessary additional coding. – Jay Blanchard Mar 14 '17 at 20:39
  • [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)***. Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard Mar 14 '17 at 20:39
  • Are all users in both tables, or can they be in just one of them? `JOIN` only returns rows that match between both tables. – Barmar Mar 14 '17 at 20:48
  • There's different users in each table, in the users table there are staff users and in the customers table is only for customers – Hydra Mar 14 '17 at 21:02
  • It's fine guys, I got it working! :D – Hydra Mar 14 '17 at 23:05

0 Answers
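The comments above point at three separate problems in the posted code: the `INNER JOIN` only returns rows whose username exists in both tables (Barmar), the query is built by string interpolation (Jay Blanchard's SQL injection comment), and passwords are compared in plain text. The block below is an added example, not the asker's code or an answer from the thread, showing one login handler that addresses all three: a `UNION ALL` across the two tables so a name in either table matches, PDO prepared statements with native (non-emulated) prepares, and `password_hash()`/`password_verify()` on the raw password. The schema (`users(userid, username, password, role)` and `customers(customerid, username, password)`), the DSN and the credentials are assumptions modelled on the question.

```php
<?php
// Added example, not the asker's code: one login form over two tables.
// Assumed schema (column names are assumptions modelled on the question):
//   users(userid, username, password, role)      -- staff/admin, created by an admin
//   customers(customerid, username, password)    -- self-registered customers
// Both password columns hold password_hash() output (VARCHAR(255)), never plain text.
declare(strict_types=1);

// Assumed DSN and credentials. Emulation is off so MySQL receives the SQL text
// and the parameter values separately; no quoting or escaping is involved.
function connect(): PDO
{
    return new PDO('mysql:host=localhost;dbname=shop;charset=utf8mb4', 'app', 'secret', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

// Customer self-registration: hash the password exactly as typed; do not
// escape, trim or otherwise "clean" it first, or the stored hash will not
// match what the user types at login.
function registerCustomer(PDO $db, string $username, string $password): void
{
    $stmt = $db->prepare('INSERT INTO customers (username, password) VALUES (:u, :p)');
    $stmt->execute([':u' => $username, ':p' => password_hash($password, PASSWORD_DEFAULT)]);
}

// Find the account in either table. UNION ALL returns a row when the name
// exists in users OR customers; the INNER JOIN in the question only returned
// rows whose username existed in both tables, so nobody could log in.
// Native prepares do not allow reusing a named placeholder, hence :u1 and :u2.
function findAccount(PDO $db, string $username): ?array
{
    $sql = "SELECT userid AS id, username, password, role
              FROM users WHERE username = :u1
            UNION ALL
            SELECT customerid AS id, username, password, 'customer' AS role
              FROM customers WHERE username = :u2";
    $stmt = $db->prepare($sql);
    $stmt->execute([':u1' => $username, ':u2' => $username]);
    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
    // The same username in both tables is ambiguous: refuse rather than guess.
    return count($rows) === 1 ? $rows[0] : null;
}

// Returns the page to redirect to on success, or null on failure.
function login(PDO $db, string $username, string $password): ?string
{
    $account = findAccount($db, $username);
    if ($account === null) {
        // Spend one hash computation anyway so an unknown username takes about
        // as long as a wrong password; otherwise response time reveals which
        // usernames exist.
        password_hash($password, PASSWORD_DEFAULT);
        return null;
    }
    if (!password_verify($password, $account['password'])) {
        return null;
    }
    // Transparent upgrade when the stored hash predates the current default
    // algorithm or cost. $table and $idcol are chosen from two literals by
    // code, never from user input, so interpolating them is safe.
    if (password_needs_rehash($account['password'], PASSWORD_DEFAULT)) {
        $table = $account['role'] === 'customer' ? 'customers' : 'users';
        $idcol = $account['role'] === 'customer' ? 'customerid' : 'userid';
        $db->prepare("UPDATE $table SET password = :p WHERE $idcol = :id")
           ->execute([':p' => password_hash($password, PASSWORD_DEFAULT), ':id' => $account['id']]);
    }
    session_regenerate_id(true);          // fresh session id once authenticated (session fixation)
    $_SESSION['username'] = $account['username'];
    $_SESSION['role']     = $account['role'];
    if ($account['role'] === 'customer') {
        $_SESSION['customerid'] = $account['id'];
        return 'customerHome.php';
    }
    $_SESSION['userid'] = $account['id'];
    return 'staffHome.php';               // staff and admin
}

// Request handling. Nothing may be echoed before header() is called.
session_start();
$error = null;
if (isset($_POST['submitted'], $_POST['username'], $_POST['password'])) {
    $target = login(connect(), (string) $_POST['username'], (string) $_POST['password']);
    if ($target !== null) {
        header('Location: ' . $target);
        exit;   // without exit the rest of the page, including the error message, still runs
    }
    // One generic message; do not say whether the username or the password was wrong.
    $error = 'There was a problem with your username or password, please try again!';
}
```

When rendering the form, print `$error` through `htmlspecialchars()` inside the `<div id="error">` rather than injecting it with an inline script. Two details differ deliberately from the question's code: the comparison uses `password_verify()` rather than `==` (so hashes, not passwords, sit in the database and loose comparison cannot be abused), and the redirect is followed by `exit`, because in the original the error script was echoed even after a successful `header('Location: ...')`.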