PindaWorld PindaWorld - 4 months ago 16
PHP Question

Stuck at the "if" for rank checking message

I am busy on a login script but i am stuck at the moment with the php code "if" line.

I want to give the rank check a own message that the user isn't allowed because he hasn't the right rank for the admin login. At this moment it gives the message of wrong username or password.

My code:

<?php
session_start();
include_once 'dbconnect.php';

if(isset($_SESSION['userSession']))
{
header("Location: home.php");
exit;
}

if(isset($_POST['btn-login']))
{
$email = $MySQLi_CON->real_escape_string(trim($_POST['user_email']));
$upass = $MySQLi_CON->real_escape_string(trim($_POST['password']));

$query = $MySQLi_CON->query("SELECT user_id, user_email, user_pass, user_rank FROM users WHERE user_email='$email'");
$row=$query->fetch_array();
if(password_verify($upass, $row['user_pass']) && ($row['user_rank'] == '2'))
{
$_SESSION['userSession'] = $row['user_id'];
header("Location: home.php");
}
else
{
$msg = "<div class='alert alert-danger'>
<span class='glyphicon glyphicon-info-sign'></span> &nbsp; email or password does not exists!
</div>";
}

$MySQLi_CON->close();

}
?>


I am a little bit new with PHP still.

Answer

Just add an if-Statement in the password check if-Statement in order to check only the rank when the password matches.

if(isset($_SESSION['userSession']))
{
    header("Location: home.php");
    exit;
}

if(isset($_POST['btn-login']))
{
    $email = $MySQLi_CON->real_escape_string(trim($_POST['user_email']));
    $upass = $MySQLi_CON->real_escape_string(trim($_POST['password']));
    $query = $MySQLi_CON->query("SELECT user_id, user_email, user_pass, user_rank FROM users WHERE user_email='$email'");
    $row = $query->fetch_array();

    if(password_verify($upass, $row['user_pass']))
    {
        if($row['user_rank'] == '2'){
            $_SESSION['userSession'] = $row['user_id'];
            header("Location: home.php");
        } else {
            echo "You need a higher rank";
        }
    }
    else
    {
        $msg = "<div class='alert alert-danger'>
                    <span class='glyphicon glyphicon-info-sign'></span> &nbsp; email or password does not exists!
                </div>";
    }

    $MySQLi_CON->close();
}
?>