I am creating a website where there are three different levels of access
In the login form, I managed to check if the password(SHA1) matches the one in the database (which is encrypted), but didn't check the user id.
When the user or staff / admin are registered, their details are stored into separate tables which have more details( Name, DateOfBirth, ... ).
how would I implement this in my code?
$result = mysql_query( $qs ) or die( mysql_error() );
while( $row = mysql_fetch_array( $result ) ){
$stored_password = $row['Password'];
if( $stored_password == sha1( $pw ) ){
$_SESSION['Status'] = $row['Status'];
if( $_SESSION['Status'] == 0 ){
echo "<h1>User Menu Loading...</h1>";
echo"<META HTTP-EQUIV='Refresh' Content='1;URL=http://***/'>";
}else{
echo "<h1>Incorrect Password.</h1>";
echo"<META HTTP-EQUIV='Refresh' Content='1;URL=http://**/login.php'>";
}
}
Is there a way all these three types of users can login via the login page and can retrieve the data from two different tables?
I have tried many ways but keep getting a blank screen or it says
incorrect password
even though the password is correct.
variables
$un = $_POST['User_ID'];
$sf = $_POST['Staff_ID'];
$pw = $_POST['Password'];
$st = $_POST['Status'];
if not then I think I should create separate login areas.
thank you ( I am currently changing mysql to mysqli )
ADDED MOST RECENT TRY OF $qs
$qs="SELECT Cadets.Cadet_ID, Cadets.Password, Cadets.Status,
Staff.Staff_ID, Staff.Password, Staff.Status,
FROM Cadets, Staff
WHERE Cadets.Cadet_ID ='$un' AND Staff.Staff_ID = '$sf'";
I'll update my answer as you edit your question to include more info.
A) You should not use the mysql library, as it is insecure and deprecated (soon to be removed): Why shouldn't I use mysql_* functions in PHP? You should use mysqli or PDO library.
B) sha1 is not secure, you should use something like password_hash() or crypt() but I guess sha1 is fine for educational purposes.
C) Question 1: You don't need to check for the ID.
You use while ($row = mysql_fetch_array($result)) { but since you are looking for a unique username/combination, there should only be one result or none:
if ($record = mysql_fetch_array($result)) {
You seem to be only checking if the password is correct, but you should really be checking for a unique combination of username AND password (what if two users have the same passwords? sha1() is not helping you there.
So you should have something like:
$qs = "SELECT * FROM users WHERE username = '$username' AND password = '" . sha1($pw) ."'"
Or if you use the actual staff ID as the username:
$qs = "SELECT * FROM users WHERE username = '$id' AND password = '" . sha1($pw) ."'"
D) You won't be able to see this message echo "<h1>User Menu Loading...</h1>"; as you have a redirect immediately after
E) Question 2: you need to clarify a bit more, are there 2 or 3 tables (since you mention there are 3 types of users).