I am having troubles with a PHP login script which checks if you A.) Have registered then B.) Have you clicked the activation link (this is called active in my database)
function login($email, $password, $mysqli, $active) {
// Using prepared statements means that SQL injection is not possible.
if ($stmt = $mysqli->prepare("SELECT id, username, password, hash, active
FROM members
WHERE email = ? LIMIT 1")) {
$stmt->bind_param('s', $email); // Bind "$email" to parameter.
$stmt->execute(); // Execute the prepared query.
$stmt->store_result();
// get variables from result.
$stmt->bind_result($user_id, $username, $db_password, $salt, $active);
$stmt->fetch();
// hash the password with the unique salt.
$password = hash('sha512', $password . $salt);
if ($stmt->num_rows == 1) {
// If the user exists we check if the account is locked
// from too many login attempts
if (checkbrute($user_id, $mysqli) == true) {
// Account is locked
// Send an email to user saying their account is locked
return false;
} else {
// Check if the password in the database matches
// the password the user submitted.
if ($db_password == $password) {
// Password is correct!
// Get the user-agent string of the user.
$user_browser = $_SERVER['HTTP_USER_AGENT'];
// XSS protection as we might print this value
$user_id = preg_replace("/[^0-9]+/", "", $user_id);
$_SESSION['user_id'] = $user_id;
// XSS protection as we might print this value
$username = preg_replace("/[^a-zA-Z0-9_\-]+/", "", $username);
$_SESSION['username'] = $username;
$_SESSION['login_string'] = hash('sha512', $password . $user_browser);
if ($actve != 1){
return false;
header("location ../error.php?err=Account not activated");
exit();
}else{
return true;
header("location ../index.php");
exit();
}
// Login successful.
return true;
} else {
// Password is not correct
// We record this attempt in the database
$now = time();
if (!$mysqli->query("INSERT INTO login_attempts(user_id, time)
VALUES ('$user_id', '$now')")) {
header("Location: ../error.php?err=Database error: login_attempts");
exit();
}
return false;
}
}
} else {
// No user exists.
return false;
}
} else {
// Could not create a prepared statement
header("Location: ../error.php?err=Database error: cannot prepare statement");
exit();
}
}
function checkbrute($user_id, $mysqli) {
// Get timestamp of current time
$now = time();
// All login attempts are counted from the past 2 hours.
$valid_attempts = $now - (2 * 60 * 60);
if ($stmt = $mysqli->prepare("SELECT time
FROM login_attempts
WHERE user_id = ? AND time > '$valid_attempts'")) {
$stmt->bind_param('i', $user_id);
// Execute the prepared query.
$stmt->execute();
$stmt->store_result();
// If there have been more than 5 failed logins
if ($stmt->num_rows > 5) {
return true;
} else {
return false;
}
} else {
// Could not create a prepared statement
header("Location: ../error.php?err=Database error: cannot prepare statement");
exit();
}
}
yes, I know I am using a template from wikihow. But somewhere in the code even if I set active to 0 or 1 in MySQL it logs you in whatever the value is but has an error msg account not activated. I do not know if there is a return true/false statement missing and I have been troubleshooting for days with no avail.
Without seeing how the login method is used it's hard to know for sure, but based on what you have shared the next thing I would try would be:
correct the typo if ($actve != 1){
Move the three calls that set username user_id and login_string on the $_SESSION in to the else block so that they only get set in the case of the password matching AND the $active variable being 1.
See what happens then.
Related
I am new to development and the last 3 days i have been spending on a piece of code i wrote. This is what it needs to do: It needs to check of the email &password are filled in on the log in form. It also has to check if the data base is set to 'active'. $row returns a boolean. So how is it possible that I get redirected to the error page wether the status in the database is set to active or not?
Can somebody explain and talk me through the code and on what I am doing wrong? I have been searching the internet but can't find the right answer. This is my code:
<?php
include_once 'db_connect.php';
include_once 'functions.php';
sec_session_start(); // Our custom secure way of starting a PHP session.
error_reporting(E_ALL);
ini_set('display_erros', 1);
if (isset($_POST['email'], $_POST['p'])) {
$email = $_POST['email'];
$password = $_POST['p']; // The hashed password.
$query = "SELECT * FROM `members` WHERE `email` = '$email'AND status = 1 LIMIT 1";
$result = mysqli_query($mysqli, "SELECT COUNT(`ID`) AS count FROM members WHERE email='$email' AND `status`='1'");
$row = mysqli_fetch_assoc($result);
var_dump($row['count'] < 1);
if (login($email, $password, $mysqli) === true && $row === true) {
// Login success
header('Location: ../index2.php');
} else {
// Login failed
header('Location: ../index.php?error=1');
}
} else {
// The correct POST variables were not sent to this page.
echo 'Invalid Request';
}
function login($email, $password, $mysqli) {
// Using prepared statements means that SQL injection is not possible.
if ($stmt = $mysqli->prepare("SELECT id, username, password, salt
FROM members
WHERE email = ?
LIMIT 1")) {
$stmt->bind_param('s', $email); // Bind "$email" to parameter.
$stmt->execute(); // Execute the prepared query.
$stmt->store_result();
// get variables from result.
$stmt->bind_result($user_id, $username, $db_password, $salt);
$stmt->fetch();
// hash the password with the unique salt.
$password = hash('sha512', $password . $salt);
if ($stmt->num_rows == 1) {
// If the user exists we check if the account is locked
// from too many login attempts
if (checkbrute($user_id, $mysqli) == true) {
// Account is locked
// Send an email to user saying their account is locked
return false;
} else {
// Check if the password in the database matches
// the password the user submitted.
if ($db_password == $password) {
// Password is correct!
// Get the user-agent string of the user.
$user_browser = $_SERVER['HTTP_USER_AGENT'];
// XSS protection as we might print this value
$user_id = preg_replace("/[^0-9]+/", "", $user_id);
$_SESSION['user_id'] = $user_id;
// XSS protection as we might print this value
$username = preg_replace("/[^a-zA-Z0-9_\-]+/",
"",
$username);
$_SESSION['username'] = $username;
$_SESSION['login_string'] = hash('sha512',
$password . $user_browser);
// Login successful.
return true;
} else {
// Password is not correct
// We record this attempt in the database
$now = time();
$mysqli->query("INSERT INTO login_attempts(user_id, time)
VALUES ('$user_id', '$now')");
return false;
}
}
} else {
// No user exists.
return false;
}
}
}
function checkbrute($user_id, $mysqli) {
// Get timestamp of current time
$now = time();
// All login attempts are counted from the past 2 hours.
$valid_attempts = $now - (2 * 60 * 60);
if ($stmt = $mysqli->prepare("SELECT time
FROM login_attempts
WHERE user_id = ?
AND time > '$valid_attempts'")) {
$stmt->bind_param('i', $user_id);
// Execute the prepared query.
$stmt->execute();
$stmt->store_result();
// If there have been more than 5 failed logins
if ($stmt->num_rows > 5) {
return true;
} else {
return false;
}
}
}
function login_check($mysqli) {
// Check if all session variables are set
if (isset($_SESSION['user_id'],
$_SESSION['username'],
$_SESSION['login_string'])) {
$user_id = $_SESSION['user_id'];
$login_string = $_SESSION['login_string'];
$username = $_SESSION['username'];
// Get the user-agent string of the user.
$user_browser = $_SERVER['HTTP_USER_AGENT'];
if ($stmt = $mysqli->prepare("SELECT password
FROM members
WHERE id = ? LIMIT 1")) {
// Bind "$user_id" to parameter.
$stmt->bind_param('i', $user_id);
$stmt->execute(); // Execute the prepared query.
$stmt->store_result();
if ($stmt->num_rows == 1) {
// If the user exists get variables from result.
$stmt->bind_result($password);
$stmt->fetch();
$login_check = hash('sha512', $password . $user_browser);
if ($login_check == $login_string) {
// Logged In!!!!
return true;
} else {
// Not logged in
return false;
}
} else {
// Not logged in
return false;
}
} else {
// Not logged in
return false;
}
} else {
// Not logged in
return false;
}
}
function esc_url($url) {
if ('' == $url) {
return $url;
}
$url = preg_replace('|[^a-z0-9-~+_.?#=!&;,/:%#$\|*\'()\\x80-\\xff]|i', '', $url);
$strip = array('%0d', '%0a', '%0D', '%0A');
$url = (string) $url;
$count = 1;
while ($count) {
$url = str_replace($strip, '', $url, $count);
}
$url = str_replace(';//', '://', $url);
$url = htmlentities($url);
$url = str_replace('&', '&', $url);
$url = str_replace("'", ''', $url);
if ($url[0] !== '/') {
// We're only interested in relative links from $_SERVER['PHP_SELF']
return '';
} else {
return $url;
}
}
It seems to work now. I fixed a little bit of the code. And now I'm trying to use mysqli_real_escape_string to prevent SQL injection. Im reading up on SQL injection but I still have a lot to learn. What I did is change the database settings and instead of $row['status'] === true. I changed it to $row['status'] === NULL. I changed it in this way because vardump on status when activated returnen NULL.
if (isset($_POST['email'], $_POST['p'])) {
$email = $_POST['email'];
$password = $_POST['p']; // The hashed password.
$query = "SELECT * FROM `members` WHERE `email` = '". mysqli_real_escape_string($mysqli,$email) ."'AND status = 1 LIMIT 1";
// check the changes around $email and mysqli_real_escape_string use to prevent SQL Injection
$result = mysqli_query($mysqli,$query) or die(mysqli_error($mysqli)); // execute previous written query
$row = mysqli_fetch_assoc($result); // fetch record
//var_dump($row['status'] < 1);
if ($row['status'] === NULL && login($email, $password, $mysqli) === true) {
// Login success
header('Location: ../index2.php');
} else {
// Login failed
header('Location: ../index.php?error=1');
}
} else {
// The correct POST variables were not sent to this page.
echo 'Invalid Request';
}
This question already has answers here:
PHP parse/syntax errors; and how to solve them
(20 answers)
Closed 7 years ago.
I'm receiving the following error from the PHP compiler-
Parse error: syntax error, unexpected 'else' (T_ELSE) in C:\wamp\www\project alpha\functions.php
I've commented the else statement with-//ERROR ON THIS ELSE STATEMENT in the code below. But I can't work out why it is failing.
Can you see a problem with the code?
function login($email, $password, $mysqli) {
// Using prepared statements means that SQL injection is not possible.
if ($stmt = $mysqli - > prepare("SELECT carer_id, username, password
FROM carers
WHERE email = ?
LIMIT 1")) {
$stmt - > bind_param('s', $email); // Bind "$email" to parameter.
$stmt - > execute(); // Execute the prepared query.
$stmt - > store_result();
// get variables from db result.
$stmt - > bind_result($user_id, $username, $db_password);
$stmt - > fetch();
if ($stmt - > num_rows == 1) {
// If the user exists we check if the account is locked
// from too many login attempts
if (checkbrute($user_id, $mysqli) == true) {
// Account is locked
// Send an email to user saying their account is locked
return false;
} else {
// Check if the plain textpassword verified against hashed password in the database (not ==)
if (password_verify($password, $db_password)) {
// Password is correct!
// Get the user-agent string of the user.
$user_browser = $_SERVER['HTTP_USER_AGENT'];
// XSS protection as we might print this value
$user_id = preg_replace("/[^0-9]+/", "", $user_id);
$_SESSION['user_id'] = $user_id;
// XSS protection as we might print this value
$username = preg_replace("/[^a-zA-Z0-9_\-]+/",
"",
$username);
$_SESSION['username'] = $username;
$_SESSION['login_string'] = password_hash($db_password.$user_browser, PASSWORD_BCRYPT);
// Login successful.
return true;
} else { //ERROR ON THIS ELSE STATEMENT
// Password is not correct
// We record this attempt in the database
$now = time();
$mysqli - > query("INSERT INTO login_attempts(user_id, time)
VALUES ('$user_id', '$now')");
return false;
}
}
} else {
// No user exists.
return false;
}
}
}
The previous else part is not ended before this else. Close the previous else.
.............
} else {
// Check if the plain textpassword verified against hashed password in the database (not ==)
if (password_verify($password, $db_password)) {
// Password is correct!
// Get the user-agent string of the user.
$user_browser = $_SERVER['HTTP_USER_AGENT'];
// XSS protection as we might print this value
$user_id = preg_replace("/[^0-9]+/", "", $user_id);
$_SESSION['user_id'] = $user_id;
// XSS protection as we might print this value
$username = preg_replace("/[^a-zA-Z0-9_\-]+/",
"",
$username);
$_SESSION['username'] = $username;
$_SESSION['login_string'] = password_hash($db_password . $user_browser, PASSWORD_BCRYPT);
// Login successful.
return true;
}
} else { //ERROR ON THIS ELSE STATEMENT
// Password is not correct
// We ...............
I committed a HUGE sin and did some copy and paste programming. I know, I know. BAD programmer! Unfortunately, I am not well versed in PHP and MySQL (although I have enrolled in several Udemy classes to remedy that), and I needed a log in system right away. So, I used the tut found here. Now, it works great, but I need the page to redirect to a user specific page on log in, instead of to a single static page as found in the tut.
I added a column to my database at the end called page and populated it with the full URL I want for each user, and tried to change the code to get the value of the page column along with several other solutions from my little knowledge of PHP and things I found online and on SO, but I cannot seem to get the value from the database column "page" for the redirect. It just shows a blank page.
Here is the code that seems to be relevant:
<?php
include_once 'db_connect.php';
include_once 'functions.php';
sec_session_start();
if (isset($_POST['email'], $_POST['p'])) {
$email = $_POST['email'];
$password = $_POST['p'];
if (login($email, $password, $mysqli) == true) {
// Login success
header('Location: ../selection.php');
exit();
} else {
// Login failed
header('Location: ../error.php?error=1');
}
} else {
// The correct POST variables were not sent to this page.
echo 'Invalid Request';
}
and (I am not actually sure if this is relevant, but I didn't want anyone to have to go to the tutorial if I could prevent it)
<?php
include_once 'psl-config.php';
function sec_session_start() {
$session_name = 'sec_session_id'; // Set a custom session name
$secure = SECURE;
// This stops JavaScript being able to access the session id.
$httponly = true;
// Forces sessions to only use cookies.
if (ini_set('session.use_only_cookies', 1) === FALSE) {
header("Location: ../error.php?err=Could not initiate a safe session (ini_set)");
exit();
}
// Gets current cookies params.
$cookieParams = session_get_cookie_params();
session_set_cookie_params($cookieParams["lifetime"],
$cookieParams["path"],
$cookieParams["domain"],
$secure,
$httponly);
// Sets the session name to the one set above.
session_name($session_name);
session_start(); // Start the PHP session
session_regenerate_id(); // regenerated the session, delete the old one.
}
function login($email, $password, $mysqli) {
// Using prepared statements means that SQL injection is not possible.
if ($stmt = $mysqli->prepare("SELECT id, username, password, salt
FROM members
WHERE email = ?
LIMIT 1")) {
$stmt->bind_param('s', $email); // Bind "$email" to parameter.
$stmt->execute(); // Execute the prepared query.
$stmt->store_result();
// get variables from result.
$stmt->bind_result($user_id, $username, $db_password, $salt);
$stmt->fetch();
// hash the password with the unique salt.
$password = hash('sha512', $password . $salt);
if ($stmt->num_rows == 1) {
// If the user exists we check if the account is locked
// from too many login attempts
if (checkbrute($user_id, $mysqli) == true) {
// Account is locked
// Send an email to user saying their account is locked
return false;
} else {
// Check if the password in the database matches
// the password the user submitted.
if ($db_password == $password) {
// Password is correct!
// Get the user-agent string of the user.
$user_browser = $_SERVER['HTTP_USER_AGENT'];
// XSS protection as we might print this value
$user_id = preg_replace("/[^0-9]+/", "", $user_id);
$_SESSION['user_id'] = $user_id;
// XSS protection as we might print this value
$username = preg_replace("/[^a-zA-Z0-9_\-]+/",
"",
$username);
$_SESSION['username'] = $username;
$_SESSION['login_string'] = hash('sha512',
$password . $user_browser);
// Login successful.
return true;
} else {
// Password is not correct
// We record this attempt in the database
$now = time();
$mysqli->query("INSERT INTO login_attempts(user_id, time)
VALUES ('$user_id', '$now')");
return false;
}
}
} else {
// No user exists.
return false;
}
}
}
function checkbrute($user_id, $mysqli) {
// Get timestamp of current time
$now = time();
// All login attempts are counted from the past 2 hours.
$valid_attempts = $now - (2 * 60 * 60);
if ($stmt = $mysqli->prepare("SELECT time
FROM login_attempts
WHERE user_id = ?
AND time > '$valid_attempts'")) {
$stmt->bind_param('i', $user_id);
// Execute the prepared query.
$stmt->execute();
$stmt->store_result();
// If there have been more than 5 failed logins
if ($stmt->num_rows > 5) {
return true;
} else {
return false;
}
}
}
function login_check($mysqli) {
// Check if all session variables are set
if (isset($_SESSION['user_id'],
$_SESSION['username'],
$_SESSION['login_string'])) {
$user_id = $_SESSION['user_id'];
$login_string = $_SESSION['login_string'];
$username = $_SESSION['username'];
// Get the user-agent string of the user.
$user_browser = $_SERVER['HTTP_USER_AGENT'];
if ($stmt = $mysqli->prepare("SELECT password
FROM members
WHERE id = ? LIMIT 1")) {
// Bind "$user_id" to parameter.
$stmt->bind_param('i', $user_id);
$stmt->execute(); // Execute the prepared query.
$stmt->store_result();
if ($stmt->num_rows == 1) {
// If the user exists get variables from result.
$stmt->bind_result($password);
$stmt->fetch();
$login_check = hash('sha512', $password . $user_browser);
if ($login_check == $login_string) {
// Logged In!!!!
return true;
} else {
// Not logged in
return false;
}
} else {
// Not logged in
return false;
}
} else {
// Not logged in
return false;
}
} else {
// Not logged in
return false;
}
}
function esc_url($url) {
if ('' == $url) {
return $url;
}
$url = preg_replace('|[^a-z0-9-~+_.?#=!&;,/:%#$\|*\'()\\x80-\\xff]|i', '', $url);
$strip = array('%0d', '%0a', '%0D', '%0A');
$url = (string) $url;
$count = 1;
while ($count) {
$url = str_replace($strip, '', $url, $count);
}
$url = str_replace(';//', '://', $url);
$url = htmlentities($url);
$url = str_replace('&', '&', $url);
$url = str_replace("'", ''', $url);
if ($url[0] !== '/') {
// We're only interested in relative links from $_SERVER['PHP_SELF']
return '';
} else {
return $url;
}
}
I looked at the PHP.net docs, and have tried several solutions I found online, but nothing I have found seems to be working. Do I need to create a function for this? I know I need a better fundamental knowledge of PHP and MySQL for sure.
Let me know if you need more info on this.
Thanks!
Change your login function to also get the page-column (SELECT id, ..., page FROM ...)
Next, change the bind_result: add a parameter after $salt: ..., $salt, $page
Change the return true to return $page;
Now back in your script that calls the login function, change
if (login($email, $password, $mysqli) == true) {
// Login success
header('Location: ../selection.php');
to
$page = login($email, $password, $mysqli);
if ($page !== false) {
// Login success
header('Location: '. $page);
Make sure that your page-column contains valid values at all times though.
I'm trying to make a login script for a project that I have. I came accross an open source and i typed some and copy/paste some. I went through the whole thing. I found that the login Function on the if statement where it says mysql->prepare is just skipping. I do not know if it is something with the database or an error on the script.
The place where I got the script was this
http://www.wikihow.com/Create-a-Secure-Login-Script-in-PHP-and-MySQL
my test page is ertechs.t15.org is the login.php for logging in.
username is test_user#example.com and the password is 6ZaxN2Vzm9NUJT2y.
Thanks in advance.
and this is where i'm having the problem. this function
function login($email, $password, $mysqli) {
echo "Function login";
// Using prepared statements means that SQL injection is not possible.
$prep_smt = "SELECT id, username, password, salt FROM members WHERE email = ? LIMIT 1";
$smt = $mysqli->prepare($prep_smt);
if ($stmt)
{
echo "Tst passed";
$stmt->bind_param('s', $email); // Bind "$email" to parameter.
$stmt->execute(); // Execute the prepared query.
$stmt->store_result();
// get variables from result.
$stmt->bind_result($user_id, $username, $db_password, $salt);
$stmt->fetch();
// hash the password with the unique salt.
$password = hash('sha512', $password . $salt);
echo "password= =".$password;
if ($stmt->num_rows == 1) {
echo "row";
// If the user exists we check if the account is locked
// from too many login attempts
if (checkbrute($user_id, $mysqli) == true) {
echo "brute true";
// Account is locked
// Send an email to user saying their account is locked
return false;
} else {
echo "pass match";
// Check if the password in the database matches
// the password the user submitted.
if ($db_password == $password) {
echo "pass correct";
// Password is correct!
// Get the user-agent string of the user.
$user_browser = $_SERVER['HTTP_USER_AGENT'];
// XSS protection as we might print this value
$user_id = preg_replace("/[^0-9]+/", "", $user_id);
$_SESSION['user_id'] = $user_id;
// XSS protection as we might print this value
$username = preg_replace("/[^a-zA-Z0-9_\-]+/",
"",
$username);
$_SESSION['username'] = $username;
$_SESSION['login_string'] = hash('sha512',
$password . $user_browser);
// Login successful.
return true;
} else {
echo "Password Failed";
// Password is not correct
// We record this attempt in the database
$now = time();
$mysqli->query("INSERT INTO login_attempts(user_id, time)
VALUES ('$user_id', '$now')");
return false;
}
}
} else {
echo "user doesnt exist";
// No user exists.
return false;
}
echo "whatever";
}
echo "end Function Login";
}
$smt = $mysqli->prepare($prep_smt);
if ($stmt)
Notice the missing t in $stmt?
Is there anyway that I'll be able to add user access level through this process code? I have my register code, which will allow normal user to register. I will set the admin only through PHPMyAdmin. How can I define admin user access level with this process page?
CODE: login_process.php
<?php
error_reporting(E_ALL);
ini_set("display_errors", 1);
include_once 'includes/db_connect.php';
include_once 'includes/functions.php';
sec_session_start(); // Our custom secure way of starting a PHP session.
if (isset($_POST['email'], $_POST['p'])) {
$email = $_POST['email'];
$password = $_POST['p']; // The hashed password.
if (login($email, $password, $mysqli) == true) {
// Login success
header('Location: ./protected_page.php');
} else {
// Login failed
header('Location: ./index.php?error=1');
}
}
else {
// The correct POST variables were not sent to this page.
echo 'Invalid Request';
}
?>
Code: Login function
function login($email, $password, $mysqli) {
// Using prepared statements means that SQL injection is not possible.
if ($stmt = $mysqli->prepare("SELECT id, username, password, salt
FROM members
WHERE email = ?
LIMIT 1")) {
$stmt->bind_param('s', $email); // Bind "$email" to parameter.
$stmt->execute(); // Execute the prepared query.
$stmt->store_result();
// get variables from result.
$stmt->bind_result($user_id, $username, $db_password, $salt);
$stmt->fetch();
// hash the password with the unique salt.
$password = hash('sha512', $password . $salt);
if ($stmt->num_rows == 1) {
// If the user exists we check if the account is locked
// from too many login attempts
if (checkbrute($user_id, $mysqli) == true) {
// Account is locked
// Send an email to user saying their account is locked
return false;
} else {
// Check if the password in the database matches
// the password the user submitted.
if ($db_password == $password) {
// Password is correct!
// Get the user-agent string of the user.
$user_browser = $_SERVER['HTTP_USER_AGENT'];
// XSS protection as we might print this value
$user_id = preg_replace("/[^0-9]+/", "", $user_id);
$_SESSION['user_id'] = $user_id;
// XSS protection as we might print this value
$username = preg_replace("/[^a-zA-Z0-9_\-]+/",
"",
$username);
$_SESSION['username'] = $username;
$_SESSION['login_string'] = hash('sha512',
$password . $user_browser);
// Login successful.
return true;
} else {
// Password is not correct
// We record this attempt in the database
$now = time();
$mysqli->query("INSERT INTO login_attempts(user_id, time)
VALUES ('$user_id', '$now')");
return false;
}
}
} else {
// No user exists.
return false;
}
}
}
Example Code:
if (login($username="admin_username") {
// Login admin success
header('Location: ./protected_page.php');
} else (login($email, $password, $mysqli) == true){
// Login success
header('Location: ./user.php');
}
} else {
// Login failed
header('Location: ./index.php?error=1');
}
Well, it depends on how you are storing the data in your database but if your user table has columns : user_name, password, user_type.
when you check if user_name and the password match on your login function you could do :
SELECT user_name, password, user_type FROM users WHERE user_name = '".$email."' AND password = '".$password"'";
Then you check the number of returned rows, if 0 is returned then the credentials don't match, you don't log the user in. If they match, then you can use the user_level to redirect where you want.
If you can post your login function I could explain you showing the changes to do into the code.
edit : adding fixed functions after he posted he login function.
Login validation :
include_once 'includes/db_connect.php';
include_once 'includes/functions.php';
sec_session_start(); // Our custom secure way of starting a PHP session.
if (isset($_POST['email'], $_POST['p'])) {
$email = $_POST['email'];
$password = $_POST['p']; // The hashed password.
if (login($email, $password, $mysqli) == true) {
// Login success
//Redirecting to admin protected page for instance
if( isset($_session['user_type']) and $_session['user_type'] == 'admin' )
header('Location: ./protected_page.php');
else {
//redirect to normal logged user
header('Location: ./normal_user_logged.php');
}
} else {
// Login failed
header('Location: ./index.php?error=1');
}
}
else {
// The correct POST variables were not sent to this page.
echo 'Invalid Request';
}
?>
Login function :
function login($email, $password, $mysqli) {
// Using prepared statements means that SQL injection is not possible.
if ($stmt = $mysqli->prepare("SELECT id, username, password, salt, user_type
FROM members
WHERE email = ?
LIMIT 1")) {
$stmt->bind_param('s', $email); // Bind "$email" to parameter.
$stmt->execute(); // Execute the prepared query.
$stmt->store_result();
// get variables from result.
$stmt->bind_result($user_id, $username, $db_password, $salt, $user_type);
$stmt->fetch();
// hash the password with the unique salt.
$password = hash('sha512', $password . $salt);
if ($stmt->num_rows == 1) {
// If the user exists we check if the account is locked
// from too many login attempts
if (checkbrute($user_id, $mysqli) == true) {
// Account is locked
// Send an email to user saying their account is locked
return false;
} else {
// Check if the password in the database matches
// the password the user submitted.
if ($db_password == $password) {
// Password is correct!
// Get the user-agent string of the user.
$user_browser = $_SERVER['HTTP_USER_AGENT'];
// XSS protection as we might print this value
$user_id = preg_replace("/[^0-9]+/", "", $user_id);
$_SESSION['user_id'] = $user_id;
// XSS protection as we might print this value
$username = preg_replace("/[^a-zA-Z0-9_\-]+/",
"",
$username);
$_SESSION['username'] = $username;
$_SESSION['login_string'] = hash('sha512',
$password . $user_browser);
// Login successful.
$_SESSION['user_type'] = $user_type;
return true;
} else {
// Password is not correct
// We record this attempt in the database
$now = time();
$mysqli->query("INSERT INTO login_attempts(user_id, time)
VALUES ('$user_id', '$now')");
return false;
}
}
} else {
// No user exists.
return false;
}
}
}