user level

jauson
Forum Contributor
Posts: 111
Joined: Wed Oct 05, 2011 12:59 am

user level

Post by jauson »

Please help me boost the security of the user level access I made. Here's my script.

Code:

<?php
session_start(); // needed before $_SESSION can be written to

// Assumes a mysql_connect() link has already been opened (e.g. in an included
// config file); mysql_real_escape_string() and mysql_query() both need it.

if (isset($_POST['username']) && isset($_POST['password'])) {

    $username = $_POST['username'];
    $password = $_POST['password'];

    if (!empty($username) && !empty($password)) {

        // The password is compared as plain text against the stored value.
        $query = "SELECT * FROM `employeedetails` WHERE `username`='" . mysql_real_escape_string($username) . "' AND `password`='" . mysql_real_escape_string($password) . "' AND `access_level`='1'";
        $result = mysql_query($query);
        $rows = mysql_num_rows($result); // assign first, then compare: == binds tighter than =

        if ($rows == 1) {

            $user_id = mysql_result($result, 0, 'employeeID');
            $_SESSION['user_id'] = $user_id;
            header("Location: index.php");
            exit; // stop the script from running on after the redirect

        } else if ($rows == 0) {

            // Not an access_level 1 user; try access_level 2
            $query = "SELECT * FROM `employeedetails` WHERE `username`='" . mysql_real_escape_string($username) . "' AND `password`='" . mysql_real_escape_string($password) . "' AND `access_level`='2'";
            $result = mysql_query($query);
            $rows = mysql_num_rows($result);

            if ($rows == 1) {

                $user_id = mysql_result($result, 0, 'employeeID');
                $_SESSION['user_id'] = $user_id;
                header("Location: maindex.php");
                exit;

            } else if ($rows == 0) {

                // Not access_level 2 either; try access_level 3
                $query = "SELECT * FROM `employeedetails` WHERE `username`='" . mysql_real_escape_string($username) . "' AND `password`='" . mysql_real_escape_string($password) . "' AND `access_level`='3'";
                $result = mysql_query($query);
                $rows = mysql_num_rows($result);

                if ($rows == 1) {

                    $user_id = mysql_result($result, 0, 'employeeID');
                    $_SESSION['user_id'] = $user_id;
                    header("Location: rindex.php");
                    exit;

                } else if ($rows == 0) {

                    // Last attempt: access_level 4
                    $query = "SELECT * FROM `employeedetails` WHERE `username`='" . mysql_real_escape_string($username) . "' AND `password`='" . mysql_real_escape_string($password) . "' AND `access_level`='4'";
                    $result = mysql_query($query);
                    $rows = mysql_num_rows($result);

                    if ($rows == 1) {

                        $user_id = mysql_result($result, 0, 'employeeID');
                        $_SESSION['user_id'] = $user_id;
                        header("Location: index.php");
                        exit;

                    } else if ($rows == 0) {
                        echo 'Username and Password Not Found.';
                    }
                }
            }
        }
    } else {

        echo '<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
        <head><link type="text/css" rel="stylesheet" href="css/board.css"/></head>
        <body>
        <div class="error">
        Username and Password should not be blank.
        <div class="warning">
        <img src="images/warning.png"/>
        </div>
        </div>
        </body>
        </html>';
    }
}
Last edited by Benjamin on Fri Nov 18, 2011 4:09 am, edited 1 time in total.
Celauran
Moderator
Posts: 6427
Joined: Tue Nov 09, 2010 2:39 pm
Location: Montreal, Canada

Re: user level

Post by Celauran »

The first and most obvious problem is that you appear to be storing passwords as plain text. Don't do that. Salt them, pepper them, and hash them using a nice, slow algorithm.

Why do you have a bunch of different queries with different access levels? Wouldn't it be easier to request the access level from the database and get rid of all those nested conditionals?
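One way to put both of Celauran's suggestions into practice, as an added example rather than code from the thread: a single lookup by username, a salted slow hash (bcrypt via password_hash, so PHP 5.5 or later is assumed) with a server-side pepper, and the access level read from the returned row to pick the landing page. It assumes a PDO connection in $pdo, an employeedetails table with a password_hash column in place of the plain-text password, and a pepper loaded from configuration.

```php
<?php
// Added example, not from the thread. Assumes PHP >= 5.5, a PDO connection in
// $pdo, a table `employeedetails` with columns employeeID, username,
// password_hash and access_level, and a secret pepper kept outside the
// database (e.g. in a config file that is not committed to version control).
session_start();

$pepper = 'LOAD-THIS-FROM-CONFIG'; // placeholder; use a long random secret

// One place that maps each access level to its landing page.
$landing = array(1 => 'index.php', 2 => 'maindex.php', 3 => 'rindex.php', 4 => 'index.php');

function peppered($password, $pepper) {
    // HMAC the password with the server-side pepper before hashing, so a copy of
    // the table alone is not enough to run offline guessing.
    return hash_hmac('sha256', $password, $pepper);
}

function make_password_hash($password, $pepper) {
    // bcrypt salts automatically and is deliberately slow; raise cost as hardware allows.
    return password_hash(peppered($password, $pepper), PASSWORD_BCRYPT, array('cost' => 12));
}

if (isset($_POST['username'], $_POST['password'])
        && $_POST['username'] !== '' && $_POST['password'] !== '') {

    $stmt = $pdo->prepare('SELECT employeeID, password_hash, access_level FROM employeedetails WHERE username = ? LIMIT 1');
    $stmt->execute(array($_POST['username']));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against a throwaway hash when the user does not exist, so response
    // time does not reveal which usernames are valid.
    $hash = $row ? $row['password_hash'] : make_password_hash('no-such-user', $pepper);
    $ok = password_verify(peppered($_POST['password'], $pepper), $hash) && $row;

    if ($ok && isset($landing[(int) $row['access_level']])) {
        session_regenerate_id(true); // new session id on login, against session fixation
        $_SESSION['user_id'] = $row['employeeID'];
        $_SESSION['access_level'] = (int) $row['access_level'];
        header('Location: ' . $landing[(int) $row['access_level']]);
        exit;
    }
    echo 'Username and Password Not Found.'; // same message for bad user and bad password
} else {
    echo 'Username and Password should not be blank.';
}
```

Store make_password_hash() output when an account is created or its password changes; the pages that $landing points at should still check $_SESSION['access_level'] themselves rather than trusting the redirect.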
jauson
Forum Contributor
Posts: 111
Joined: Wed Oct 05, 2011 12:59 am

Re: user level

Post by jauson »

Celauran wrote: The first and most obvious problem is that you appear to be storing passwords as plain text. Don't do that. Salt them, pepper them, and hash them using a nice, slow algorithm.

Why do you have a bunch of different queries with different access levels? Wouldn't it be easier to request the access level from the database and get rid of all those nested conditionals?

Obviously I don't have an idea how to implement nice and simple queries for different users. That is why I created my own script, which is not recommended for a dynamic page like this.