if statement/login problems

[Heavy Metal]

I have this code

PHP Code:

<? 
if(isset($_POST['submit']))
{
  include('includes/connect.htm');
  //did they supply a password and username
  $username=$_POST['username'];
  $password=$_POST['password'];
  $password=md5($password);
  $query = mysql_query("SELECT * FROM users WHERE username = '$username'") or die(mysql_error());
  $data = mysql_fetch_array($query);
  if($password==NULL)
  {
    die("<center><h3>A password was not supplied</h3></center>");
  }else{
    $query = mysql_query("SELECT * FROM users WHERE username = '$username'") or die(mysql_error());
    $data = mysql_fetch_array($query);
    if($data['password'] != $password)
    {
      die("<center><h3>The supplied login is incorrect</h3></center>");
    }else{
      $query = mysql_query("SELECT * FROM users WHERE username = '$username'") or die(mysql_error());
      $data = mysql_fetch_array($query);
      if($data['userlevel'] != "1")
      {
        die("<center><h3>You are not a admin</h3></center>");
      }else{
        $query = mysql_query("SELECT * FROM users WHERE username = '$username'") or die(mysql_error());
        $row = mysql_fetch_array($query);
        $_SESSION['s_username'] = $row['username'];
        echo "<meta http-equiv=\"Refresh\" content=\"0;url=\">";
        return;
      }
    }
  }
}
?><? if(!session_is_registered('s_username')) { ?><p>
<form action="" method="post">
<b>Username: </b><input type="text" size="15" maxlength="25" name="username"><br>

<b>Password: </b><input type="password" size="15" maxlength="25" name="password"><br>

<center><input type="submit" value="Login" name="submit"></center><p>
</form>
<? 
}elseif(session_is_registered('s_username')){
  include('includes/connect.htm');
  $query = mysql_query("SELECT * FROM users WHERE username = '$username'") or die(mysql_error());
  $data = mysql_fetch_array($query);
  if($data['userlevel'] != "1")
  {
    die("<center><h3>You are not a admin.</h3></center>");
  }else{
 ?>
//webpage here
<? 
  }
}
 ?>

It is not working, it is supposed to do the following, if you are not loged in already, it gives you a login form, which when submited is supposed to check against the database, to see wether or not your information is correct, if it is, it sets a session variable with your name in it, and re-directs you to the same page, which will then have you showing as loged in, so the webpage within will show. If, However, you are already loged in, it will simply check your user level from the database. But, the problem is, is that this is doing nothing, i submit it, and it redirects back to the same page, but i still am being shown the login form, please help. Thanks.

[NogDog]

Most important is that you need a session_start(); at the beginning of the script. Secondly, you should not use session_is_registered() in combination with $_SESSION. Instead, just do if(isset($_SESSION['s_username'])).

[Heavy Metal]

sorry, i knew about that, i just wasn't thinking. Also, it is actually giving me a response now, but its the you are not a admin message, which as i'm looking at the table right now, I do in fact have a user level of one, so why isn't this working? I have the table column right, and I added a bit which echo's out the username that it's checking on, and it is the user which has a userlevel of 1. So I'm not sure why this isn't working.

[boeing747fp]

do you have more than 1 row with the same `username` value?

[Heavy Metal]

Nope, sure dont

[boeing747fp]

try echoing the $data['userlevel'] just above

PHP Code:

if($data['userlevel'] != "1") 
      { 
        die("<center><h3>You are not a admin</h3></center>"); 


and see if "1" appears right before your "You are not a admin" error message

[Heavy Metal]

showed up as 1 alright

[boeing747fp]

try

PHP Code:

if(trim($data['userlevel']) != "1") 


[Heavy Metal]

same effect

[boeing747fp]

hmm.. try removing ""s from around your 1

[Heavy Metal]

that didn't work either, does anyone else have any comments on this and how i might fix it?

[Sid3335]

it could very well be the refresh, it will still hold the session data but your final mysql_query will not have a valid $username variable.

[Sid3335]

actually after having another look at your script it has many problems, not least all the mysql_queries you are running.

heres something for you to work with, its not perfect:

PHP Code:

session_start() ;
if(isset($_POST['submit'])) 
{  
  $username=$_POST['username']; 
  $password=$_POST['password']; 
  $password=md5($password); 

  mysql_connect("localhost", "user", "pass") ;
  mysql_select_db("user") ;  
  $query = mysql_query("SELECT * FROM users WHERE username = '$username'") or die(mysql_error()); 
  $data = mysql_fetch_array($query);
   
    if($data['password'] != $password) 
    { 
      exit("<center><h3>The supplied login is incorrect</h3></center>"); 
    }
    
    if($data['userlevel'] != "1") 
    { 
       exit("<center><h3>You are not a admin</h3></center>"); 
    }

    $_SESSION['s_username'] = $data['username'];
} 

if(!isset($_SESSION['s_username'])) 
{ 
?>
<form action="" method="post"> 
<b>Username: </b><input type="text" size="15" maxlength="25" name="username"><br> 

<b>Password: </b><input type="password" size="15" maxlength="25" name="password"><br> 

<center><input type="submit" value="Login" name="submit"></center><p> 
</form> 
<?php
}
elseif(isset($_SESSION['s_username']))
{  
  if($data['userlevel'] != "1") 
  { 
    die("<center><h3>You are not a admin.</h3></center>"); 
  }
  else
  { 
        echo "//webpage here" ; 
  } 
}

[Heavy Metal]

There were so many errors, and i wasn't being told about any of them, so decided to try to re-write my intire code.

[BuezaWebDev]

There were so many errors, and i wasn't being told about any of them, so decided to try to re-write my intire code.

While you're at it, you might want to learn how to OOP.