0

Hi I am new to PHP and Mysql. I need help with a logon on script I am currently writing. I have the script working fine. But I am wanting to add an additional requirement for logging in.

In the table I have:

user_id | username | password | first_name | department
-------------------------------------------------------

I am currently authenticating users by using just there username and passsword but I want to add another requirement of "department". There are two entries in the department column either "user" or "manager". I want to only allow access to a manager how can I add this in?

The mysql query i am using is: 

$query = "SELECT * FROM users WHERE username='".mysql_real_escape_string($uname)."' AND password='".mysql_real_escape_string($passencrypt)."'";
Improve this question

5 Answers 5

Reset to default
1
  1. Don't ever save pure passwords in db! You should use hashes or encryption.
  2. Don't use mysql_* functions because they are depracated and will be removed in future. Use mysqli or PDO instead.
  3. Also remember to bind parameters just changing mysql to mysqli doesn't make your scripts secure.

Adding roles as you mentioned it can be solved on 2 ways.

First is simple but not good to extend and second is better but needs more effort.

Add department as tinyint to DB with 1 = user, 2 = manager

PDO solution

 $sth = $dbh->prepare('SELECT * FROM users WHERE username=? AND password=md5(?) AND department=?);
 $sth->bindParam(1, $user, PDO::PARAM_STR);
 $sth->bindParam(2, $pass, PDO::PARAM_STR);
 $sth->bindParam(3, $department, PDO::PARAM_INT);
 $sth->execute();

Read more about PDO http://www.php.net/manual/en/pdo.construct.php

Second solution is to use roles and resources. Here is good explanation of how to use it: http://framework.zend.com/manual/1.12/en/zend.acl.introduction.html

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

+1 for pointing out PDO, password storing and parameter escaping (binding).
0 
$query = "SELECT * FROM users WHERE username='".mysql_real_escape_string($uname)."' AND password='".mysql_real_escape_string($passencrypt)."'";

is okay then simply in php you just check 

$row = mysql_fetch_array($result);

if($row['department']=="manager"){
   //complete login
}else{
   //logout
}
Improve this answer

Comments

0

You could either check the value of DEPARTMENT in the resultset and take appropriate action, or filter it out of the query altogether. This will do that:

$query = "SELECT * FROM users WHERE department='manager' AND username='".mysql_real_escape_string($uname)."' AND password='".mysql_real_escape_string($passencrypt)."'";

But keep in mind that that means you are not making any distinction between a non-existent user, an incorrect password, or a user who is not a manager.

Improve this answer

Comments

0

You just need to add an extra clause to your WHERE

$query = "SELECT * FROM users WHERE username='".mysql_real_escape_string($uname)."' AND password='".mysql_real_escape_string($passencrypt)."' AND delartment = 'manager'";

In this way only member wich have department as manager will be matched by your query

Then I would like to remember you that mysql_ functions are deprecated so i would advise you to switch to mysqli or PDO

Improve this answer

Comments

0

you can do this:

if (isset($_POST['manager']))
{
$query = "SELECT * FROM users WHERE username = '$uname' AND password = '$passencrypt'";
}
elseif (isset($_POST['user'])
{...}

of course you will have to replace the three dots within the last pair of braces with whatever you want to do when it is not the manager who signs in.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.