I have four different types of users logging in to my website: admin, superadmin, company, and employees. Each of them has a different set of pages to see, but some common pages as well. Now I have four different tables to manage them, with the same login screen for admin and superadmin. When either an admin or a superadmin logs in, I go and check two tables one by one before giving access. I have separate login screens for company and employees. Is this the accepted way of doing it?

Actually, I want this to be changed to a single table with all users in it and a role table to differentiate the roles. I believe a four-table concept is really bad. I can't simply make it one table because the previous developer had a habit of saving user comments and user activities in text files which are used on the website.

Am I right in thinking that a four-table login system is bad? Is storing logs in a text file that are directly used on the website a good idea or not?

asked by Deepak; edited by Peter Mortensen

3 Answers


You have 4 tables? Just use one user table and a field that can either be 'admin', 'superadmin', 'company' or 'employees'. Then you can have unlimited types of accounts. (I would do number codes like 1,2,3 or 4 instead of string codes or ENUM type field).

But yeah, your single table idea is fine. If you want a role table, do a foreign key to your role field and link it to your role table. You can have a single login too instead of different ones for different users and check for privileges based off that foreign key value.

answered by Kevin Wang; edited by mintobit


Here's my suggestion,

Instead of using four tables for your users, it would be better to use one.

You can create your basic user table like this (change rank to what suits your site/script):

ID username password email bla bla bla rank

So instead of using four tables, you can make your PHP script check if the user has the desired access level.

Here's a simple function to protect pages from lower access level users:

function required_level($level) {
    // $user_id is set in the session at login; the int cast keeps anything
    // but a number out of the query.
    $user_id = (int) $_SESSION['user_id'];
    $result = mysql_query("SELECT `rank` FROM `Accounts` WHERE `user_id` = $user_id");
    $row = mysql_fetch_assoc($result);
    $user_level = $row ? (int) $row['rank'] : 0;   // unknown user gets no access
    if ($user_level < $level) {
        header("Location: index.php");
        exit;  // stop here, otherwise the protected page is still sent after the redirect header
    }
}

Then, on each page you want to protect from lower-level users, you can just call required_level(4); and the page will only allow users with this level or over to access it.

Example:

  • Bob is an employee, so he has a user rank of 1,
  • Joe is a superadmin, so he has a user rank of 4

Both users login normally, and both try to access admin.php.

admin.php starts with required_level(4); so Bob would be redirected to the home page (you can also pass an error), but Joe would be able to access this page because his rank is the same as or above what is required to access this page.

So, here's my super long explanation on what you can do! I hope this helps and gives you some ideas on how to make your user tables better and easier to create protected pages :)

answered by BExDeath; edited by Peter Mortensen
  • @Deepak What are you trying to log? Logins, or what admins/users are doing? – BExDeath Aug 17 '12 at 02:51
  • If some user types in a comment, it is now saved in a log file instead of the database. Is this practice in any way accepted? – Deepak Aug 17 '12 at 03:11
  • @Deepak If you want to have a comment system, it would be best to hold all the comments in a MySQL environment instead of having to create a whole system to read it off of saved files! – BExDeath Aug 17 '12 at 03:17
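The page guard from the answer above, rewritten as an added example (this is not BExDeath's code). It uses PDO prepared statements instead of string-built SQL, fails closed for unknown users, and stops the script after the redirect header so the protected page body is never sent. The `accounts` table, its `rank` column, the SQLite in-memory database and the two seeded users (Bob, rank 1; Joe, rank 4, taken from the answer's example) are assumptions made for the demo.

```php
<?php
// Added example, not code from the answer above. Table/column names and the
// SQLite in-memory database are assumptions for the demo.
declare(strict_types=1);

function connect(): PDO
{
    $pdo = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
    // Constructed sample data mirroring the answer: Bob is an employee
    // (rank 1), Joe is a superadmin (rank 4).
    $pdo->exec('CREATE TABLE accounts (
        user_id  INTEGER PRIMARY KEY,
        username TEXT NOT NULL UNIQUE,
        rank     INTEGER NOT NULL)');
    $pdo->exec("INSERT INTO accounts (user_id, username, rank) VALUES (1, 'bob', 1), (2, 'joe', 4)");
    return $pdo;
}

// Read the rank from the database on every request rather than trusting a
// value cached in the session, so a demotion takes effect immediately.
function userLevel(PDO $pdo, int $userId): ?int
{
    $stmt = $pdo->prepare('SELECT rank FROM accounts WHERE user_id = :id');
    $stmt->execute([':id' => $userId]);
    $rank = $stmt->fetchColumn();          // false when no such user
    return $rank === false ? null : (int) $rank;
}

// Pure decision function: true only for a known user at or above $level.
function hasRequiredLevel(PDO $pdo, ?int $userId, int $level): bool
{
    if ($userId === null) {
        return false;                      // nobody logged in
    }
    $userLevel = userLevel($pdo, $userId);
    return $userLevel !== null && $userLevel >= $level;   // unknown id fails closed
}

// Page guard: call requireLevel($pdo, 4) at the very top of admin.php.
function requireLevel(PDO $pdo, int $level): void
{
    $userId = isset($_SESSION['user_id']) ? (int) $_SESSION['user_id'] : null;
    if (!hasRequiredLevel($pdo, $userId, $level)) {
        header('Location: index.php?error=forbidden');
        exit;   // without this the rest of the page is still output
    }
}

// Demo run from the command line.
$pdo = connect();
var_dump(hasRequiredLevel($pdo, 1, 4));    // Bob asking for an admin-level page
var_dump(hasRequiredLevel($pdo, 2, 4));    // Joe asking for the same page
var_dump(hasRequiredLevel($pdo, 99, 4));   // an id that is not in the table
```

Keeping the decision in `hasRequiredLevel()` separate from the redirect in `requireLevel()` makes the access rule unit-testable without a web server, which is where most "forgot the exit after header()" bugs are caught.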
First of all, you can do the whole thing with a single table. In that table you should have fields like username, password, typeofuser and other necessary information.

Retrieve user information like:

$username = $_POST['username'];  // Retrieving a username from the HTML login form
$row = mysql_query(sprintf("SELECT * FROM table WHERE username = '%s'", mysql_real_escape_string($username)));  // Retrieving a result set from the database
$res = mysql_fetch_array($row);  // Fetching the user's row from the result set
$type = $res['typeofuser']; // Retrieving whether it is administrator, super administrator, user, etc.
if ($type == "admin") {
    header("Location: adminpage.php");  // adminpage.php is a placeholder for your admin page
    exit;
}

Similarly, you can check any type of user and can redirect to another page.

answered by Anoop; edited by Peter Mortensen
  • I have edited some part; if you have any doubt, feel free to ask. – Anoop Aug 17 '12 at 00:39
  • @Anoopss Golden If you post code, you should make sure it's correct / contemporary. You are using deprecated `mysql_*` functions and have a gaping SQL injection hole. – jeroen Aug 17 '12 at 00:46
  • `mysql_query(SELECT * FROM table WHERE username ='$username');` and `header(Loction:adminpge);` are incorrect. You forgot some quotes. – Gabriel Santos Aug 17 '12 at 01:10
  • @Deepak - mysqli is technically deprecated too. The PHP dev team is set on PDO as the future, which is fine if you are targeting PHP 5.3 and later. But there are a ton of 5.2 and earlier hosts out there, so mysql_... functions are still relevant even if they are deprecated. You just have to be careful to not introduce SQL injection vulnerabilities, which newbie programmers tend to do - as demonstrated by Anoopss. In the hands of a professional, mysql_... functions are no worse or better than PDO. You can still do SQL injection in PDO and mysqli. – CubicleSoft Aug 17 '12 at 15:09
  • PDO as the future is really great news!! PHP is moving from a casual environment to a formal environment... – Deepak Aug 17 '12 at 22:05
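The two schema suggestions on this page, a single users table with a role foreign key (Kevin Wang's answer) and a single login that redirects by user type (Anoop's answer), put together as one added example using the PDO approach the comments recommend. This is not code from any of the answers. The `users` and `roles` tables, the `landing_page` column, the sample accounts and the SQLite in-memory database are all assumptions made for the demo; passwords are stored with `password_hash()` and checked with `password_verify()`, which the answers do not cover.

```php
<?php
// Added example, not code from the answers above. Table and column names,
// the sample accounts and the SQLite in-memory database are assumptions.
declare(strict_types=1);

function connect(): PDO
{
    $pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $pdo->exec('PRAGMA foreign_keys = ON');
    // One roles table instead of one users table per role. landing_page is
    // where each role is sent after a successful login.
    $pdo->exec('CREATE TABLE roles (
        id           INTEGER PRIMARY KEY,
        name         TEXT NOT NULL UNIQUE,
        landing_page TEXT NOT NULL)');
    $pdo->exec('CREATE TABLE users (
        id            INTEGER PRIMARY KEY,
        username      TEXT NOT NULL UNIQUE,
        password_hash TEXT NOT NULL,
        role_id       INTEGER NOT NULL REFERENCES roles(id))');
    $pdo->exec("INSERT INTO roles (id, name, landing_page) VALUES
        (1, 'employee', 'employee.php'), (2, 'company', 'company.php'),
        (3, 'admin', 'admin.php'),       (4, 'superadmin', 'superadmin.php')");
    // Constructed sample accounts; only the hash ever reaches the table.
    $ins = $pdo->prepare('INSERT INTO users (username, password_hash, role_id) VALUES (?, ?, ?)');
    $ins->execute(['bob', password_hash('bob-secret', PASSWORD_DEFAULT), 1]);
    $ins->execute(['joe', password_hash('joe-secret', PASSWORD_DEFAULT), 4]);
    return $pdo;
}

// Returns user id, role name and landing page for a good login, or null for a
// wrong username or a wrong password (the same answer for both, so the login
// form does not reveal which usernames exist).
function authenticate(PDO $pdo, string $username, string $password): ?array
{
    $stmt = $pdo->prepare(
        'SELECT u.id, u.password_hash, r.name AS role, r.landing_page
           FROM users u JOIN roles r ON r.id = u.role_id
          WHERE u.username = :u');
    $stmt->execute([':u' => $username]);   // bound parameter, never interpolated
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return ['user_id' => (int) $row['id'], 'role' => $row['role'], 'landing_page' => $row['landing_page']];
}

// The one login.php handler shared by all four kinds of user.
function handleLogin(PDO $pdo, array $post): void
{
    $user = authenticate($pdo, (string) ($post['username'] ?? ''), (string) ($post['password'] ?? ''));
    if ($user === null) {
        header('Location: login.php?error=1');
        exit;
    }
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true);           // fresh session id once privileges change
    $_SESSION['user_id'] = $user['user_id'];
    $_SESSION['role']    = $user['role'];
    // The redirect target comes from the roles table, not from the request,
    // so this cannot be turned into an open redirect.
    header('Location: ' . $user['landing_page']);
    exit;
}

// Demo run from the command line.
$pdo = connect();
var_dump(authenticate($pdo, 'joe', 'joe-secret'));   // a valid superadmin login
var_dump(authenticate($pdo, 'joe', 'wrong'));        // right user, wrong password
var_dump(authenticate($pdo, 'nobody', 'x'));         // username that does not exist
```

Per-page authorisation then reads `$_SESSION['role']` (or re-queries `role_id`, as in the guard example higher up the page) rather than checking which table a user came from, which is what removes the need for four tables and three login screens.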