-2

I want to restrict registered users from logging in with not just a username and password; it should:

  • if the user's voting_status='a', allow the user to log in with their username and password
  • if the voting_status='b', it should restrict the user from logging in and echo "you're not allowed to login"; else username/password incorrect.

But I don't know how to go about it, because I'm a novice in coding. I really need assistance. This is what I've been able to do so far.

```php
<?php
define('DB_HOST', 'localhost');
define('DB_NAME', 'university portal');
define('DB_USER','root');
define('DB_PASSWORD','password007');

$con=mysql_connect(DB_HOST,DB_USER,DB_PASSWORD) or die("Failed to connect to MySQL: " . mysql_error());
$db=mysql_select_db(DB_NAME,$con) or die("Failed to connect to MySQL: " . mysql_error());
/*
$ID = $_POST['user'];
$Password = $_POST['pass'];
*/
function SignIn()
{
    session_start();   //starting the session for user profile page
    if(!empty($_POST['UserName']))   //checking the 'user' name which is from Sign-In.html, is it empty or have some text
    {
        $query = mysql_query("SELECT Username, Password, voting_staus  
                                FROM voters 
                            where Username = '$_POST[UserName]', 
                                Password = '$_POST[password]' 
                                voting_status = 'a' ") 
                    or die(mysql_error());

        $row = mysql_fetch_array($query) or die(mysql_error());

        if(!empty($row['Username']) AND !empty($row['Password'])){
            if($row['voting_status']){
                $_SESSION['Username'] = $row['Password'];
                echo "SUCCESSFULLY LOGIN TO USER PROFILE PAGE...";

            }
        }
        elseif($row[voting_status]=='b') {
            echo "You are not allow to Login Here";
        } else {
            echo "SORRY... YOU ENTERD WRONG ID AND PASSWORD... PLEASE RETRY...";
        }
    }
}

if(isset($_POST['submit'])) {
    SignIn();
}

?>
```
jhamon
  • Every time you use [the `mysql_`](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php) database extension in new code, **[a Kitten is strangled somewhere in the world](http://2.bp.blogspot.com/-zCT6jizimfI/UjJ5UTb_BeI/AAAAAAAACgg/AS6XCd6aNdg/s1600/luna_getting_strangled.jpg)**. It is deprecated and has been for years and is gone forever in PHP7. If you are just learning PHP, spend your energies learning the `PDO` or `mysqli` database extensions and prepared statements. [Start here](http://php.net/manual/en/book.pdo.php) – RiggsFolly Feb 10 '17 at 12:13
  • Your script is at risk of [SQL Injection Attack](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Have a look at what happened to [Little Bobby Tables](http://bobby-tables.com/). Even [if you are escaping inputs, it's not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) Use [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) – RiggsFolly Feb 10 '17 at 12:15
  • You can add a column to the `voters` table to indicate if user is allowed to login and check `if(!empty($row['IsAllowed']) )` – Chandan Rai Feb 10 '17 at 12:16
  • Some sensible code indentation would be a good idea. It helps us read the code and, more importantly, it will help **you debug your code**. [Take a quick look at a coding standard](http://www.php-fig.org/psr/psr-2/) for your own benefit. You may be asked to amend this code in a few weeks/months and you will thank me in the end. – RiggsFolly Feb 10 '17 at 12:18

1 Answer

0

Please make these changes

```php
if(!empty($_POST['UserName'])&& !empty($_POST['password']) )   //checking the 'user' name which is from Sign-In.html, is it empty or have some text
    {
        $query = mysql_query("SELECT Username, Password, voting_status  
                                FROM voters 
                            where Username = '$_POST[UserName]' and 
                                Password = '$_POST[password]' 
                                 ") 
```

And change this

```php
        if($row['voting_status'] == 'a'){  // change by mo
            $_SESSION['Username'] = $row['Username'];  // store the username, not the password
            echo "SUCCESSFULLY LOGIN TO USER PROFILE PAGE...";
```

I made changes in your query: replaced `,` with `and` in the where condition and removed voting_status. You were using the wrong spelling for status in your query.

Mohtisham Zubair
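
The checks the question asks for, written with the prepared statements the comments recommend, as an added example that is not part of the original thread. It assumes the `Password` column stores `password_hash()` output and uses an in-memory SQLite database with constructed rows in place of the MySQL `voters` table; `signIn()` and its return strings are illustrative names.

```php
<?php
// Added example, not the asker's or answerer's code. Assumes the Password
// column holds password_hash() output; in-memory SQLite stands in for MySQL.

function signIn(PDO $pdo, string $username, string $password): string
{
    // Placeholders keep user input out of the SQL text entirely.
    $stmt = $pdo->prepare(
        'SELECT Username, Password, voting_status FROM voters WHERE Username = ?'
    );
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Same reply for an unknown user and for a wrong password.
    if ($row === false || !password_verify($password, $row['Password'])) {
        return 'wrong-credentials';
    }
    // Look at voting_status only after the password has been verified.
    if ($row['voting_status'] !== 'a') {
        return 'not-allowed';
    }
    // In a web request the caller runs session_start() before signIn().
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true);               // fresh session id on login
        $_SESSION['Username'] = $row['Username'];  // the name, never the password
    }
    return 'ok';
}

// Constructed sample data.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE voters (Username TEXT PRIMARY KEY, Password TEXT, voting_status TEXT)');
$add = $pdo->prepare('INSERT INTO voters VALUES (?, ?, ?)');
$add->execute(['alice', password_hash('alice-pass', PASSWORD_DEFAULT), 'a']);
$add->execute(['bob',   password_hash('bob-pass',   PASSWORD_DEFAULT), 'b']);

$attempts = [
    ['alice',  'alice-pass'],  // voting_status a, correct password
    ['bob',    'bob-pass'],    // voting_status b, correct password
    ['alice',  'nope'],        // wrong password
    ["o'neil", 'x'],           // a quote in the input is bound as data
];
foreach ($attempts as [$user, $pass]) {
    printf("%-8s => %s\n", $user, signIn($pdo, $user, $pass));
}
```

With MySQL, only the PDO connection string changes; the query and the checks stay the same.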