
admin and user login form

Hi, can anyone see what I'm doing wrong? I'm using the one login for both user and admin and it is directing me to the admin page, but when I enter a user's name and password it's saying username and password incorrect. Have messed with this for hours.

PHP FILE:

<?php

if(isset($_POST['Submit']))   //Check if the login form has been submitted
{   
    include ('dbconnection.php');

    //Get the values from the new user form
    $pw = md5($_POST['Password']); //Note use of MD5 hash function
    $username = $_POST['UserName'];

    //Set up and execute the SELECT query
    $query = "SELECT * FROM users Where UserName = '$username' AND Password ='$pw' AND Role = 'User' ";
    $result=mysql_query($query);  //Get the query result
    $num=mysql_numrows($result);  //Get number of records returned 


    if ($num)  //Logon is successful - redirect to restricted home page
    {
        session_start();
        $_SESSION['UserId']=$username; //Save the username in a session variable
        mysql_close($connection); //close database connection
            header("Location: Index.php?Successful"); //display the restricted page

    }
    else    //Logon has failed - reload the logon page
    {
    mysql_close($connection);//close database connection
        header("Location: Emersrecipes.php?err"); //if user does not exist in db directs back to login page with an error

    }
}
?>

<?php

if(isset($_POST['Submit']))   //Check if the login form has been submitted
{   
    include ('dbconnection.php');

    //Get the values from the new user form
    $pw = md5($_POST['Password']); //Note use of MD5 hash function
    $username = $_POST['UserName'];

    //Set up and execute the SELECT query
    $query = "SELECT * FROM users Where UserName = '$username' AND Password ='$pw' AND Role = 'Administrator' ";
    $result=mysql_query($query);  //Get the query result
    $num=mysql_numrows($result);  //Get number of records returned 


    if ($num)  //Logon is successful - redirect to restricted home page
    {
        session_start();
        $_SESSION['UserId']=$username; //Save the username in a session variable
        mysql_close($connection); //close database connection
            header("Location: Admin\admin.php?Successful"); //display the restricted page

    }
    else    //Logon has failed - reload the logon page
    {
    mysql_close($connection);//close database connection
        header("Location: Emersrecipes.php?err"); //if user does not exist in db directs back to login page with an error

    }
}
?>

HTML FORM

<div class = 'grd6'>

            <article>
            <p>Welcome today is <?php echo date ('M j, Y');?></P>
            </article>
            <form class = 'loginform' method="post" action="<?php echo $_SERVER['PHP_SELF'];?>" name="loginform">
            <h2>User Login Form</h2>
            Username:<input name="UserName" type="text"   size="30" maxlength="30" placeholder='Enter Your Name' required/><br />
            Password:<input name="Password" type="Password" placeholder= 'Enter your password' required  size="30" maxlength="30" /><br /><p>
            <input name="Submit" type="Submit" value="Login" />
            <?php include ('php\Login.php')?>
            </form>     
            </div>

You can minify your code like this:

if(isset($_POST['Submit']))
{
    include ('dbconnection.php');
    $pw = md5($_POST['Password']);
    $username = mysql_real_escape_string($_POST['UserName']);
    //mysql_real_escape_string won't save you from sql injection so use PDO/mysqli

    //One query for both roles; the role is read from the matched row
    $query = "SELECT * FROM users Where UserName = '$username' AND Password ='$pw'";
    $result=mysql_query($query);
    $num=mysql_numrows($result);

    if ($num>0)
    {
        $row= mysql_fetch_assoc($result);
        if($row['role']=='Administrator')
        {
            //Admin login
        }
        if($row['role']=='User')
        {
            //user login
        }
    }
}
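
Added example (not part of the original answer or the asker's code): the single-query, role-from-the-row login above, written with the PDO prepared statements the answer's comment points to and with password_hash()/password_verify() in place of md5(). Assumptions: the function names find_role() and landing_page() are hypothetical, the users are constructed sample data in an in-memory SQLite database (needs the pdo_sqlite extension), and the redirect targets are the ones from the question.

```php
<?php
// Added example: one login path for both roles. Table and column names follow
// the question; the accounts and passwords below are constructed sample data.

function find_role(PDO $db, string $username, string $password): ?string
{
    // The placeholder keeps user input out of the SQL text entirely.
    $stmt = $db->prepare('SELECT Password, Role FROM users WHERE UserName = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Compare against the stored salted hash; an unknown user and a wrong
    // password both return null.
    if ($row === false || !password_verify($password, $row['Password'])) {
        return null;
    }
    return $row['Role'];
}

function landing_page(?string $role): string
{
    // The role comes from the matched row, so one query serves both logins.
    switch ($role) {
        case 'Administrator': return 'Admin/admin.php?Successful';
        case 'User':          return 'Index.php?Successful';
        default:              return 'Emersrecipes.php?err';
    }
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (UserName TEXT PRIMARY KEY, Password TEXT, Role TEXT)');
$ins = $db->prepare('INSERT INTO users VALUES (?, ?, ?)');
$ins->execute(['emer', password_hash('admin-pass', PASSWORD_DEFAULT), 'Administrator']);
$ins->execute(['sam',  password_hash('user-pass',  PASSWORD_DEFAULT), 'User']);

// Constructed attempts; the last name contains a quote and is handled as plain data.
$attempts = [['emer', 'admin-pass'], ['sam', 'user-pass'], ['sam', 'wrong'], ["o'neil", 'x']];
foreach ($attempts as [$u, $p]) {
    echo str_pad($u, 8), ' -> ', landing_page(find_role($db, $u, $p)), PHP_EOL;
}
```

In the real handler, send the chosen page with header('Location: ...') followed by exit, so that no later code replaces the redirect, and call session_regenerate_id(true) before storing the user in $_SESSION.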
