Unable to fetch and compare mysql data in php

Question

I want to check if the 'desig' (designation) of a user stored in user_info database, is 'gm' (GM) or not. Currently, I have two users, one with 'desig' as 'gm' and the other as 'mgr', no matter who logs in, the 'gm.html' page always loads. The correct working should be that if the desig is gm then only it should redirect to gm.html page. (members is a table in user_info db)

<?php
session_start();
if((isset($_SESSION['login']) && $_SESSION['login'] ==true)) {echo "";}
else{
    header("location:login.html");}

$mysql_hostname = 'localhost';
$mysql_usrnm = 'root';
$mysql_pass = '';
$mysql_db = 'user_info'; 
$con = mysqli_connect($mysql_hostname, $mysql_usrnm, $mysql_pass, $mysql_db) or die('Cant connect to database');

mysqli_select_db($con,$mysql_db);

$result = mysqli_query($con, "SELECT desig FROM members WHERE desig='gm'");

if (!$result) {
printf("Error: %s\n", mysqli_error($con));
exit();
}

$desig = mysqli_fetch_array($result) or die("error"); 

if($desig!="gm")
{
        $mysql_db1='customer';
        $con1=mysqli_connect($mysql_hostname, $mysql_usrnm, $mysql_pass, $mysql_db1) or die("Connection died for your sins.");
        echo "Connected";}

        else
        header("location:gm.html");

?>

Answer 1

Your code seems to be hard-coded to only return a GM?

$result = mysqli_query($con, "SELECT desig FROM members WHERE desig='gm'");

I am pretty sure that this is supposed to be picked up based on the user and not simply running a "find me a GM user" for anyone.

If I understand your question correctly, shouldn't there be somewhere in betwen the start and end of this snipped that uses the login information to verify what level a user is it?

if((isset($_SESSION['login']) && $_SESSION['login'] ==true)) 
{
    echo "";
    // Shouldn't you run a query here to see who your user is?
    // For example to get their ID?
}
else
{
    header("location:login.html");
}

    $mysql_hostname = 'localhost';
    $mysql_usrnm = 'root';
    $mysql_pass = '';
    $mysql_db = 'user_info'; 
    $con = mysqli_connect($mysql_hostname, $mysql_usrnm, $mysql_pass, $mysql_db) or die('Cant connect to database');

    mysqli_select_db($con,$mysql_db);

    $result = mysqli_query($con, "SELECT desig FROM members WHERE desig='gm'");
    // Then here, instead of running this, convert it to something similar to:
    $result = mysqli_query($con, "SELECT desig FROM members WHERE userid=$id");

Edit:

Storing the variable is easy - but you have to GET it from somewhere.

You can do this by popping a column in your users table - where you verify the username and password to begin with. I would suggest you look into a basic table like this to store user information. (I would also recommend you store hashes of passwords and the like, but that seems a conversation for another time).

user table:
userID  username    password    userLevel
  1     someUser    somePass    Grunt
  2     someUser1   somePass1   MGR
  3     someUser2   somePass2   MGR
  4     someUser3   somePass3   GM

Armed with this, you can fire off a quick query to the database, verify the username and password, and get their userLevel quite easily.

Once you have the level, you can store it in a session variable if you like and have your code apply logic depending on what is stored in there.

Answer 2

I fixed the problem. There were some logical errors in my code.

 if((isset($_SESSION['login']) && $_SESSION['login'] ==true)) {

    //Selecting the whole row to compare and display different variables
    $sql = "SELECT * FROM members WHERE username = '".$_SESSION['username']."'";
    if(!$sql)
    echo mysql_error();
    $result = mysqli_query($con,$sql);
    $row = mysqli_fetch_array($result, MYSQLI_ASSOC);

    //Using $row variable to fetch and compare the value stored in 'desig' with 'gm'
    if($row["desig"]=='gm')
    header("location:gm.php"); //Opens up different page for gm aka Gen. Mgr.
     }
 else 
 header("location:login.html"); //Redirects to this page if no user is logged in.