
PHP with MYSQL DB Role based login redirect

I've read quite a few different posts, but none seem to be helping me nail this script I'm writing for a login page.

Basically I want it to do the 'normal' login check of username and password against a MYSQL DB/table, then, based on the user's assigned role, forward to a specific web page. The DB has four columns: id, username, password, and a ROLE column. In the ROLE column in the DB I have Superuser, Manager, Site1 or Site2 against the user names.

The script runs and at the moment dumps out on a syntax error, but I think that's my fault with not using {}'s correctly around the switch($row["ROLE"]) line. Previously I got the script running, but it wasn't matching the ROLEs and I was getting the echo "Wrong Login or password" message, so I know I'm close.

Here is my checklogin PHP script so far:

<?php

ob_start();
$host="XXXXXX"; // Host name 
$username="XXXXXX"; // Mysql username 
$password="XXXXXX"; // Mysql password 
$db_name="XXXXXX"; // Database name 
$tbl_name="XXXXXX"; // Table name 

// Connect to server and select database.
mysql_connect("$host", "$username", "$password")or die("cannot connect"); 
mysql_select_db("$db_name")or die("cannot select DB");

// Define $myusername and $mypassword 
$myusername=$_POST['myusername']; 
$mypassword=$_POST['mypassword']; 

// To protect MySQL injection
$myusername = stripslashes($myusername);
$mypassword = stripslashes($mypassword);
$myusername = mysql_real_escape_string($myusername);
$mypassword = mysql_real_escape_string($mypassword);
$sql="SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);

// If result matched $myusername and $mypassword, table row must be 1 row
if($count==1){

$row = mysqli_fetch_array($rslt, MYSQLI_ASSOC);

switch($row["ROLE"])

$sql="SELECT ROLE FROM $tbl_name WHERE username={$myusername} and password={$mypassword}";

{
    case 'Superuser':
    header("location:http://www.XXXXXX.com/1/index.html");   
    break;

case 'Manager':
    header("location:http://www.XXXXXX.com/2/index.html");   
break;

case 'Site1':
    header("location:http://www.XXXXXX.com/3/index.html");   
break;

case 'Site2':
    header("location:http://www.XXXXXX.com/4/index.html");   
break;

default:
echo "Wrong Login or password";
}
}

else {
header("location:login_fail.php");
}
ob_end_flush();
?> 

Any help or advice gladly welcomed.

Simon

Update1: OK, when I modified the code and removed the $sql=SELECT... line, the script runs fine with no syntax issue, but doesn't match the ROLE of the logged-in username and displays Wrong Login or password.

If I add back in and modify the $sql="Select.. line:

switch($row['ROLE']) 
$sql="SELECT ROLE FROM $tbl_name WHERE username='$myusername' and password='$mypassword'"; 

I get the following syntax error:

Parse error: syntax error, unexpected '$sql' (T_VARIABLE), expecting ':' or '{' XXXXX on line 37

Hmmm...

Update2:

Ok I think I've tidied this up a bit as per comments below:

$sql="SELECT * FROM $tbl_name WHERE myusername='$myusername' and mypassword='$mypassword'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);

// If result matched $myusername and $mypassword, table row must be 1 row
if($count==1){

$row = mysql_fetch_array($rslt, MYSQL_ASSOC);


switch($row['ROLE'])

$sql="SELECT ROLE FROM $tbl_name WHERE myusername='$myusername' and mypassword='$mypassword'";

{


     case 'Superuser':
     header("location:

Now this chucks the syntax error:

Parse error: syntax error, unexpected '$sql' (T_VARIABLE), expecting ':' or '{' in /XXXXX on line 37

Which relates to:

 $sql="SELECT ROLE FROM $tbl_name WHERE myusername='$myusername' and mypassword='$mypassword'";

Update3:

OK, having re-read the comments below, I've now changed the code, dumping some of the offending lines (see below).

$sql="SELECT * FROM $tbl_name WHERE myusername='$myusername' and mypassword='$mypassword'";
$result=mysql_query($sql);

// Mysql_num_row is counting table row
$count=mysql_num_rows($result);

// If result matched $myusername and $mypassword, table row must be 1 row
if($count==1){

// ??
$row = mysql_fetch_array($rslt, MYSQL_ASSOC);


switch( $row['ROLE']){

case 'Superuser':
header("location:http://

Problem I have now is I don't seem to be matching against the values in the ROLE column of the DB table and I'm not sure why. I'm pulling all the values back with the *.

As ever thoughts and observations welcomed.


Update 4:

Chaps, still fighting with this. I tried the method below using 'elseif', but it's not working. The script runs but doesn't go beyond option 1 (Superuser) even if the ROLE is set as Manager. Any ideas?

$sql = "SELECT * FROM $tbl_name WHERE username='$myusername' and password='$mypassword'"; 
$result = mysql_query($sql); 

// Mysql_num_row is counting table row 
$count = mysql_num_rows($result); 

// If result matched $myusername and $mypassword, table row must be 1 row 
if($count == 1){ 
// Register $myusername, $mypassword and redirect to file"login_success.php" 
$_SESSION['username'] = $myusername; 
$_SESSION['password'] = $mypassword; 

$result = mysql_fetch_array($result); // get the result set from the query

$redirect = trim($result['ROLE']); // get the redirect column's value

if ($redirect == '') 
{echo "No redirect value set";} 

elseif ($redirect="Superuser"){header("Location: http://www.xxxx.com/1/index.html");}

elseif ($redirect="Manager"){header("Location: http://www.xxxx.com/2/index.html");}

elseif ($redirect="User1"){header("Location: http://www.xxxx.com/3/index.html");}

elseif ($redirect="User2"){header("Location: http://www.xxxx.com/4/index.html");}

    exit; 
}
else 
{ echo "Wrong Username or Password"; } 

ob_end_flush();
?>

Is my issue that I'm not matching the column of ROLE's value in the DB??

PS I have no syntax errors now ;)


Update 5: Fixed it!!

My issue was using elseif instead of if and not using == in my code lines, so it should look like this...

 if ($redirect=="Superuser"){header("Location: http://www.xxxxx.com/1/index.html");}

Now I can sleep. Thanks all for input.

You have syntax errors in PHP and SQL:

switch($row['ROLE']) {
   $sql = ".."; // illegal. a switch can contain only `case` and `default` clauses.

And then your SQL in that illegal line is wrong as well:

$sql="SELECT ROLE FROM $tbl_name WHERE username={$myusername} and password={$mypassword}";
                                                ^-----------^              ^-----------^

You are missing quotes around the two insert variables, which means your query will be

SELECT ... WHERE username=fred and password=hunter42

Unless you have fred and hunter42 fields in your table, that query will fail with "unknown fields".


You are also mixing mysql and mysqli functions. They are NOT interchangeable, and connections/results from one are utterly useless/meaningless in the other. Plus you have variable name mismatches:

$result=mysql_query($sql);
^^^^^^^--- note this variable
             ^---note the lack of an "i"

$row = mysqli_fetch_array($rslt, MYSQLI_ASSOC);
            ^----note the "i"
                           ^^^^--note the different variable
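
Added example (not part of the original answer or the poster's code): the same role-based redirect written against PDO with a bound parameter, `password_verify()` against a stored hash, and a role-to-page lookup in place of the if/switch chain. The in-memory SQLite database, the sample users, the paths and the names `loginRedirect` and `ROLE_PAGES` are assumptions made so the script runs stand-alone; against MySQL only the DSN changes.

```php
<?php
// Added example. Constructed sample data; SQLite in-memory stands in for
// MySQL so the script runs offline (assumption: pdo_sqlite is available).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT, ROLE TEXT)');
$ins = $pdo->prepare('INSERT INTO users (username, password, ROLE) VALUES (?, ?, ?)');
foreach ([['alice', 'Superuser'], ['bob', 'Manager'], ["o'brien", 'Site1']] as [$user, $role]) {
    // Store a salted hash, never the password itself.
    $ins->execute([$user, password_hash("constructed-pw-$user", PASSWORD_DEFAULT), $role]);
}

// Role => landing page. Paths are hypothetical placeholders.
const ROLE_PAGES = [
    'Superuser' => '/1/index.html',
    'Manager'   => '/2/index.html',
    'Site1'     => '/3/index.html',
    'Site2'     => '/4/index.html',
];

/** Returns the redirect path for a valid login, or null on any failure. */
function loginRedirect(PDO $pdo, string $username, string $password): ?string
{
    // Bound parameter: the username is never spliced into the SQL text,
    // so no stripslashes()/escaping step is needed.
    $stmt = $pdo->prepare('SELECT password, ROLE FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Verify against the stored hash in PHP, not in the WHERE clause.
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    // Strict lookup: an unknown or empty role yields no page at all,
    // and there is no "=" versus "==" comparison to get wrong.
    return ROLE_PAGES[trim($row['ROLE'])] ?? null;
}

var_dump(loginRedirect($pdo, 'bob', 'constructed-pw-bob'));         // valid login
var_dump(loginRedirect($pdo, 'bob', 'not-the-password'));           // wrong password
var_dump(loginRedirect($pdo, "o'brien", "constructed-pw-o'brien")); // quote in username
var_dump(loginRedirect($pdo, 'nobody', 'x'));                       // unknown user
```

In the login script, send `header('Location: ' . $path); exit;` when the function returns a path, and keep only the username and role in `$_SESSION`, not the password.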
