
Multi level login page redirect users to different pages based on user role php

I need to redirect users to different pages based on the roles given to them in the database. Only the username and password are submitted on the login page.

It shows me the error: "Your login session data is not on record in the database." Please help me fix this problem.

Login page

    <?php
    session_start();
    if (isset($_SESSION["admin"])) {
        header("location: index.php");
        exit();
    }
    ?>
    <?php
    if (isset($_POST["username"]) && isset($_POST["password"])) {
        $admin = preg_replace('#[^A-Za-z0-9]#i', '', $_POST["username"]);
        $password = preg_replace('#[^A-Za-z0-9]#i', '', $_POST["password"]);

        include "include/connect_to_mysql.php"; // Connect to server and select database.
        $sql = mysql_query("SELECT * FROM admin WHERE username='$admin' AND password='$password' LIMIT 1");
        $exitCount = mysql_num_rows($sql);
        if ($exitCount == 1) {
            $row = mysql_fetch_array($sql);
            $id = $row['id'];
            $role = $row['user_role'];

            if ($role == 'admin') {
                $link = 'index.html';
            } elseif ($role == 'hsr') {
                $link = 'http://www.google.com';
            }
            $_SESSION["id"] = $id;
            $_SESSION["admin"] = $admin;
            $_SESSION["password"] = $password;
            $_SESSION["role"] = $role;
            header("location: " . $link . "");
            exit();
        } else {
            echo "Wrong Username or Password";
        }
    }
    ?>

index page

    <?php
    session_start();
    if (!isset($_SESSION["admin"])) {
        header("location: login.php");
        exit();
    }
    $adminID = preg_replace('#[^0-9]#i', '', $_SESSION["id"]);
    $admin = preg_replace('#[^A-Za-z0-9]#i', '', $_SESSION["admin"]);
    $password = preg_replace('#[^A-Za-z0-9]#i', '', $_SESSION["password"]);
    $role = preg_replace('#[^A-Za-z0-9]#i', '', $_SESSION["role"]);

    include "include/connect_to_mysql.php";
    $sql = mysql_query("SELECT * FROM admin WHERE id='$adminID' AND username='$admin' AND password='$password' LIMIT 1");
    $exitCount = mysql_num_rows($sql);
    if ($exitCount == 0) {
        echo "Your login session data is not on record in the database.";
        exit();
    }
    ?>

The code seems fine; it's most likely a problem with the query results. My advice would be to output the values of your code step by step, starting with the query, until you find where the problem stems from:

    $query = "SELECT * FROM admin WHERE id='$adminID' AND username='$admin' AND password='$password' LIMIT 1";
    echo 'Query: ' . $query;
    exit;

This will tell you if the query is fine and running it on the database will ensure a user exists with the given criteria. From there you can see if it is a data issue or database issue, and work forward to a solution.

PS: It's frowned upon to store passwords in their original form, in case your database is exposed. So potentially consider hashing your passwords and comparing the hashes on login.

PPS: It's always bad to store too much data in the user session, the id should suffice. And extra bad for storing the password in there.

Good luck.
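The hashing and session advice in the PS and PPS above, as an added example that is not part of the original question or answer: credentials are checked with a prepared statement and `password_verify()`, only the user id goes into the session, and the redirect target comes from a fixed role allowlist. The `password_hash` column, the `hsr_home.php` page, the sample user and the in-memory SQLite database (requires `pdo_sqlite`) are assumptions made for the demonstration.

```php
<?php
declare(strict_types=1);
// Added example. Table/column names follow the question; password_hash is an assumed column.
// Role -> landing page allowlist; hsr_home.php is a hypothetical page name.
const ROLE_PAGES = ['admin' => 'index.php', 'hsr' => 'hsr_home.php'];

// Returns the user's id and role, or null when the credentials do not match.
function authenticate(PDO $db, string $username, string $password): ?array
{
    $stmt = $db->prepare('SELECT id, password_hash, user_role FROM admin WHERE username = ?');
    $stmt->execute([$username]); // bound parameter, so no preg_replace() filtering is needed
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // password_verify() hashes the submitted password with the stored salt and
    // compares the result; the original password is never stored or filtered.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return ['id' => (int) $row['id'], 'role' => $row['user_role']];
}

// Stores only the user id in the session and returns the redirect target.
function completeLogin(array $user): string
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        session_regenerate_id(true); // fresh session id after a successful login
    }
    $_SESSION['id'] = $user['id'];
    return ROLE_PAGES[$user['role']] ?? 'login.php'; // unknown role: back to login
}

// Protected pages look the role up again from the id held in the session.
function currentRole(PDO $db): ?string
{
    $stmt = $db->prepare('SELECT user_role FROM admin WHERE id = ?');
    $stmt->execute([$_SESSION['id'] ?? 0]);
    $role = $stmt->fetchColumn();
    return $role === false ? null : (string) $role;
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE admin (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT, user_role TEXT)');
$db->prepare('INSERT INTO admin (username, password_hash, user_role) VALUES (?, ?, ?)')
   ->execute(['alice', password_hash('S3cret!pass', PASSWORD_DEFAULT), 'hsr']);

$user = authenticate($db, 'alice', 'S3cret!pass');
echo $user ? completeLogin($user) : 'Wrong Username or Password', PHP_EOL;
var_dump(authenticate($db, 'alice', 'wrong'), currentRole($db));
```

On a real login page, `session_start()` runs before these calls and the returned page name is passed to `header('Location: ...')` followed by `exit()`.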
