
PHP Multiple Restricted Access

I am trying in my PHP to make it so that if the Account database value matches 0 or 1 or 2 or 3 then it makes the login go to a certain page, but so far it doesn't log me in and it doesn't take me to the page. Before, I had a login page but it sent the user to a universally restricted page; what I want is that depending on what the User signed up for he gets assigned this value (which I have already implemented), so that if this page were to work it would send him to one of four restricted sites upon login. What I can't get is the value to be pulled and used to send him to the specific page upon login. I am using MySQLi. Here is the code:

    <?php require 'connections/connections.php'; ?>
    <?php
    if(isset($_POST['Login'])){
        $Username = $_POST['Username'];
        $Password = $_POST['Password'];

        $result = $con->query("select * from user where Username='$Username'
        AND Password='$Password'");
        $row = $result->fetch_array(MYSQLI_BOTH);
        $AccountPerm = $con->query("SELECT * FROM `user` WHERE Account =
         ?");
        session_start();
        $AccountPerm = $_SESSION['Account'];
        if($AccountPerm == 0){
            header("Location: account.php");
        }
        if($AccountPerm == 1){
            header("Location: Account1.php");
        }
        if($AccountPerm == 2){
            header("Location: Account2.php");
        }
        if($AccountPerm == 3){
            header("Location: Account3.php");
        }
    }

    ?>

so far it doesn't log me in

Just to be sure, your Account.php, Account1.php, Account2.php and Account3.php rely on $_SESSION['Account'], right? (The code below assumes so.)

As for your problem with both login and redirecting, you forgot a line:

$_SESSION['Account'] = $row['Account'];

Also, I removed

$AccountPerm = $con->query("SELECT * FROM `user` WHERE Account =
     ?");

Your code should look like:

<?php require 'connections/connections.php'; // NOTE: I don't close the php tag here! See the "session_start()" point in the "Reviews" section below

if(isset($_POST['Login'])){
    $Username = $_POST['Username'];
    $Password = $_POST['Password'];

    // TODO: Sanitize $Username and $Password against SQL injection (more in the "Reviews" section)
    $result = $con->query("select * from user where Username='$Username'
    AND Password='$Password'");
    // TODO: Check if $result is false; if so the database couldn't execute your query and you must not continue to execute the code below.

    $row = $result->fetch_array(MYSQLI_BOTH);
    // TODO: Check if $row is NULL; if so the username/password doesn't match any row and you must not execute the code below. (You should "logout" the user when the user visits login.php, see the "Login page" point in the "Reviews" section below)

    session_start();
    $_SESSION['Account'] = $row['Account']; // What you forgot to do
    $AccountPerm = $_SESSION['Account'];
    if($AccountPerm == 0){
        header("Location: account.php");
    }
    if($AccountPerm == 1){
        header("Location: Account1.php");
    }
    if($AccountPerm == 2){
        header("Location: Account2.php");
    }
    if($AccountPerm == 3){
        header("Location: Account3.php");
    }
}

?>

Reviews

  • session_start()
    Should be called at the top of your code. (It will probably end up in a shared file like connections.php that you include in all of your files.) One reason is that session_start() won't work if you send ANY character to the user's browser BEFORE calling session_start().

    For example, you close the php tag after including connections.php; you may not know it, but your newline is actually text sent to the browser!

    To fix this you just have to not close your php tag, such as in

     <?php require 'connections/connections.php';
     if(isset($_POST['Login'])){ 
  • Login page
    Make sure to log out the user (unset the $_SESSION variables that you use to check if the user is logged in) in every case except if he enters the right username/password combination.
    If the user is trying to log in it may be a different user from last time, and we don't want him to be logged in as somebody else if his username/password is wrong.

  • MySQL checks: You should always check what the MySQL function returned to you before using it! (See the documentation!) Not doing so will throw PHP errors/notices.

  • SQL injection: You must sanitize $Username/$Password before using them in your query.

    Either you escape the values with $con->real_escape_string(), such as

     $result = $con->query("SELECT * FROM user WHERE Username = '" . $con->real_escape_string($Username) . "' AND Password = '" . $con->real_escape_string($Password) . "'");

    or you use bound parameters, as explained in this post (THIS IS THE RECOMMENDED WAY).

  • No multiple account pages

    Your login page should redirect only to account.php and, within this page, split the logic according to the $_SESSION['Account'] value.

    Nothing stops you from including account1.php, account2.php, ... within account.php.
    If you do so, put your account1.php, account2.php, account3.php in a private folder that the user can't browse into.
    (One method is to create a folder (such as includes) and put a file named .htaccess with Deny from all in it.)
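Putting the answer's review points together, here is an added example of the login handler (example code, not the asker's or the answer's): a bound-parameter query, a check of every mysqli return value, logout-on-visit, and a single redirect to account.php. It assumes $con is the mysqli connection from connections/connections.php, a `user` table with Username, Password and Account columns, and (an assumption beyond the page, which compares passwords in the clear) that Password holds a password_hash() value.

```php
<?php
// login.php (added example). No closing ?> tag after the require, so nothing is sent
// to the browser before session_start().
require 'connections/connections.php';
session_start();

// Every visit to the login page drops the previous identity ("Login page" review point).
unset($_SESSION['Account'], $_SESSION['Username']);

if (isset($_POST['Login'], $_POST['Username'], $_POST['Password'])) {
    // Bound parameter: the username never becomes part of the SQL text.
    $stmt = $con->prepare("SELECT Password, Account FROM user WHERE Username = ? LIMIT 1");
    if ($stmt === false) {                  // "MySQL checks": prepare() returns false on failure
        exit('Database error');
    }
    $stmt->bind_param('s', $_POST['Username']);
    if (!$stmt->execute()) {
        exit('Database error');
    }
    $row = $stmt->get_result()->fetch_assoc();   // get_result() needs mysqlnd (assumption: modern PHP build)
    $stmt->close();

    // One failure path for "no such user" and "wrong password", so the two cases look identical.
    // Assumption: Password stores a password_hash() value; the page's schema stores it in the clear.
    if ($row === null || !password_verify($_POST['Password'], $row['Password'])) {
        header('Location: login.php?error=1');
        exit;
    }

    session_regenerate_id(true);            // fresh session id once the user is authenticated
    $_SESSION['Username'] = $_POST['Username'];
    $_SESSION['Account']  = (int) $row['Account'];   // 0..3, the value the asker already stores

    // "No multiple account pages": one entry point, which dispatches on $_SESSION['Account'].
    header('Location: account.php');
    exit;                                   // header() does not stop the script; exit so nothing else runs
}
```

account.php then only needs to read $_SESSION['Account'] and require the matching file from the non-browsable includes folder the answer describes, redirecting back to login.php when the session value is missing.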
