Check Username is in database php & get data from two tables to login

Question

I am creating a website where there are three different levels of access

• 0 = normal
• 1 = staff
• 2 = admin

In the login form, I managed to check if the password(SHA1) matches the one in the database (which is encrypted), but didn't check the user id.

When the user or staff / admin are registered, their details are stored into separate tables which have more details( Name, DateOfBirth, ... ).

Questions

1. how would I implement this in my code?

    $result = mysql_query( $qs ) or die( mysql_error() ); while( $row = mysql_fetch_array( $result ) ){ $stored_password = $row['Password']; if( $stored_password == sha1( $pw ) ){ $_SESSION['Status'] = $row['Status']; if( $_SESSION['Status'] == 0 ){ echo "<h1>User Menu Loading...</h1>"; echo"<META HTTP-EQUIV='Refresh' Content='1;URL=http://***/'>"; }else{ echo "<h1>Incorrect Password.</h1>"; echo"<META HTTP-EQUIV='Refresh' Content='1;URL=http://**/login.php'>"; } } 

2. Is there a way all these three types of users can login via the login page and can retrieve the data from two different tables?

I have tried many ways but keep getting a blank screen or it says

incorrect password

even though the password is correct.

variables

$un = $_POST['User_ID'];
$sf = $_POST['Staff_ID'];
$pw = $_POST['Password'];
$st = $_POST['Status'];

if not then I think I should create separate login areas.

thank you ( I am currently changing mysql to mysqli )

EDIT

ADDED MOST RECENT TRY OF $qs

$qs="SELECT Cadets.Cadet_ID, Cadets.Password, Cadets.Status, 
        Staff.Staff_ID, Staff.Password, Staff.Status, 
 FROM   Cadets, Staff
 WHERE  Cadets.Cadet_ID ='$un' AND Staff.Staff_ID = '$sf'";

Answer 1

Q.1) To check the user id : First check the userid in the database and then check for password

$db=new mysqli("host", "sqlusername","sqlpassword","database");
$stmt = $db->prepare("select * from your_table_name where user_ID = ?");
$stmt->bind_param("s",$un);
$stmt->execute();
$result=$stmt->get_result();

Q.2) Yes. There is a way to do so. But question is a bit incomplete add some codes.

Answer 2

I'll update my answer as you edit your question to include more info.

A) You should not use the mysql library, as it is insecure and deprecated (soon to be removed): Why shouldn't I use mysql_* functions in PHP? You should use mysqli or PDO library.

B) sha1 is not secure, you should use something like password_hash() or crypt() but I guess sha1 is fine for educational purposes.

C) Question 1: You don't need to check for the ID.
You use while ($row = mysql_fetch_array($result)) { but since you are looking for a unique username/combination, there should only be one result or none:

if ($record = mysql_fetch_array($result)) {

You seem to be only checking if the password is correct, but you should really be checking for a unique combination of username AND password (what if two users have the same passwords? sha1() is not helping you there.

So you should have something like:

$qs = "SELECT * FROM users WHERE username = '$username' AND password = '" . sha1($pw) ."'"

Or if you use the actual staff ID as the username:

$qs = "SELECT * FROM users WHERE username = '$id' AND password = '" . sha1($pw) ."'"

D) You won't be able to see this message echo "<h1>User Menu Loading...</h1>"; as you have a redirect immediately after

E) Question 2: you need to clarify a bit more, are there 2 or 3 tables (since you mention there are 3 types of users).