PHP login form does not read user level

Question

I want to make a login form which can be used by normal users and admins. The code should tell the difference between normal users and admins and based on it, start a new session after user is logged in (admin or user session). In my database table, I added "level" column which should determine if user is an admin or not (for ex.: if the user level is 3, then they are admin).

Here is my login.php file:

if (isset($_POST['submit'])) {
    include_once 'database.php';

    $username = $_POST['username'];
    $password = $_POST['password'];
    if (!$username or !$password) {
        header('Location: login.php');
    } else {
        $execution = "SELECT level FROM users WHERE name = '$username' AND password = '$password';";
        $result = mysqli_query($database, $execution);
        if (mysqli_num_rows($result) == 1) {
            session_start();
            $_SESSION['user'] = $username;
            header('Location: login.php');
            exit();
        } elseif (mysqli_num_rows($result) == 3) {
            session_start();
            $_SESSION['admin'] = $username;
            header('Location: index.php');
            exit();
        } else {
            header('Location: login.php');
            exit();
        } 
    }
}

The code does not work because when I try to log in with a user that has LEVEL 3 in database, it still starts the normal user session and does not go through the elseif statement that I wrote above. How do I fix this? Maybe I am doing this completely wrong and there is another way to do this admin/user login thing?

Btw: I do understand that I'm storing passwords in plain text here, but right now I am only experimenting with the code and do not plan to upload it to a website.

Answer 1

Here is your code updated.

You need to get the value of level in order to apply the permissions.

session_start();
    if ($result->num_rows > 0){

         if($row['level'] == 1){
            $_SESSION['user'] = $username;
            header('Location: login.php');
            exit();
         }elseif( $row['level'] == 3){
            $_SESSION['admin'] = $username;
            header('Location: index.php');
            exit();
        }else{
            header('Location: login.php');
            exit();
        }

   }

Hope it helps.

Answer 2

Because you aren't checking the user's level at all.

Your first if block only checks if the result has one row.

Also, you should use prepared statements to prevent injection.

This is the correct code:

if (isset($_POST['submit'])) {
    include_once 'database.php';

    $username = $_POST['username'];
    $password = $_POST['password'];
    if (!$username or !$password) {
        header('Location: login.php');
    } else {
        $execution = mysqli_prepare($database, "SELECT level FROM users WHERE name = ? AND password = ?;";
        mysqli_stmt_bind_param($execution, "ss", $username, $password);
        mysqli_stmt_execute($execution);
        $result = mysqli_stmt_get_result($execution);
        if (mysqli_num_rows($result) == 1) {
            $row = mysqli_fetch_assoc($result);
            session_start();
            if ($row['level'] == 1) {
                $_SESSION['user'] = $username;
                header('Location: login.php');
            }
            elseif ($row['level'] == 3) {
                $_SESSION['admin'] = $username;
                header('Location: index.php');
            }
            exit();
            echo "$result";
        } else {
            header('Location: login.php');
            exit();
        } 
    }
}