Issue with assigning value from mysql to session variable and conditional statements


Could really use some help on this. I'm having a problem getting a value from the database assigned as a session variable and with the conditional statements in my checklogin.php script.

Below is the code for the script named checklogin.php. It's your basic, vanilla script that receives a username and password from a basic, vanilla login form and compares it to the database to be sure it's accurate and then logs in the user by assigning their username to a session variable, then it retrieves from the database the user's role and assigns that to a session variable. Then based on their user role cycle through a conditional statement so that an Approver or Administrator is redirected to a form that displays ALL office file plans for review and someone with User role is directed to a form that displays only the Office File Plans created by the user.

So my problem is that only the username is being assigned to a session variable. There's something wrong with my code such that the user role is NOT being assigned to a session variable. I have other scripts that grab values from the backend database and assign them to a session variable just fine. So I am absolutely stumped as to why it's not working here. Because my conditional statements are dependent on both username and user role, it's not resolving properly. The conditional statement is resolving such that all users regardless of role are being directed to the ApproverPlanSelect.php script.

Next, I know mysql_query has been deprecated but my organization uses an earlier version where it still functions. So I'd like to respectfully ask that folks focus on helping me debug the session variable and conditional statement problem versus leaving one sentence "drive-by" comments about deprecated statements.

I really, really appreciate any suggestions. I've been stuck on this for a few weeks now and it has kicked my butt.

<?php
/*checklogin.php....this script receives the username and password from a basic form*/
session_start();
ob_start();
$host='localhost'; /*host name*/
$username='bigbear1';/*fake username*/
$password='fakepw123';/*fake password*/
$db_name='TheDatabase';/*fake database name*/
$tbl_name='members';/*common table name for users*/

/*Connect to server and select database*/
mysql_connect($host,$username,$password) or die("Cannot connect");
mysql_select_db($db_name)or die("Cannot select DB");

/*Define $current_user_name and $mypassword*/
$current_user_name=$_POST['current_user_name'];
$mypassword=$_POST['mypassword'];

/*SQL Injection countermeasures*/
$current_user_name = stripslashes($current_user_name);
$mypassword = stripslashes($mypassword);

$current_user_name = mysql_real_escape_string($current_user_name);
$mypassword = mysql_real_escape_string($mypassword);


$sql = "SELECT * FROM $tbl_name WHERE username='$current_user_name' AND password='$mypassword'";
$result = mysql_query($sql);

/*next count the number of rows generated by the previous query*/

$count=mysql_num_rows($result);

/*if the username and password are correct at least one table row will be counted*/

if ($count >= 1)

{

/*this runs a query and determines the user's role (Approver, Administrator, User) and assigns that role to $current_user_role*/

$query1="SELECT * FROM members WHERE username = '$current_user_name'";
$result1 = mysql_query($query1);

while ($row = mysql_fetch_array($result1));

{

$current_user_role = $row1['role'];

}   

/*If the the role is "User", that role is assigned to a session variable and the user is redirected to the NonApproverPlanSelect form where the user can see only the file he/she created*/

if ($current_user_role=='User')

  {
         $_SESSION['current_user_name'] = $current_user_name;
     $_SESSION['current_user_role'] = $current_user_role;
     header("location:NonApproverPlanSelect.php");

      }

/*If the role is not "User" (i.e. Approver or Administrator), the role is assigned to a session variable and the user is redirected to the ApproverPlanSelect form that displays ALL office file plans regardless who created them.*/


    else

      {
         $_SESSION['current_user_name'] = $current_user_name;
     $_SESSION['current_user_role'] = $current_user_role;
     header("location:ApproverPlanSelect.php");

      }

}

else

{

header("location:bad_login.php");

}

ob_end_flush();

?>

Here is the session_start() statement at the top of the NonApproverPlanSelect.php and ApproverPlanSelect.php scripts. The username is being displayed properly but the user role is not.

<?php
session_start();
if(!isset($_SESSION['current_user_name'])) {
header('Location:view.php');
exit; /*stop here so the rest of the page is not sent to a visitor who is not logged in*/
}

echo "Welcome " . $_SESSION['current_user_name'] . ".<br>";
echo "You are logged in as " . $_SESSION['current_user_role'] . ".<br>"; 
echo '<li><a href="logout.php"><span>Logout</span></a></li>';

?>

There are 1 best solutions below

On BEST ANSWER

Ok....I figured it out and am posting this in case it helps someone. Instead of using the while statement I just needed to pass the query results into a variable via mysql_fetch_array, i.e. $row=mysql_fetch_array($result1) and then assign the column name in the database to $row['role']. Hope this helps some poor soul in the future LOL
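
Why every account landed on ApproverPlanSelect.php, shown as an added example (not code from the question or the answer): the `;` directly after `while (...)` leaves the loop with an empty body, so the block that follows runs once with `$row1` undefined, the role is null, and `null == 'User'` is false. The sketch below puts that fail-open decision beside a fail-closed one; `legacy_route()`, `route_for_role()` and the sample rows are constructed for illustration, and the page and role names are taken from the question.

```php
<?php
// Added example, not the asker's code. Function names and sample rows are
// constructed; the page names and role names come from the question.

// The question's decision logic: anything that is not exactly 'User' falls
// through to the approver page, including a role that was never loaded.
function legacy_route($row)
{
    $role = is_array($row) ? $row['role'] : null; // null mirrors the undefined $row1['role']
    return ($role == 'User') ? 'NonApproverPlanSelect.php' : 'ApproverPlanSelect.php';
}

// Fail-closed version: every role needs an explicit entry, and a missing row
// or an unknown role is treated as a failed login.
function route_for_role($row)
{
    $routes = array(
        'User'          => 'NonApproverPlanSelect.php',
        'Approver'      => 'ApproverPlanSelect.php',
        'Administrator' => 'ApproverPlanSelect.php',
    );
    if (!is_array($row) || !isset($row['role'])) {
        return 'bad_login.php';
    }
    $role = $row['role'];
    return isset($routes[$role]) ? $routes[$role] : 'bad_login.php';
}

// Constructed stand-ins for what mysql_fetch_array() hands back.
$cases = array(
    'role User'                  => array('username' => 'alice', 'role' => 'User'),
    'role Approver'              => array('username' => 'bob',   'role' => 'Approver'),
    'unexpected role value'      => array('username' => 'carol', 'role' => 'user '),
    'false (no row / loop done)' => false,
);

foreach ($cases as $label => $row) {
    printf("%-28s legacy: %-26s fail-closed: %s\n",
        $label, legacy_route($row), route_for_role($row));
}
```

In checklogin.php the returned page name would be passed to `header()` and followed by `exit;`, with `$_SESSION['current_user_role']` set only when a known role was found.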