I have used a login system on my website using sessions.
This is how it looks:
<?php
session_start();
ob_start();
include 'includes/db.php'; // defines $conn, a mysqli connection

$idadm = $_POST['idadm'] ?? '';
$passadm = $_POST['passadm'] ?? '';

// The original mixed mysql_real_escape_string() (old mysql_* API, needs its
// own mysql_connect() link) with a mysqli object; a prepared statement does
// the escaping correctly for the connection actually in use.
$stmt = $conn->prepare("SELECT aid FROM admin WHERE aid = ? AND password = ?");
$stmt->bind_param('ss', $idadm, $passadm);
$stmt->execute();
$stmt->store_result();
$count = $stmt->num_rows;
$stmt->close();

if ($count == 1) {
    session_regenerate_id(true); // fresh session id once the user is authenticated
    $_SESSION['idadm'] = $idadm;
    // The password is not kept in the session: nothing reads it, and the
    // protected pages only check $_SESSION['idadm'].
    if ($_SESSION['idadm'] == 'admin') {
        header("location:admin/index.php");
    } else {
        header("location:subadmin/index.php");
    }
} else {
    header("location:index.php");
}
ob_end_flush();
exit;
?>
db.php has the database credentials.
This is the code that is on top of the protected pages:
<?php
session_start();
if (!isset($_SESSION['idadm'])) {
header('location:/index.php');
die;
}
?>
The login script works fine except for one problem: logged-in users can access both admin and subadmin pages.
There is only one admin user, and the ID for that user in the database is 'admin'. Admin should be able to access only 'admin/index.php', and other users should be able to access 'subadmin/index.php'.
How do I modify the script to make this happen?
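One way to enforce this, as an added example and not code from the question: derive the role from the session on every request and give each protected area its own guard call. The file name `includes/auth.php`, the helper names `current_role()` and `require_role()`, and the redirect targets are assumptions; the only fact taken from the question is that a successful login stores the user's id in `$_SESSION['idadm']` and that the single admin's id is 'admin'.

```php
<?php
// includes/auth.php  (added example; the file and function names are assumed)
//
// Replaces the bare isset($_SESSION['idadm']) check at the top of each
// protected page with a role check. The role is recomputed from the
// session on every request rather than trusted from a value the page
// sets itself, so a subadmin cannot reach admin/ by knowing the URL.

/**
 * Role of the logged-in user, or null when nobody is logged in.
 * The question states there is exactly one admin, whose id is 'admin';
 * every other account is a subadmin.
 */
function current_role(): ?string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (!isset($_SESSION['idadm'])) {
        return null;
    }
    // Strict comparison: 'admin' only, not '0' or an empty string.
    return $_SESSION['idadm'] === 'admin' ? 'admin' : 'subadmin';
}

/**
 * Stop the request unless the current user has exactly $role.
 * Not logged in  -> back to the login page.
 * Wrong role     -> redirected to that user's own area, never to a page
 *                   they are not allowed to see.
 */
function require_role(string $role): void
{
    $current = current_role();

    if ($current === null) {
        header('Location: /index.php');
        exit;
    }

    if ($current !== $role) {
        header('Location: /' . $current . '/index.php');
        exit;
    }
    // Fall through: the page may render.
}

// Usage at the top of admin/index.php (assumed path, relative to that file):
//     require __DIR__ . '/../includes/auth.php';
//     require_role('admin');
//
// and at the top of subadmin/index.php:
//     require __DIR__ . '/../includes/auth.php';
//     require_role('subadmin');
```

The `exit` after each `header()` matters: without it PHP keeps executing the page and sends the protected HTML along with the redirect, which a client that ignores the `Location` header (curl, a browser extension, a proxy log) can simply read. Keeping the role derivation in one place also means that if a second admin is ever added, only `current_role()` changes, not every page.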