I have a pretty simple login script which does as you would expect and checks for a match in the database between an Email and Password combination. Although I am wondering if there is a way that I could edit this script so an Administrator could use a users email like such:
user@hotmail.com
And a master password or something:
master123
To access any account on the system? Here is my current script:
<?
session_start();
require_once("system/db.php");
if($_POST['submit']){
$email_address = $conn->real_escape_string($_POST['email_address']);
$password = md5($_POST['password']);
$stay_logged_in = $_POST['stay_logged_in'];
if (empty($email_address) === true || empty($password) === true) {
header('Location: login.php?loginerror=3');
} else {
$sql1 = "SELECT * from ap_users WHERE email_address = '{$email_address}' LIMIT 1";
$result1 = $conn->query($sql1);
if (!$result1->num_rows == 1) {
header('Location: login.php?loginerror=4');
} else {
$sql2 = "SELECT * from ap_users WHERE email_address = '{$email_address}' AND blocked='0' LIMIT 1";
$result2 = $conn->query($sql2);
if (!$result2->num_rows == 1) {
header('Location: login.php?loginerror=6');
} else {
$sql = "SELECT * from ap_users WHERE email_address = '{$email_address}' AND password = '{$password}' LIMIT 1";
$result = $conn->query($sql);
if (!$result->num_rows == 1) {
header('Location: login.php?loginerror=2');
} else {
mysqli_query($conn, "UPDATE ap_users SET last_login = NOW() WHERE email_address = '{$email_address}'");
if($stay_logged_in == 1){
setcookie("email_address", $email_address, time()+31556926 ,'/');
} else {
setcookie("email_address", $email_address);
}
$length = 76;
$randomString = substr(str_shuffle("0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"), 0, $length);
$hash = md5($randomString);
mysqli_query($conn, "UPDATE ap_users SET login_hash = '{$hash}' WHERE email_address = '{$email_address}'");
if($stay_logged_in == 1){
setcookie("hash", $randomString, time()+31556926 ,'/');
} else {
setcookie("hash", $randomString);
}
$value = 'yes';
if($stay_logged_in == 1){
setcookie("login", $value, time()+31556926 ,'/');
} else {
setcookie("login", $value);
}
header('Location: check_gateway.php');
}
}
}
}
}
?>
I have tried adding:
if($_POST['password'] != 'master123'){
$sql = "SELECT * from ap_users WHERE email_address = '{$email_address}' AND password = '{$password}' LIMIT 1";
$result = $conn->query($sql);
if (!$result->num_rows == 1) {
header('Location: login.php?loginerror=2');
} else {
} else if($_POST['password'] == 'master123'){
Which didn't quite do the job? Any ideas ?