Block registered user during login

This is my first post. I started to learn php two days ago and got this far.

I need help with a line of code that does not work. I am a Vietnamese disabled woman in a wheelchair trying to learn php. I try to read manuals in English and translate but the translations are not good. My English is okay but not good.

So I please need someone to just correct my code with a replacement or addition. The mysql database BIT data type needs a 1 and not a 0 to be authorized. If not, I also need to show the user that they are not authorized or send them to a different page. Please help me.

<?php session_start(); 
include_once('includes/config.php');

if(isset($_POST['login']))
{
$password=$_POST['password'];
$dec_password=$password;
$useremail=$_POST['uemail'];
$ret= mysqli_query($con,"SELECT id,fname FROM users WHERE email='$useremail' and password='$dec_password' and authorized='1' ");
$num=mysqli_fetch_array($ret);
if($num>0)
{

$_SESSION['id']=$num['id'];
$_SESSION['name']=$num['fname'];
header("location:home.php");

}
else
{
echo "<script>alert('Invalid username or password or your account has been closed.');</script>";
}
}
?>

What exactly is going wrong? Is it letting people log in who are not authorised, or is it refusing to let anyone in at all?

On the face of it, there doesn’t seem to be anything wrong with the code. Have you used var_dump() or echo to show the contents of your form variables to check that information is coming across correctly? Does your query actually return a row? That is, what is in $num? If it does not, does the same query executed in phpmyadmin return a row, or give an error? Could you show some sample data from your table, and perhaps share the code for the form?

Aside from that, there are some issues with the code that you should address while you are learning. They probably won’t be affecting the issue, though one of them might be.

First, instead of copying user-supplied data directly into your query, read up on Prepared Statements and use these, with parameters, to include those values. Among other things it also handles issues with including single-quotes inside your strings which will break your current query.

Second, DO NOT store plain text passwords. PHP has a pair of functions, password_hash() to be used when storing passwords, and password_verify() to be used to check the user-supplied password against the hashed one.

Is it possible that your password is being stored in an encoded or hashed form, but you’re not handling that here? I wonder what the point of the $dec_password variable is, otherwise.

squints

So num is an array…

An Array > 0?

If you’re expecting a BIT value here, I don’t see one being pulled from the database. id will be an INT, fname will be a VARCHAR (a string)…

Unless you’re referring to THIS bit of your query:

In which case, don’t put the quotes around the 1 if it’s supposed to be a number. (Though… your database engine should be handling a conversion if it’s trying to compare a ‘1’ to a BIT, and given that ‘1’ translates to either… 1… or 49… which would end in a 1… it should still work?)

Not going into the code improvements that should be done but, either $num is the expected array or not so wouldn’t a “not empty” condition quote “fix” the code?

if(!empty($num))

I thank you for your lecture and info but long text does me no good much.
It makes no difference if I use quotes around the number 1 for (bit data type ). I still get an error:

Fatal error : Uncaught TypeError: mysqli_fetch_array(): Argument #1 ($result) must be of type mysqli_result, bool given in /home/primehor/emilydiem.com/register/restrict-login.php:10 Stack trace: #0 /home/primehor/emilydiem.com/register/restrict-login.php(10): mysqli_fetch_array() #1 {main} thrown in /home/primehor/emilydiem.com/register/restrict-login.php on line 10

My English is bad. I said it was okay but that was wrong. I have to use Google Translate and that works okay with code replacement but not in long notes suggestions I can’t understand. I am not a programmer. I am just trying to fill in. So please just correct a line of code then I may understand. Thank you.

Would you please just correct my code for the error I reported? Only then can I understand.

if(!empty($num))
{

$_SESSION['id']=$num['id'];
$_SESSION['name']=$num['fname'];
header("location:home.php");
exit;
}

etc…

You didn’t mention if you get the JS message 'Invalid username or password or your account has been closed.'

In case you don’t know, your code is looking for $_POST['login'] so an input on your form should have name="login". If you don’t have this then everything inside the if(isset($_POST['login'])) condition will not be used.

Other form inputs are uemail and password, so check that your form has matching input names.

Ah! Now you’ve given us an error message, it’s easier to work out what went wrong. That error message means that your query failed to execute (not that it ran and didn’t find any rows, just that it didn’t run), so it returned false rather than a results object. You need to test your query inside phpmyadmin or some other database tool using the same values to find out why. Is your code connecting to the database correctly?

Now we know the quote is failing, no-one can do that without seeing the layout of your users table, and the sample data you are using to test. Are all your column names correct?

I did notice that, but I figured that if an array was returned, PHP would probably handle it and decide that an array is bigger than zero. I must admit I didn’t test it anywhere.

I’ve mentioned quotes around numbers before, and been told that it doesn’t make any difference. As I always use prepared statements now, it’s not something I encounter often enough to be certain without checking.

It SHOULDN’T make a difference (because most if not all databases should do type conversions where possible), but… shrug

If $con had failed, query would have thrown an error before fetch_array could.

Or echo mysqli_error($con); after the query.


I have uploaded the database photo, the error message, and said that it all works just fine until I add the “authorized” code. I just sent a payment for a premium account and hope to learn lots here. But unless someone just changes my code to make it work and shows me where to put it, I am afraid none of this will work. Maybe this was a bad idea to come here but I am trying - and getting nowhere. Sorry to say, just to be honest. If you expect me to act like a novice developer, then you are mistaken. I am not even that far along.

Please just copy my code, all of it and make the change when allowing checking for a 0 or 1 for “authorized”.

Emily

We can’t see PHP code from the front end. That’s not how PHP works.

Your query, at the moment, only pulls records where authorized is 1:

$ret= mysqli_query($con,"SELECT id,fname FROM users WHERE email='$useremail' and password='$dec_password' and authorized='1' ");
                                                                                                             ^^^^^^^^^^^^^^

If you want to specifically catch users who are not authorized but do have a valid email and password, remove the check for authorized from the query, and then change this:

if($num>0) {
$_SESSION['id']=$num['id'];
$_SESSION['name']=$num['fname'];
header("location:home.php");

}

into

if($num !== false && $num['authorized'] == 0) {
   //Do Whatever you're going to do when they're not authorized.
   //The Email and password were correct, but authorized was 0.
} elseif($num !== false) {
   //If the code gets here, You know that authorized was 1, and there is data, so their email and password matched.
   $_SESSION['id']=$num['id'];
   $_SESSION['name']=$num['fname'];
   header("location:home.php");
}

(and then keep the else. The else is the case where the email/password was incorrect.)

Because the problem is that your query throws an error when you try to execute it, I can’t see any way that I can help you unless you provide the database layout and sample data that I’ve requested. I hope someone else can sort the issue out for you.

Thank you m_hutley. It looks like we are on the right path.
I hope I substituted your code correctly. But I got an error:
Parse error : Unclosed ‘{’ on line 5 in /home/primehor/emilydiem.com/register/restrict-login.php on line 92

Seems it may be a simple error but I don’t see a problem on line 5. Here is the code:

<?php session_start(); include_once('includes/config.php'); // Code for login if(isset($_POST['login'])) { $password=$_POST['password']; $dec_password=$password; $useremail=$_POST['uemail']; $ret= mysqli_query($con,"SELECT id,fname FROM users WHERE email='$useremail' and password='$dec_password'"); $num=mysqli_fetch_array($ret); // if($num>0) I removed this line. Hope that was correct. { if($num !== false && $num['authorized'] == 0) { //Do Whatever you're going to do when they're not authorized. //The Email and password were correct, but authorized was 0. header("location:not-authorized.php"); } elseif($num !== false) { //If the code gets here, You know that authorized was 1, and there is data, so their email and password matched. $_SESSION['id']=$num['id']; $_SESSION['name']=$num['fname']; header("location:home.php"); } else { echo ""; } } ?>

But I am learning.
It looks like:

if($num !== false && $num['authorized'] == 0) {

Means if the number in question does not equal 0 then abort (with an explanation). I am learning but looking forward to see if I did something wrong when using your code to replace mine. Notice that I removed “if($num>0)” on line 11 and hope that is correct. I get an error both ways.

I don’t see how any { I gave you could be on line 5, given the other lines of code there, but… the error says that there is a { on line 5 that is missing its matching }.

Hard to see in posted code but the field authorized is not called in the query.

Oh. Right. Silly me. :person_facepalming:

The query will need to SELECT authorized in addition to id and fname, in order to work with it. This isn’t the issue the user is currently facing, but it would be their next one.

I think the issue is with the line that the OP removed. They removed:

// if($num>0) I removed this line. Hope that was correct. { 

but they didn’t remove the corresponding }, hence the error message. But, because they haven’t formatted the code, I don’t know if the { has been left on the commented-out line, or placed on a separate line after it. I suspect the former, otherwise they would be balanced. Perhaps the OP can edit their post to format the code correctly.

Edit window closes at 4h after posting. Only the mods can modify the post at this point.

I think based on the error it’s more likely there’s a line break in there, and they removed the if($num>0), but left the { intact, which would generate the “Unclosed open-bracket” error they reported.

Of course, mine would cause the opposite error, if there is such a thing, closing without opening.

It’s actually the same error, just the opposite symbol (“PHP Parse Error: Unmatched } on line …”)

There has been no code posted that solves the problem. So, one final time:

My original code works fine. But it will be confusing to the user because my code looks at the user credentials, email and password, and “authorized” on the same line. I don’t know how to handle them separately. I would need the full code I can test. The entire php code, not just parts of it. That is the only way I can understand.

Otherwise I will need to abandon this question.
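
An added example, not code posted by anyone in this thread: a complete login script that combines the suggestions made above (a prepared statement, password_verify(), selecting authorized, a separate branch for unauthorized accounts, and exit after each redirect). It assumes includes/config.php sets $con, that users.password holds password_hash() output, and that not-authorized.php exists; find_user() and login_status() are names invented for this example.

```php
<?php
// Added example. Assumptions: includes/config.php defines $con (mysqli), and
// users.password stores a password_hash() value rather than the plain password.
session_start();
include_once('includes/config.php');

// Return the row for this email, or null when no row matches.
function find_user(mysqli $con, string $email): ?array
{
    // "?" keeps user input out of the SQL text; "authorized + 0" returns the BIT as a number.
    $sql = "SELECT id, fname, password, authorized + 0 AS authorized FROM users WHERE email = ?";
    $stmt = mysqli_prepare($con, $sql);
    if ($stmt === false
        || !mysqli_stmt_bind_param($stmt, 's', $email)
        || !mysqli_stmt_execute($stmt)) {
        throw new RuntimeException('Login query failed: ' . mysqli_error($con));
    }
    $row = mysqli_fetch_assoc(mysqli_stmt_get_result($stmt));
    return is_array($row) ? $row : null;   // fetch returns null (not false) for "no row"
}

// Decide the outcome: 'invalid', 'not_authorized' or 'ok'.
function login_status(?array $row, string $password): string
{
    if ($row === null || !password_verify($password, $row['password'])) {
        return 'invalid';                  // same answer for unknown email and wrong password
    }
    // Email and password are correct here, so only the authorized flag is left to check.
    return ((int)$row['authorized'] === 1) ? 'ok' : 'not_authorized';
}

if (isset($_POST['login'])) {
    $email    = is_string($_POST['uemail'] ?? null) ? $_POST['uemail'] : '';
    $password = is_string($_POST['password'] ?? null) ? $_POST['password'] : '';
    $row    = find_user($con, $email);
    $status = login_status($row, $password);
    if ($status === 'ok') {
        session_regenerate_id(true);       // issue a fresh session id after login
        $_SESSION['id']   = $row['id'];
        $_SESSION['name'] = $row['fname'];
        header('Location: home.php');
        exit;
    }
    if ($status === 'not_authorized') {
        header('Location: not-authorized.php');
        exit;
    }
    echo "<script>alert('Invalid username or password.');</script>";
}
```

Existing rows that hold plain-text passwords will not pass password_verify(); each stored password has to be replaced with its password_hash() value before this script accepts it.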