How to give login permission

I am trying to set some more rules for my login page, such as: if the person has not activated his or her account, then I shouldn't log him or her in. I am not sure why this code works, but if I do it the other way, it doesn't work. The following code works:

<?php

session_start();

if (!isset($_POST['submit'])) {
    header("Location: ../index.php?=error");
    exit();
} else {
    include 'dbh.php';

    $uid = mysqli_real_escape_string($conn, $_POST['uid']);
    $pwd = mysqli_real_escape_string($conn, $_POST['password']);

    // include error handlers:
    // Check to see if the inputs are empty

    // Check to see if user has activated his or her account before logging in
    $sql = "SELECT user_activate FROM users ";
    $result = mysqli_query($conn, $sql);
    $resultCheck = mysqli_num_rows($result);
    if ($resultCheck > 0) {
        while ($row = mysqli_fetch_assoc($result)) {
            if ($row['user_activate'] == 0) {
                header("Location: ../index.php?=notactivated");
                exit();
            }
        }
    }

    if (empty($uid) || empty($pwd)) {
        header("Location: ../signup.php=?empty");
        exit();
    } else {
        // Check to see if the username exists in the database
        $sql = "SELECT * FROM users WHERE user_uid='$uid' OR user_email='$uid'";
        $result = mysqli_query($conn, $sql);
        $resultCheck = mysqli_num_rows($result);
        if ($resultCheck < 1) {
            header("Location: ../index.php?login=error");
            exit();
        } else {
            // Does the password match the password in the database?
            if ($row = mysqli_fetch_assoc($result)) { // insert database results into an array
                // De-hashing the password
                $hashedPwdCheck = password_verify($pwd, $row['user_password']);
                if ($hashedPwdCheck == false) {
                    header("Location: ../signup.php=?empty");
                    exit();
                } elseif ($hashedPwdCheck == true) {
                    // Log in the user here
                    $_SESSION['u_id'] = $row['user_id'];
                    $_SESSION['u_first'] = $row['user_first'];
                    $_SESSION['u_last'] = $row['user_last'];
                    $_SESSION['u_email'] = $row['user_email'];
                    $_SESSION['u_uid'] = $row['user_uid'];

                    header("Location: ../index.php?login=success");
                    exit();
                }
            }
        }
    }
}

But if I just update this one line:

 $sql = "SELECT * FROM users WHERE user_uid='$uid' OR user_email='$uid' AND email_activate='0'";

then it doesn't work.

First off, you need to stop putting variables in the query. Use prepared statements. Try stepping away from the code for a minute and thinking through the logic. Also, specify the column names you want; do not SELECT *.

  1. Select the relevant columns that you will need.
  2. Verify that the correct password has been entered. If so, move on to the next check.
  3. Verify that the account is active; if not, handle it the way you want, otherwise log the person in.

I never remember precedence (mainly because I don’t try to) and always use parentheses.

Is it
user_uid or user_email – and – email_activate
or is it
user_uid – or – user_email and email_activate

http://php.net/manual/en/language.operators.precedence.php
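The three steps and the parentheses point above, as an added example that is not code from the question or from any of the replies. It assumes the column names the question itself uses (`user_id`, `user_uid`, `user_email`, `user_password`, `user_activate`), a `dbh.php` that defines `$conn` as a mysqli connection, and the mysqlnd driver for `get_result()`:

```php
<?php
// Added example: select only the needed columns with a prepared statement,
// verify the password first, then check activation. Column names are taken
// from the question; dbh.php providing $conn (mysqli) is assumed.
session_start();

if (!isset($_POST['submit'], $_POST['uid'], $_POST['password'])) {
    header("Location: ../index.php?login=error");
    exit();
}

include 'dbh.php'; // assumed to define $conn as a mysqli connection

$uid = $_POST['uid'];
$pwd = $_POST['password'];
if ($uid === '' || $pwd === '') {
    header("Location: ../signup.php?empty");
    exit();
}

// 1. Name the columns; bound parameters replace mysqli_real_escape_string, and
//    the parentheses make the OR grouping explicit instead of relying on precedence.
$stmt = $conn->prepare(
    "SELECT user_id, user_uid, user_password, user_activate FROM users"
    . " WHERE (user_uid = ? OR user_email = ?) LIMIT 1"
);
$stmt->bind_param("ss", $uid, $uid);
$stmt->execute();
$res = $stmt->get_result(); // requires the mysqlnd driver (assumed)
$row = $res ? $res->fetch_assoc() : null;
$stmt->close();

// 2. Verify the password. Unknown user and wrong password share one response so
//    the login page does not reveal which usernames exist.
if ($row === null || !password_verify($pwd, $row['user_password'])) {
    header("Location: ../index.php?login=error");
    exit();
}

// 3. Only a correct password reaches the activation check.
if ((int) $row['user_activate'] !== 1) {
    header("Location: ../index.php?login=notactivated");
    exit();
}

session_regenerate_id(true); // fresh session id once the user is authenticated
$_SESSION['u_id'] = $row['user_id'];
$_SESSION['u_uid'] = $row['user_uid'];
header("Location: ../index.php?login=success");
exit();
```

Because the activation flag is read in PHP after `password_verify`, a deactivated account and a wrong password are never confused with each other, which is what the `AND email_activate='0'` attempt in the question was trying to achieve inside the query.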

I guess this will help you:

<?php

session_start();

if (isset($_POST['submit'])) {

    include 'dbh.php';

    $uid = mysqli_real_escape_string($conn, $_POST['uid']);
    $pwd = mysqli_real_escape_string($conn, $_POST['password']);

    //Check to see if user has activated his or her account before logging in
    $sql = "SELECT user_id, active, password FROM users WHERE user_id = '".$uid."' AND active = '1'";
    $result = mysqli_query($conn, $sql);

    // if row is returned user is active and exists
    if (mysqli_num_rows($result) > 0) {

        // get user data
        $userQuery = mysqli_fetch_assoc($result);
       
        // verify password
        if (password_verify($pwd, $userQuery['password'])) {

            // password is valid do something

        } else {
            // password is invalid
        }

    } else {

        // user not active
    }
}
