PHP PDO Deactivate User Account with Status Column?

I’m working on trying to build an attendance application using PHP, PDO and MySQL. I currently have a table called users that just shows a list of users that can log into the application. The table structure is shown below.

I have a status column that shows an integer of 1 or 0. My thoughts are if the column is set to 1, then the user could log in at anytime since their account is active. If the column is set to 0, then the user cannot log in at all unless their status is set to 1 again.

I have a graphical table in my app that shows this column. Only users with the Administrator role can access the table:


And an edit form where the option can be changed:

But I don’t have anything in PHP code to provide functionality… What’s the best way to do something like this?

The code I currently have follows. First is the graphical users table in my app:

<?php

include('nav/head.php');

if($role_id != '1') {
	header('Location: error.php');
	exit();
}

?>

<!DOCTYPE html>
<html lang="en">

<head>

  <meta charset="utf-8">
  <meta http-equiv="X-UA-Compatible" content="IE=edge">
  <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
  <meta name="description" content="">
  <meta name="author" content="">

  <title>CCRP | Users</title>

  <?php include('nav/header.php') ?>

          <!-- Page Heading -->
          <h1 class="h3 mb-2 text-gray-800">Users List</h1><br>
          <!-- <p class="mb-4">DataTables is a third party plugin that is used to generate the demo table below. For more information about DataTables, please visit the <a target="_blank" href="https://datatables.net">official DataTables documentation</a>.</p> -->

          <!-- DataTables Example -->
          <div class="card shadow mb-4">
            <div class="card-header py-3">
              <h6 class="m-0 font-weight-bold text-primary">Add, Edit or Remove User Accounts</h6>
            </div>
            <div class="card-body">
			<a class="btn btn-success" href="user_new.php"><i class="fa fa-user-plus"></i>&nbsp Add New User</a>
			<br><br>
              <div class="table-responsive">
                <table class="table table-bordered" id="dataTable" width="100%" cellspacing="0">
                  <thead>
                    <tr>
                      <th>User ID</th>
                      <th>User Role</th>
                      <th>First Name</th>
                      <th>Last Name</th>
                      <th>Email Address</th>
                      <th>Username</th>
					  <th>Status</th>
					  <th>Action</th>
                    </tr>
                  </thead>
				  <?php
				  
				  	$stmt = $pdo->prepare("SELECT id, role_id, first_name, last_name, email, username, status FROM users");
					$stmt->execute();
					while($row = $stmt->fetch(PDO::FETCH_ASSOC)) {
				  
				  ?>
				  	<tr>
						<td><?php print($row['id']) ?></td>
						<td>
						
						<?php 
						
						if ($row['role_id'] === '1') {
							echo 'Administrator';
						} elseif ($row['role_id'] === '2') {
							echo 'Operator';
						}
						
						?>
						
						</td>
						<td><?php print($row['first_name']) ?></td>
						<td><?php print($row['last_name']) ?></td>
						<td><?php print($row['email']) ?></td>
						<td><?php print($row['username']) ?></td>
						<td>
						
						<?php 
						
						if ($row['status'] === '1') {
							echo '<strong style="color: #009900;">Active</strong>';
						} elseif ($row['status'] === '0') {
							echo '<strong style="color: #a40000;">Inactive</strong>';
						}
						
						?>
						
						</td>
						<td>							
							<a href="user_edit.php?edit_id=<?php print($row['id']); ?>"><i class="fa fa-user-edit"></i></a>
							<a href="#" data-toggle="modal" data-target="#deleteModal_<?php echo $row['id'];?>">
                  				<i style="color: #a40000;"class="fas fa-trash fa-sm fa-fw mr-2"></i>
                			</a>
							<!-- Delete Modal -->
							<div class="modal fade" id="deleteModal_<?php echo $row['id'];?>" role="dialog" aria-labelledby="exampleModalLabel" aria-hidden="true">
							  <div class="modal-dialog" role="document">
							    <div class="modal-content">
							      <div class="modal-header">
							        <h5 class="modal-title" id="exampleModalLabel">Delete User</h5>
							        <button class="close" type="button" data-dismiss="modal" aria-label="Close">
							          <span aria-hidden="true">×</span>
							        </button>
							      </div>
							      <div class="modal-body">Are you sure you want to delete <?php print($row['first_name'] . ' ' . $row['last_name']);?> from the users list?</div>
							      <div class="modal-footer">
							        <button class="btn btn-secondary" type="button" data-dismiss="modal">Cancel</button>
									<form action="api/users/delete.php" method="post">
									<input type="submit" class="btn btn-danger" name="Delete_User[<?php echo $row['id'];?>]" value="Delete" />
									</form>
							      </div>
							    </div>
							  </div>
							</div>							
						</td>
					</tr>
					<?php } ?>			  
                </table>
              </div>
            </div>
          </div>

        </div>
        <!-- /.container-fluid -->

      </div>
      <!-- End of Main Content -->

	  
	  <?php include('nav/footer.php'); ?>

</html>

Next is the edit form:

<?php

include('nav/head.php');

// Define user data by User ID
if(isset($_GET['edit_id'])) {
	 $id = $_GET['edit_id'];
	 $stmt = $pdo->prepare("SELECT * FROM users WHERE id=:id");
	 $stmt->execute(array(":id" => $id));
	 $rowUser = $stmt->fetch(PDO::FETCH_ASSOC);
} else {
	 $id = null;
	 $rowUser = null;
	 
}	 

?>

<!DOCTYPE html>
<html lang="en">

<head>

  <meta charset="utf-8">
  <meta http-equiv="X-UA-Compatible" content="IE=edge">
  <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
  <meta name="description" content="">
  <meta name="author" content="">
  
  <link rel="stylesheet" type="text/css" href="css/toggle.css">

  <title>CCRP | <?php print($rowUser['first_name'] . " " . $rowUser['last_name']); ?></title>
  
  <?php include('nav/header.php'); ?>
	
	<h1 class="h3 mb-2 text-gray-800"> Edit <?php print($rowUser['first_name'] . " " . $rowUser['last_name']); ?></h1>
	<br>
	<form action="api/users/edit.php" method="post">
			<input type="hidden" class="form-control" id="id" name="id" placeholder="" value="<?php print($rowUser['id']); ?>" maxlength="255" autocomplete="off" readonly/>	
		<div class="form-group">
			<label for="role_id">User Status</label>
			<!-- <input type="text" class="form-control" id="role_id" name="role_id" placeholder="" value="<?php print($rowUser['role_id']); ?>" maxlength="255" autocomplete="off" /> -->
			<?php
			
			if($rowUser['status'] === '1') {
				echo '<select class="form-control" id="status" name="status">
				<option selected value="1">Active</option>
				<option value="0">Inactive</option>
			</select>';
			} elseif ($rowUser['status'] === '0') {
				echo '<select class="form-control" id="status" name="status">
				<option value="1">Active</option>
				<option selected value="0">Inactive</option>
			</select>';
			}
			
			?>
		</div>	
		<div class="form-group">
			<label for="role_id">User Role</label>
			<!-- <input type="text" class="form-control" id="role_id" name="role_id" placeholder="" value="<?php print($rowUser['role_id']); ?>" maxlength="255" autocomplete="off" /> -->
			<?php
			
			if($rowUser['role_id'] === '1') {
				echo '<select class="form-control" id="role_id" name="role_id">
				<option selected value="1">Administrator</option>
				<option value="2">Operator</option>
			</select>';
			} elseif ($rowUser['role_id'] === '2') {
				echo '<select class="form-control" id="role_id" name="role_id">
				<option value="1">Administrator</option>
				<option selected value="2">Operator</option>
			</select>';
			}
			
			?>
		</div>		
		<div class="form-group">
			<label for="first_name">First Name</label>
			<input type="text" class="form-control" id="first_name" name="first_name" placeholder="" value="<?php print($rowUser['first_name']); ?>" maxlength="255" autocomplete="off" />
		</div>
		<div class="form-group">
			<label for="last_name">Last Name</label>
			<input type="text" class="form-control" id="last_name" name="last_name" placeholder="" value="<?php print($rowUser['last_name']); ?>" maxlength="14" autocomplete="off" />
		</div>
		<div class="form-group">
			<label for="email">Email</label>
			<input type="text" class="form-control" id="email" name="email" placeholder="" value="<?php print($rowUser['email']); ?>" autocomplete="off" />
		</div>
		<div class="form-group">
			<label for="username">Username</label>
			<input type="text" class="form-control" id="username" name="username" placeholder="" value="<?php print($rowUser['username']); ?>" autocomplete="off" />
		</div>
		<hr style="background-color: #a40000;">
		<div class="form-group">
			<label for="password">New Password</label>
			<input type="password" class="form-control" id="password" name="password" placeholder="" autocomplete="off" />
		</div>
		<div class="form-group">
			<label for="confirm_pwd">Confirm Password</label>
			<input type="password" class="form-control" id="confirm_pwd" name="confirm_pwd" placeholder="" autocomplete="off" />
		</div>								
			<input type="submit" name="btn_save" class="btn btn-success" value="Save">
			<input type="submit" name="btn_cancel" class="btn btn-danger" value="Cancel">							
	</form>
	&nbsp;
	&nbsp;
	
        </div>
        <!-- /.container-fluid -->

      </div>
      <!-- End of Main Content -->

	<?php include('nav/footer.php'); ?>

</html>

And finally, the edit API:

<?php

include ('../dbconnect.php');

// Update
$stmt = $pdo->prepare("UPDATE users SET role_id = :role_id, first_name = :first_name, last_name = :last_name, email = :email, username = :username, status = :status WHERE id = :id");
$stmt->bindParam(':role_id', $role_id);
$stmt->bindParam(':first_name', $first_name);
$stmt->bindParam(':last_name', $last_name);
$stmt->bindParam(':email', $email);
$stmt->bindParam(':username', $username);
$stmt->bindParam(':status', $status);
$stmt->bindParam(':id', $id);

// Update User Info
if(isset($_POST['btn_save'])) {
  $role_id = $_POST["role_id"];
  $first_name = $_POST["first_name"];
  $last_name = $_POST["last_name"];
  $email = $_POST["email"];
  $username = $_POST["username"];
  $status = $_POST["status"];
  $id = $_POST["id"];  
  $stmt->execute();
  header('Location: ../../users.php');
}

// Return to Users Page
if(isset($_POST['btn_cancel'])) {
  header('Location: ../../users.php');
}

?>
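The edit API above writes whatever arrives in `$_POST` straight into `users`, including `status` and `role_id`, and nothing in it checks who is calling; only `users.php` has the `$role_id != '1'` guard. A hardened version of `api/users/edit.php`, added here as an example and not code from the thread, is shown below. It assumes only what the thread's own code already has (`$pdo` from `dbconnect.php`, the session the login script sets with `loggedin` and `id`) plus one assumption of its own: that the edit form carries a hidden `csrf_token` field equal to `$_SESSION['csrf_token']`. The self-deactivation rule in `updateUser()` is also our addition.

```php
<?php
// Added example (not the thread's own code): a hardened api/users/edit.php.
// Assumes $pdo from dbconnect.php and a session set by the login script
// ($_SESSION['loggedin'], $_SESSION['id']). Our own assumption: the edit
// form also posts a hidden csrf_token equal to $_SESSION['csrf_token'].
declare(strict_types=1);

const ROLE_ADMIN = 1;
const ALLOWED_ROLES = [1, 2];   // Administrator, Operator
const ALLOWED_STATUS = [0, 1];  // Inactive, Active

/**
 * The caller must be an Administrator whose own account is still active.
 * Reading role and status from the database rather than the session means a
 * deactivated admin loses access on the next request, not at the next login.
 */
function isActiveAdmin(PDO $pdo, array $session): bool
{
    if (empty($session['loggedin']) || !isset($session['id'])) {
        return false;
    }
    $stmt = $pdo->prepare('SELECT role_id, status FROM users WHERE id = :id');
    $stmt->execute([':id' => (int) $session['id']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Cast before comparing: PDO returns '1' (string) or 1 (int) depending on driver settings.
    return $row !== false && (int) $row['role_id'] === ROLE_ADMIN && (int) $row['status'] === 1;
}

/** Allow-list every field; returns clean values or throws InvalidArgumentException. */
function validateUserUpdate(array $post): array
{
    $u = [
        'id'         => filter_var($post['id'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]),
        'role_id'    => filter_var($post['role_id'] ?? null, FILTER_VALIDATE_INT),
        'status'     => filter_var($post['status'] ?? null, FILTER_VALIDATE_INT),
        'email'      => filter_var(trim((string) ($post['email'] ?? '')), FILTER_VALIDATE_EMAIL),
        'username'   => trim((string) ($post['username'] ?? '')),
        'first_name' => trim((string) ($post['first_name'] ?? '')),
        'last_name'  => trim((string) ($post['last_name'] ?? '')),
    ];
    if ($u['id'] === false || !in_array($u['role_id'], ALLOWED_ROLES, true)
        || !in_array($u['status'], ALLOWED_STATUS, true) || $u['email'] === false
        || !preg_match('/^[A-Za-z0-9._-]{3,32}$/', $u['username'])
        || $u['first_name'] === '' || $u['last_name'] === ''
        || strlen($u['first_name']) > 255 || strlen($u['last_name']) > 255) {
        throw new InvalidArgumentException('Invalid user data');
    }
    // A new password is optional; if given it must match confirm_pwd and is stored hashed.
    $password = (string) ($post['password'] ?? '');
    if ($password !== '') {
        if (strlen($password) < 12 || $password !== (string) ($post['confirm_pwd'] ?? '')) {
            throw new InvalidArgumentException('Password too short or not confirmed');
        }
        $u['password'] = password_hash($password, PASSWORD_DEFAULT);
    }
    return $u;
}

/** Apply a validated update; returns the number of rows changed (0 if no such id). */
function updateUser(PDO $pdo, array $u, int $actingAdminId): int
{
    // Our own rule: an admin may not deactivate the account they are logged in with.
    if ($u['id'] === $actingAdminId && $u['status'] === 0) {
        throw new InvalidArgumentException('You cannot deactivate your own account');
    }
    $columns = ['role_id', 'first_name', 'last_name', 'email', 'username', 'status'];
    if (isset($u['password'])) {
        $columns[] = 'password';
    }
    $set = implode(', ', array_map(fn ($c) => "$c = :$c", $columns));
    $stmt = $pdo->prepare("UPDATE users SET $set WHERE id = :id");
    foreach ($columns as $c) {
        $stmt->bindValue(":$c", $u[$c], is_int($u[$c]) ? PDO::PARAM_INT : PDO::PARAM_STR);
    }
    $stmt->bindValue(':id', $u['id'], PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Request handling, as the real api/users/edit.php runs it under the web server.
if (PHP_SAPI !== 'cli') {
    session_start();
    require __DIR__ . '/../dbconnect.php';   // provides $pdo
    if (!isActiveAdmin($pdo, $_SESSION)) {
        http_response_code(403);
        exit('Forbidden');
    }
    if (isset($_POST['btn_save'])) {
        $token = (string) ($_POST['csrf_token'] ?? '');
        if ($token === '' || !hash_equals((string) ($_SESSION['csrf_token'] ?? ''), $token)) {
            http_response_code(403);
            exit('Invalid request token');
        }
        try {
            updateUser($pdo, validateUserUpdate($_POST), (int) $_SESSION['id']);
        } catch (InvalidArgumentException $e) {
            http_response_code(400);
            exit(htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8'));
        }
    }
    header('Location: ../../users.php');
    exit();
}
```

Two things carry over from the thread's version: the `header('Location: ...')` calls are now followed by `exit()`, so no code runs after the redirect, and every value is bound with `bindValue()` and an explicit type, so `status` can only ever be `0` or `1` regardless of what the browser sends.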

Okay. Let’s start with a tiny bit of streamlining. Mostly for my own sanity.

			if($rowUser['status'] === '1') {
				echo '<select class="form-control" id="status" name="status">
				<option selected value="1">Active</option>
				<option value="0">Inactive</option>
			</select>';
			} elseif ($rowUser['status'] === '0') {
				echo '<select class="form-control" id="status" name="status">
				<option value="1">Active</option>
				<option selected value="0">Inactive</option>
			</select>';
			}

Golden Rule of Programming: If you’re repeating yourself, you’ve missed a trick.

Let's slim that down. I'm going to do it this way because there's only two options:

				echo '<select class="form-control" id="status" name="status">
				<option'.(($rowUser['status'] === '1') ? ' selected' : '').' value="1">Active</option>
				<option'.(($rowUser['status'] === '0') ? ' selected' : '').' value="0">Inactive</option>
			</select>';

(If there were a lot of options, use a foreach.)

Which functionality? The code to enforce status?

Adjust your login query to only return a result if the status is 1. (or, if you want to be fancy in your error reporting, pull back the row regardless, and then check with PHP for the status column.)
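The foreach version mentioned above, as an added example that is not code from the thread: one helper renders any `<select>` from an array of value/label pairs, with every value and label passed through `htmlspecialchars()`. The thread's pages print `first_name`, `email` and the other columns unescaped, so the same call is shown on a row value. The `$rowUser` array is constructed here in place of the row the edit form's `SELECT *` query returns.

```php
<?php
// Added example, not the thread's own code: a foreach <select> renderer with
// output escaping. The $rowUser below is a constructed stand-in for the row
// the edit form fetches.
declare(strict_types=1);

const STATUS_OPTIONS = [1 => 'Active', 0 => 'Inactive'];
const ROLE_OPTIONS   = [1 => 'Administrator', 2 => 'Operator'];

/**
 * Render a <select>. $selected may be an int or the string PDO hands back
 * ('1'), so both sides are compared as strings.
 */
function renderSelect(string $name, array $options, $selected): string
{
    $e = fn ($v) => htmlspecialchars((string) $v, ENT_QUOTES, 'UTF-8');
    $html = '<select class="form-control" id="' . $e($name) . '" name="' . $e($name) . '">';
    foreach ($options as $value => $label) {
        $attr = ((string) $value === (string) $selected) ? ' selected' : '';
        $html .= '<option' . $attr . ' value="' . $e($value) . '">' . $e($label) . '</option>';
    }
    return $html . '</select>';
}

// Constructed sample row; the name contains markup to show why escaping matters.
$rowUser = ['id' => 7, 'role_id' => '2', 'status' => '0', 'first_name' => 'Ada <b>Lovelace</b>'];

echo renderSelect('status', STATUS_OPTIONS, $rowUser['status']), PHP_EOL;
echo renderSelect('role_id', ROLE_OPTIONS, $rowUser['role_id']), PHP_EOL;
// The same escaping belongs around every column the pages print straight from a row.
echo htmlspecialchars($rowUser['first_name'], ENT_QUOTES, 'UTF-8'), PHP_EOL;
```

With the option lists in one place, the users table and the edit form share the same labels, and adding a third role or status value is a one-line change rather than a new `if`/`elseif` branch in each page.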

Correct.

Here is my current login API. Where’s a good spot to put it?

<?php

session_start();

// Change this to your connection info.
$DATABASE_HOST = 'localhost';
$DATABASE_USER = 'root';
$DATABASE_PASS = '';
$DATABASE_NAME = 'ccrp_db';
// Try and connect using the info above.
$con = mysqli_connect($DATABASE_HOST, $DATABASE_USER, $DATABASE_PASS, $DATABASE_NAME);
if ( mysqli_connect_errno() ) {
	// If there is an error with the connection, stop the script and display the error.
	die ('Failed to connect to MySQL: ' . mysqli_connect_error());
}

// Now we check if the data from the login form was submitted, isset() will check if the data exists.
if ( !isset($_POST['username'], $_POST['password']) ) {
	// Could not get the data that should have been sent.
	die ('Please fill both the username and password field!');
}

// Prepare our SQL, preparing the SQL statement will prevent SQL injection.
if ($stmt = $con->prepare('SELECT id, password FROM users WHERE username = ?')) {
	// Bind parameters (s = string, i = int, b = blob, etc), in our case the username is a string so we use "s"
	$stmt->bind_param('s', $_POST['username']);
	$stmt->execute();
	// Store the result so we can check if the account exists in the database.
	$stmt->store_result();
}

if ($stmt->num_rows > 0) {
	$stmt->bind_result($id, $password);
	$stmt->fetch();
	// Account exists, now we verify the password.
	// Note: remember to use password_hash in your registration file to store the hashed passwords.
	if (password_verify($_POST['password'], $password)) {
		// Verification success! User has logged in!
		// Create sessions so we know the user is logged in, they basically act like cookies but remember the data on the server.
		session_regenerate_id();
		$_SESSION['loggedin'] = TRUE;
		$_SESSION['name'] = $_POST['username'];
		$_SESSION['id'] = $id;
		header('Location: ../index.php');
	} else {
		echo 'Incorrect password!';
	}
} else {
	echo 'Incorrect username!';
}
$stmt->close();

?>

I just realized I probably need to convert this to PDO because the login script uses MySQLi… probably not a good idea to combine the two…

PDO would be advisable, but at least you’re using prepared statements with mysqli, so that’s a plus.

if ($stmt = $con->prepare('SELECT id, password FROM users WHERE username = ?')) {
Seems like the appropriate place to also ask for the status column, right?

// Account exists, now we verify the password.
…but first we verify that status = 1.

Also, I would advise not to give specific error statements about your login errors.
For example: If I’m randomly guessing usernames and passwords to your site, and you tell me “Incorrect username”, I know the username’s bad and my guesser can move on to the next username.
If you tell me “Incorrect password” then my guesser knows that the username is good, and can start attacking that username to get its password.
If you just say “The username/password was incorrect, or the user is inactive”, then my guesser doesn’t know what the problem is, and will have to keep guessing blindly.

Ah, I see what you mean. Okay, I will change that.

True, but I need to change the code overall to use PDO rather than MySQLi. Even though I’m using prepared statements, I would like to keep the code as consistent as possible. That way if something goes wrong in the future, it’ll be easier for me to find the problem and resolve it.

Right… So I change the query from this:

'SELECT id, password FROM users WHERE username = ?'

to this?:

'SELECT id, password, status FROM users WHERE username = ?'

And we do that by saying:

if($rowUser['status'] === '1') {
     //code
}elseif($rowUser['status'] === '0') {
     //code

right?

Also, I’m using num_rows here. That’s not necessary in PDO, is it?

$stmt->fetch(); will return NULL if there are no rows to return. (NOTE: If you change to PDO, this behavior changes. fetch() returns FALSE if there is no data to return, which is why you see people invoke while($row = $stmt->fetch()): it will abort the loop as soon as there’s no more data.)

So, I’m working on changing the code to match my database connector (which runs via PDO).

I changed the code to this:

<?php

session_start();

// Change this to your connection info.
/*$DATABASE_HOST = 'localhost';
$DATABASE_USER = 'root';
$DATABASE_PASS = '';
$DATABASE_NAME = 'ccrp_db';
// Try and connect using the info above.
$con = mysqli_connect($DATABASE_HOST, $DATABASE_USER, $DATABASE_PASS, $DATABASE_NAME);
if ( mysqli_connect_errno() ) {
	// If there is an error with the connection, stop the script and display the error.
	die ('Failed to connect to MySQL: ' . mysqli_connect_error());
}*/

include('dbconnect.php');

// Now we check if the data from the login form was submitted, isset() will check if the data exists.
if ( !isset($_POST['username'], $_POST['password']) ) {
	// Could not get the data that should have been sent.
	die ('Please fill both the username and password field!');
}

// Prepare our SQL, preparing the SQL statement will prevent SQL injection.
if ($stmt = $pdo->prepare('SELECT id, password, status FROM users WHERE username = ?')) {
	// Bind parameters (s = string, i = int, b = blob, etc), in our case the username is a string so we use "s"
	$stmt->bindParam('s', $_POST['username']);
	$stmt->execute();
}

if ($stmt->num_rows > 0) {
	$stmt->bind_result($id, $password);
	$stmt->fetch();
	// Account exists, now we verify the password.
	// Note: remember to use password_hash in your registration file to store the hashed passwords.
	if (password_verify($_POST['password'], $password)) {
		// Verification success! User has logged in!
		// Create sessions so we know the user is logged in, they basically act like cookies but remember the data on the server.
		session_regenerate_id();
		$_SESSION['loggedin'] = TRUE;
		$_SESSION['name'] = $_POST['username'];
		$_SESSION['id'] = $id;
		header('Location: ../index.php');
	} else {
		echo 'The username or password provided was incorrect, or the account is disabled.';
	}
} else {
	echo 'The username or password provided was incorrect, or the account is disabled.';
}
$stmt->close();

?>

But on the app, I see this:

Fatal error: Uncaught PDOException: SQLSTATE[HY093]: Invalid parameter number: parameter was not defined in C:\xampp\htdocs\ccrp\api\login_auth.php:29 Stack trace: #0 C:\xampp\htdocs\ccrp\api\login_auth.php(29): PDOStatement->execute() #1 {main} thrown in C:\xampp\htdocs\ccrp\api\login_auth.php on line 29

PDO’s bindParam has a different set of arguments. Take a look at Example 2.

Okay, I made that change, now we get to the num_rows part which you mentioned earlier:

Notice: Undefined property: PDOStatement::$num_rows in C:\xampp\htdocs\ccrp\api\login_auth.php on line 32
The username or password provided was incorrect, or the account is disabled.
Fatal error: Uncaught Error: Call to undefined method PDOStatement::close() in C:\xampp\htdocs\ccrp\api\login_auth.php:51 Stack trace: #0 {main} thrown in C:\xampp\htdocs\ccrp\api\login_auth.php on line 51

So you said:

So I need to create a while loop instead of the if statement at the end?

No, you’re only expecting a single row, so an if($row = $stmt->fetch()) { is sufficient. (or even fetch and check that $id isn’t empty)

What about bind_result? Apparently that doesn’t exist in PDO?

Fatal error: Uncaught Error: Call to undefined method PDOStatement::bind_result() in C:\xampp\htdocs\ccrp\api\login_auth.php:33 Stack trace: #0 {main} thrown in C:\xampp\htdocs\ccrp\api\login_auth.php on line 33

(Spitballing, but I think this works.) Fetch into a variable list instead.

	$stmt->bind_result($id, $password);
	$stmt->fetch();

=>
list($id,$password,$status) = $stmt->fetch(PDO::FETCH_ASSOC);

That appeared to remove the error, but now there’s a problem with this statement:

$stmt->close();

The username or password provided was incorrect, or the account is disabled.
Fatal error: Uncaught Error: Call to undefined method PDOStatement::close() in C:\xampp\htdocs\ccrp\api\login_auth.php:50 Stack trace: #0 {main} thrown in C:\xampp\htdocs\ccrp\api\login_auth.php on line 50

I removed stmt->close(); and that removed the error.

However, the login script doesn’t work anymore. It keeps saying The username or password provided was incorrect, or the account is disabled when I login (even with the correct information).

You don’t need to close PDO statements. Garbage collection will mop them up at the end.

Show me your current version of the script, because we’ve made a lot of changes to it now, and what you’re describing is a logic error.

Here is the script after the changes we made:

<?php

session_start();

// Change this to your connection info.
/*$DATABASE_HOST = 'localhost';
$DATABASE_USER = 'root';
$DATABASE_PASS = '';
$DATABASE_NAME = 'ccrp_db';
// Try and connect using the info above.
$con = mysqli_connect($DATABASE_HOST, $DATABASE_USER, $DATABASE_PASS, $DATABASE_NAME);
if ( mysqli_connect_errno() ) {
	// If there is an error with the connection, stop the script and display the error.
	die ('Failed to connect to MySQL: ' . mysqli_connect_error());
}*/

include('dbconnect.php');

// Now we check if the data from the login form was submitted, isset() will check if the data exists.
if ( !isset($_POST['username'], $_POST['password']) ) {
	// Could not get the data that should have been sent.
	die ('Please fill both the username and password field!');
}

// Prepare our SQL, preparing the SQL statement will prevent SQL injection.
if ($stmt = $pdo->prepare('SELECT id, password, status FROM users WHERE username = ?')) {
	// Bind parameters (s = string, i = int, b = blob, etc), in our case the username is a string so we use "s"
	$stmt->bindParam(1, $_POST['username']);
	$stmt->execute();
}

if ($row = $stmt->fetch()) {
	list($id, $password) = $stmt->fetch(PDO::FETCH_ASSOC);
	// Account exists, now we verify the password.
	// Note: remember to use password_hash in your registration file to store the hashed passwords.
	if (password_verify($_POST['password'], $password)) {
		// Verification success! User has logged in!
		// Create sessions so we know the user is logged in, they basically act like cookies but remember the data on the server.
		session_regenerate_id();
		$_SESSION['loggedin'] = TRUE;
		$_SESSION['name'] = $_POST['username'];
		$_SESSION['id'] = $id;
		header('Location: ../index.php');
	} else {
		echo 'The username or password provided was incorrect, or the account is disabled.';
	}
} else {
	echo 'The username or password provided was incorrect, or the account is disabled.';
}

?>

Okay, let’s rearrange slightly and go into debug mode…

	$stmt->execute();
}

if ($row = $stmt->fetch()) {
	list($id, $password) = $stmt->fetch(PDO::FETCH_ASSOC);

=>

	$stmt->execute();
	echo $stmt->errorCode();
}
$row = $stmt->fetch(PDO::FETCH_ASSOC);
print_r($row);
if ($row) {
	list($id, $password, $status) = $row;

This is the output I get:

00000Array ( [id] => 1 [password] => $2y$10$f5M.FvqJtxA54LBst.zvhemjMWN2LL9YiI5wdpb7F2I7Dw7OvUGBm [status] => 1 )
Notice: Undefined offset: 0 in C:\xampp\htdocs\ccrp\api\login_auth.php on line 36

Notice: Undefined offset: 1 in C:\xampp\htdocs\ccrp\api\login_auth.php on line 36

Notice: Undefined offset: 2 in C:\xampp\htdocs\ccrp\api\login_auth.php on line 36
The username or password provided was incorrect, or the account is disabled.

Full code:

<?php

session_start();

// Change this to your connection info.
/*$DATABASE_HOST = 'localhost';
$DATABASE_USER = 'root';
$DATABASE_PASS = '';
$DATABASE_NAME = 'ccrp_db';
// Try and connect using the info above.
$con = mysqli_connect($DATABASE_HOST, $DATABASE_USER, $DATABASE_PASS, $DATABASE_NAME);
if ( mysqli_connect_errno() ) {
	// If there is an error with the connection, stop the script and display the error.
	die ('Failed to connect to MySQL: ' . mysqli_connect_error());
}*/

include('dbconnect.php');

// Now we check if the data from the login form was submitted, isset() will check if the data exists.
if ( !isset($_POST['username'], $_POST['password']) ) {
	// Could not get the data that should have been sent.
	die ('Please fill both the username and password field!');
}

// Prepare our SQL, preparing the SQL statement will prevent SQL injection.
if ($stmt = $pdo->prepare('SELECT id, password, status FROM users WHERE username = ?')) {
	// Bind parameters (s = string, i = int, b = blob, etc), in our case the username is a string so we use "s"
	$stmt->bindParam(1, $_POST['username']);
	$stmt->execute();
	echo $stmt->errorCode();
}

$row = $stmt->fetch(PDO::FETCH_ASSOC);
print_r($row);
if ($row) {
	list($id, $password, $status) = $row;
	// Account exists, now we verify the password.
	// Note: remember to use password_hash in your registration file to store the hashed passwords.
	if (password_verify($_POST['password'], $password)) {
		// Verification success! User has logged in!
		// Create sessions so we know the user is logged in, they basically act like cookies but remember the data on the server.
		session_regenerate_id();
		$_SESSION['loggedin'] = TRUE;
		$_SESSION['name'] = $_POST['username'];
		$_SESSION['id'] = $id;
		header('Location: ../index.php');
	} else {
		echo 'The username or password provided was incorrect, or the account is disabled.';
	}
} else {
	echo 'The username or password provided was incorrect, or the account is disabled.';
}

?>

Oh derp. Not associative, Marc. You need an enumerated.

Replace FETCH_ASSOC with FETCH_NUM and try again.

That’s what it was.

Now back to the original issue.

I changed the query already, so skip this.

So, the statement would be something like:

if ($status === '1') {
	header('Location: ../index.php');
} else {
	header('Location: ../login.php');
}

right?

One way to do it. Personally, I’d do this:

if (password_verify($_POST['password'], $password)) {

=>
if (password_verify($_POST['password'], $password) && $status === '1') {
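Pulling the whole thing together: the login check as it was described earlier in the thread (select the `status` column alongside the hash, verify the password in PHP, then require `status = 1`) and the combined condition just above, written out as a complete PDO script. This is an added example, not the thread's own code. It assumes a `users` table shaped like the thread's (`id`, `role_id`, `username`, `password` holding a `password_hash()` result, `status`) and a `$pdo` connection like the one `dbconnect.php` provides; when run from the command line, an in-memory SQLite database with constructed rows stands in for MySQL so the script runs on its own (this needs the `pdo_sqlite` extension).

```php
<?php
// Added example, not the thread's own code: PDO login with the status column
// enforced and a single failure message. Under a web server it behaves as
// api/login_auth.php; on the CLI an in-memory SQLite table with constructed
// rows stands in for the MySQL connection dbconnect.php provides as $pdo.
declare(strict_types=1);

const LOGIN_FAILED = 'The username or password provided was incorrect, or the account is disabled.';

/**
 * Returns the user's row (minus the hash) on success, null on any failure.
 * The caller only learns "yes" or "no": an unknown username, a wrong password
 * and a deactivated account are indistinguishable from outside.
 */
function authenticate(PDO $pdo, string $username, string $password): ?array
{
    $stmt = $pdo->prepare('SELECT id, role_id, username, password, status FROM users WHERE username = :username');
    $stmt->execute([':username' => $username]);   // PDO: pass the values to execute(), no bind_param('s', ...)
    $row = $stmt->fetch(PDO::FETCH_ASSOC);        // false (not null) when no row matched

    // Verify against a throwaway hash when the username is unknown, so the
    // response time does not reveal which usernames exist.
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash(bin2hex(random_bytes(16)), PASSWORD_DEFAULT);
    }
    $passwordOk = password_verify($password, $row !== false ? $row['password'] : $dummyHash);

    // Cast before comparing: status arrives as '1' (string) or 1 (int) depending on
    // the driver's prepare-emulation setting, so  === '1'  is not a safe test.
    $active = $row !== false && (int) $row['status'] === 1;

    if ($row === false || !$passwordOk || !$active) {
        return null;
    }
    unset($row['password']);
    return $row;
}

/** What the web handler does once authenticate() has succeeded. */
function startUserSession(array $user): void
{
    session_regenerate_id(true);            // fresh id for the authenticated session; old one deleted
    $_SESSION['loggedin'] = true;
    $_SESSION['id'] = (int) $user['id'];
    $_SESSION['name'] = $user['username'];  // taken from the row, not from $_POST
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}

if (PHP_SAPI === 'cli') {
    // Constructed data standing in for the MySQL users table.
    $pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, role_id INTEGER, username TEXT UNIQUE, password TEXT, status INTEGER)');
    $ins = $pdo->prepare('INSERT INTO users (role_id, username, password, status) VALUES (?, ?, ?, ?)');
    $ins->execute([1, 'alice', password_hash('correct horse', PASSWORD_DEFAULT), 1]);
    $ins->execute([2, 'bob', password_hash('battery staple', PASSWORD_DEFAULT), 0]);   // deactivated

    $attempts = [['alice', 'correct horse'], ['alice', 'wrong'], ['bob', 'battery staple'], ['carol', 'anything']];
    foreach ($attempts as [$u, $p]) {
        $user = authenticate($pdo, $u, $p);
        echo str_pad($u, 6), ' => ',
            $user === null ? LOGIN_FAILED : 'logged in as id ' . $user['id'] . ' (role ' . $user['role_id'] . ')',
            PHP_EOL;
    }
} else {
    // Web handler, as api/login_auth.php runs it.
    session_start();
    require __DIR__ . '/dbconnect.php';   // provides $pdo
    $user = authenticate($pdo, (string) ($_POST['username'] ?? ''), (string) ($_POST['password'] ?? ''));
    if ($user === null) {
        exit(LOGIN_FAILED);
    }
    startUserSession($user);
    header('Location: ../index.php');
    exit();
}
```

Only `alice` with her correct password gets in; `bob`'s password is right but his `status` is `0`, and he gets the same message as a wrong password or an unknown username. Fetching with `PDO::FETCH_ASSOC` and reading `$row['status']` by name avoids the `list()`/`FETCH_NUM` detour the thread went through, and the `static $dummyHash` plus the `(int)` cast are the two details most often missed when this check is bolted onto an existing login script.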