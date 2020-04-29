PDO would be advisable, but at least you’re using prepared statements with mysqli, so that’s a plus.

if ($stmt = $con->prepare('SELECT id, password FROM users WHERE username = ?')) {

Seems like the appropriate place to also ask for the status column, right?

// Account exists, now we verify the password.

…but first we verify that status = 1.

Also, I would advise not to give specific error statements about your login errors.

For example: If I’m randomly guessing usernames and passwords to your site, and you tell me “Incorrect username”, I know the username’s bad and my guesser can move on to the next username.

If you tell me “Incorrect password” then my guesser knows that the username is good, and can start attacking that username to get its password.

If you just say “The username/password was incorrect, or the user is inactive”, then my guesser doesn’t know what the problem is, and will have to keep guessing blindly.
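The three points above (fetch `status` in the same prepared query, check it before accepting the login, and return one generic message for every failure) put together, as an added example that is neither the commenter's nor the original poster's code. It uses PDO, as the comment recommends, with an in-memory SQLite database so it runs offline; the `users` table and its `id`, `username`, `password` and `status` columns are taken from the poster's query, the sample accounts are constructed, and the dummy `password_verify()` for unknown usernames is an extra step beyond what the comment describes, added so that response time does not leak what the error message hides.

```php
<?php
// Added example, not code from the thread. Assumes a users table with
// id, username, password (password_hash() output) and status (1 = active),
// matching the query quoted in the comment. SQLite in memory is used so
// the script runs offline; for MySQL replace the DSN with e.g.
// 'mysql:host=localhost;dbname=app;charset=utf8mb4' plus user/password.
declare(strict_types=1);

// One message for "no such user", "wrong password" and "inactive account".
const LOGIN_FAILED = 'The username/password was incorrect, or the user is inactive.';

function connect(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    return $pdo;
}

// Constructed sample data: one active account and one disabled account.
function seed(PDO $pdo): void {
    $pdo->exec('CREATE TABLE users (
        id INTEGER PRIMARY KEY,
        username TEXT UNIQUE NOT NULL,
        password TEXT NOT NULL,
        status INTEGER NOT NULL
    )');
    $ins = $pdo->prepare('INSERT INTO users (username, password, status) VALUES (?, ?, ?)');
    $ins->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT), 1]);
    $ins->execute(['bob',   password_hash('battery staple', PASSWORD_DEFAULT), 0]);
}

// Returns the user id on success, or null and sets $error to the generic message.
function login(PDO $pdo, string $username, string $password, ?string &$error): ?int {
    // Ask for status in the same query that fetches id and password.
    $stmt = $pdo->prepare('SELECT id, password, status FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        // Unknown username: still do one password_verify() against a dummy hash
        // (assumption added here) so this branch takes as long as the others.
        static $dummyHash = null;
        if ($dummyHash === null) {
            $dummyHash = password_hash('dummy-password', PASSWORD_DEFAULT);
        }
        password_verify($password, $dummyHash);
        $error = LOGIN_FAILED;
        return null;
    }

    // Account exists: it must be active AND the password must match.
    // Both checks always run, so an inactive account and a wrong password
    // cost the same time and produce the same message.
    $active      = (int) $row['status'] === 1;
    $passwordOk  = password_verify($password, $row['password']);
    if (!$active || !$passwordOk) {
        $error = LOGIN_FAILED;
        return null;
    }

    $error = null;
    return (int) $row['id'];
}

$pdo = connect();
seed($pdo);

// Four attempts: correct, wrong password, correct password on a disabled
// account, and a username that does not exist. Only the first succeeds;
// the other three print the identical message.
$attempts = [
    ['alice',   'correct horse'],
    ['alice',   'wrong password'],
    ['bob',     'battery staple'],
    ['mallory', 'anything'],
];
foreach ($attempts as [$user, $pass]) {
    $err = null;
    $id  = login($pdo, $user, $pass, $err);
    printf("%-8s -> %s\n", $user, $id !== null ? "logged in as id $id" : $err);
}
```

The only thing the caller learns from a failed attempt is `LOGIN_FAILED`; log the real reason server-side if you need it for monitoring, not in the HTTP response.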