2
<?php
if(isset($_POST['submit'])) {
    $UserName = mysql_real_escape_string($_POST['UserName']);
    $password = mysql_real_escape_string($_POST['password']);
    $checkbox = isset($_POST['remember_me']);

    if(user_exists ($UserName, $db_connect)) {
       $result = mysqli_query ($db_connect, "SELECT password FROM users WHERE UserName = '$UserName'");
       $retrievepassword = mysqli_fetch_assoc($result);

        if(md5($password) !== $retrievepassword['password']) {
            $alert = "Invalid Password";
        } else {
            $_SESSION['UserName'] = $UserName;

            if($checkbox == "on") {
                setcookie("UserName", $UserName, time()+3600);
            }

            header("location: profile.php");
        }
    } else {
        $alert = "Username doesn't exist in database";
    }
}
?>

I've made the following login script, which is working fine, and now I want to check the user's status before login: if the user is active, it will log in, and if their request is pending or rejected, it will display an error. I've done the first part and am confused about the other part, where I have to check the status.

Can anybody help me according to my code?

djthoms
Abid G
  • check my answer below @Abid G – B. Desai Jun 28 '17 at 05:17
  • Don't use `md5`: http://us1.php.net/manual/en/faq.passwords.php#faq.passwords.fasthash – djthoms Jun 28 '17 at 05:23
  • Your code is likely vulnerable to [**SQL injection**](https://en.wikipedia.org/wiki/SQL_injection) attacks. You should use prepared statements with bound parameters, via either the [**mysqli**](https://secure.php.net/manual/en/mysqli.prepare.php) or [**PDO**](https://secure.php.net/manual/en/pdo.prepared-statements.php) drivers. [**This post**](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) has some good examples. – Alex Howansky Jun 29 '17 at 18:25

4 Answers

0

There are two ways:

  1. Either add a condition to your WHERE clause to check whether the user is active or not.
  2. Or, once you have validated the user's username/password, check the status with an if condition and navigate to the correct page accordingly.

Also, correct your SQL to use a prepared statement.

$stmt = $dbConnection->prepare('SELECT * FROM users WHERE UserName = ? AND password = ?');
// bind_param() is called once: the type string has one letter per placeholder,
// and every bound argument must be a variable, because it is taken by reference
$hashedPassword = md5($password);
$stmt->bind_param('ss', $UserName, $hashedPassword);
$stmt->execute();
// get_result() needs the mysqlnd driver; with another driver use bind_result() instead
$user = $stmt->get_result()->fetch_assoc(); // null when no row matched the user/password pair
Ravi
0

I am assuming that you have a column in your DB that stores the user's status. Sooo... The answer to your question is: after checking whether the username exists in your DB, check whether the status is "active" or not. If not, then just display the error message. You may think of another way to query your data, like:

SELECT * FROM USERS WHERE USERNAME = 'username' AND PASSWORD = 'password' AND STATUS = true

So you can determine right away whether it is active or not: if the query does not return anything, it is not.

I hope this helps. :)

Z Mars
  • sql is prone to sql injection. – Ravi Jun 28 '17 at 05:40
  • I understand. So maybe he can use the solution where you have to verify first if username and password is existing. Then he can check for the status right after. :) – Z Mars Jun 28 '17 at 05:55
0

You can check the status after checking for a valid password and return an appropriate message. Try the code below:

if(user_exists($UserName, $db_connect)) {
    // fetch the status in the same query; the column is UserName, as in the question's schema
    $result = mysqli_query($db_connect, "SELECT password, status FROM users WHERE UserName = '$UserName'");
    $retrievepassword = mysqli_fetch_assoc($result);

    if(md5($password) !== $retrievepassword['password']) {
        $alert = "Invalid Password";
    } else {
        // check the status only after the password has been verified
        if($retrievepassword['status'] == 1) { // whatever condition matches your status column
            $_SESSION['UserName'] = $UserName;
            if($checkbox == "on") {
                setcookie("UserName", $UserName, time()+3600);
            }
            header("location: profile.php");
            exit; // stop here so nothing after the redirect header is executed
        } else {
            $alert = "User not active"; // message to display
        }
    }
} else {
    $alert = "Username doesn't exist in database";
}
B. Desai
0

First of all, I would like to point out that you have used $_SESSION without starting the session. To do this you have to write

session_start();

at the beginning of the code.

To verify that the user is logged in, write this just under session_start():

if(isset($_SESSION['UserName']) or isset($_COOKIE['UserName'])){
    header("location: profile.php");
}

If you do not know how to check in profile.php whether the user is logged in, here is how to do it:

PS: I suggest you create a check.php file so that you just include it in the pages reserved for logged in users.

check.php

session_start(); // needed before $_SESSION can be read in this file too

// not logged in means: no session AND no cookie (with "or", a user who did not
// tick "remember me" would be redirected even though the session is set)
if(!isset($_SESSION['UserName']) && !isset($_COOKIE['UserName'])){
    // Redirect to login or enter what you want to happen if the user is not logged in
}
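The check above accepts a `UserName` cookie as proof of login, and a cookie is a value the browser sends, so any visitor can set it to any name. The added example below is editor's code, not part of the answer: a `check.php` that trusts only the server-side session, plus a "remember me" cookie that carries a random token instead of the username. The `remember_tokens` table is an assumption not present on the original page; an in-memory SQLite copy is built so the script runs stand-alone, and `$session`/`$cookies` stand in for `$_SESSION` and `$_COOKIE` so the functions can be exercised without a web server.

```php
<?php
// Added example (editor's code, not from the answer above).
// Assumed table: remember_tokens(selector, validator_hash, UserName, expires).
declare(strict_types=1);

const REMEMBER_SECONDS = 30 * 24 * 3600;

function build_token_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE remember_tokens (
        selector       TEXT PRIMARY KEY,  -- public lookup key
        validator_hash TEXT NOT NULL,     -- sha256 of the secret half
        UserName       TEXT NOT NULL,
        expires        INTEGER NOT NULL
    )");
    return $db;
}

// Call after a successful password login when the box was ticked; the return
// value is the cookie value to hand to setcookie().
function issue_remember_token(PDO $db, string $userName): string
{
    $selector  = bin2hex(random_bytes(9));   // 18 hex chars, stored in clear
    $validator = bin2hex(random_bytes(32));  // 64 hex chars, only its hash is stored
    $stmt = $db->prepare("INSERT INTO remember_tokens (selector, validator_hash, UserName, expires) VALUES (?, ?, ?, ?)");
    $stmt->execute([$selector, hash('sha256', $validator), $userName, time() + REMEMBER_SECONDS]);
    return $selector . ':' . $validator;
}

function set_remember_cookie(string $value): void
{
    // HttpOnly keeps scripts away from it, Secure restricts it to HTTPS;
    // the array form of setcookie() needs PHP 7.3 or later.
    setcookie('remember', $value, [
        'expires'  => time() + REMEMBER_SECONDS,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
}

// Returns the username the cookie proves, or null for a missing, malformed,
// expired or forged cookie.
function user_from_remember_cookie(PDO $db, string $cookie): ?string
{
    $parts = explode(':', $cookie, 2);
    if (count($parts) !== 2 || !ctype_xdigit($parts[0]) || !ctype_xdigit($parts[1])) {
        return null;
    }
    [$selector, $validator] = $parts;
    $stmt = $db->prepare("SELECT validator_hash, UserName, expires FROM remember_tokens WHERE selector = ?");
    $stmt->execute([$selector]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int)$row['expires'] < time()) {
        return null;
    }
    // hash_equals() compares in constant time, so the stored hash cannot be
    // recovered byte by byte from response timing.
    if (!hash_equals($row['validator_hash'], hash('sha256', $validator))) {
        return null;
    }
    return $row['UserName'];
}

// check.php: include at the top of every page reserved for logged-in users.
function require_login(PDO $db, array &$session, array $cookies): ?string
{
    if (isset($session['UserName'])) {
        return $session['UserName'];          // the session is the only proof of identity
    }
    $user = isset($cookies['remember'])
        ? user_from_remember_cookie($db, (string)$cookies['remember'])
        : null;
    if ($user !== null) {
        $session['UserName'] = $user;         // upgrade to a normal session; call session_regenerate_id() here in real code
    }
    return $user;                             // null: header('Location: login.php'); exit;
}

// Demo: a real token logs alice in; a cookie that merely names a user does not.
$db = build_token_db();
$cookie = issue_remember_token($db, 'alice');
$fresh = [];
var_dump(require_login($db, $fresh, ['remember' => $cookie]));
$fresh = [];
var_dump(require_login($db, $fresh, ['remember' => 'alice']));
$fresh = [];
var_dump(require_login($db, $fresh, ['UserName' => 'alice']));   // the original cookie name, now ignored
```

The selector/validator split is what makes the lookup safe: the selector is only an index, the validator never touches the database in clear, so a leaked `remember_tokens` table does not let anyone build a working cookie. Logging out should delete the row for the presented selector as well as destroying the session.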