I developed a PHP login system that, when the user logs in and the account is still not activated by the admin, will display message2, and if the user inputs wrong credentials it will display message1.

I am almost done with the work, but I am confused about why the condition always falls under message1.

Here is my code.

<?php
    session_start();
    if(isset($_POST["submit"])){
      // windows
      // $servername = "localhost";
      // $username = "root";
      // $password = "";
      // $dbname = "loginDB";

      // linux
      $servername = "localhost";
      $username = "root";
      $password = "gmg0ddepfrxs";
      $dbname = "loginDB";

    // Create connection
    $conn = mysqli_connect($servername, $username, $password, $dbname);

    // Check connection
    if (!$conn){
      die("Connection failed: " . mysqli_connect_error());
    }

    $uname = $_POST["name"];
    $password = $_POST["pwd"];

    $sql = "SELECT * FROM user WHERE user_name='$uname' AND password='$password'";
    $result = mysqli_query($conn, $sql);

    while($row = mysqli_fetch_assoc($result)){
      $utype = $row["user_type"]; //1
      $status = $row["user_status"]; //0
      $username = $row["user_name"]; //USERNAME
      $password = $row["password"]; // the user's password
    }

    if (mysqli_num_rows($result) > 0 AND $utype == '1'){
      // session_start();
      $_SESSION["login"] = "access";
      setcookie("name",$uname,false);     
      echo "<script>window.location.href=\"member.php\"</script>"; 
    }elseif (mysqli_num_rows($result) <= 0) {
      echo "<script>window.location.href=\"index.php?msg=1\"</script>"; 
    }elseif ($utype == '0') {
      echo "<script>window.location.href=\"index.php?msg=2\"</script>"; 
    }

 }
?>

Here is my HTML code.

<html>
<form action='login.php' method="post">
  <table cellspacing='5' align='center'>
    <tr>
      <td>Username:</td>
      <td>
        <input required type='text' name='name' />
      </td>
    </tr>
    <tr>
      <td>Password:</td>
      <td>
        <input required type='password' name='pwd' />
      </td>
    </tr>
    <tr>
      <td></td>
      <td>
        <input type='submit' name='submit' value='Submit' />
      </td>
    </tr>
  </table>
  <?php if(isset($_GET["msg"])){
      $errmsg=$_GET["msg"];
       if($errmsg==1){ echo "<div style='text-align: center;'><h5> <font color = \"red\"> Incorrect username and/or password! have you registered? </font></h5></div>"; }
       elseif ($errmsg==2) { echo "<div style='text-align: center;'><h5> <font color = \"red\"> Contact admin to activate your account. </font></h5></div>"; } } ?>

</form>
<div style="text-align: center;">
  <a href="register.php">
    <button>Register here</button>
  </a>
</div>

</html>
GTAT
  • [Your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php) – Jay Blanchard Feb 05 '16 at 19:43
  • Please use PHP's [built-in functions](http://jayblanchard.net/proper_password_hashing_with_PHP.html) to handle password security. If you're using a PHP version less than 5.5 you can use the `password_hash()` [compatibility pack](https://github.com/ircmaxell/password_compat). – Jay Blanchard Feb 05 '16 at 19:44
  • You need to add error checking to your query, you're assuming it always works. – Jay Blanchard Feb 05 '16 at 19:45
  • that `if()` belongs inside `while()`. more importantly, the `$utype == '1'` however you may need to remove the quotes around the 1. That may be interpreted as a string, rather than an integer. – Funk Forty Niner Feb 05 '16 at 19:54
  • @Fred-ii- Hi, thanks for answering. But it's still not working. – GTAT Feb 05 '16 at 19:58
  • you're welcome. another thing I forgot is that `if (mysqli_num_rows($result))` belongs before the `while`. you need to check if the row exists first, then `while`, then `if`. and check for errors too. – Funk Forty Niner Feb 05 '16 at 19:59
  • you also didn't post your HTML form, so it's unknown if it's correct, post method and name attributes for the POST arrays, and if your columns are long enough to accommodate the data etc. check for all that. – Funk Forty Niner Feb 05 '16 at 20:02
  • ok, it seems like I'm out of this loop. somebody posted an answer now. ask them. – Funk Forty Niner Feb 05 '16 at 20:05
  • Hi @Fred-ii- I've included the HTML form. – GTAT Feb 05 '16 at 20:16

1 Answer

Use a simple header location to redirect your users:

<?php
session_start();
if(isset($_POST["submit"])){

  $servername = "localhost";
  $username = "root";
  $password = "gmg0ddepfrxs";
  $dbname = "loginDB";

// Create connection
$conn = mysqli_connect($servername, $username, $password, $dbname);

// Check connection
if (!$conn){
  die("Connection failed: " . mysqli_connect_error());
}

$uname = $_POST["name"];
$password = $_POST["pwd"];

$sql = "SELECT * FROM user WHERE user_name='$uname' AND password='$password'";
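$result = mysqli_query($conn, $sql);
if (!$result) {
  // the query itself failed (not the same as "no matching row")
  error_log("Login query failed: " . mysqli_error($conn));
  die("Login is temporarily unavailable.");
}
$row = mysqli_fetch_assoc($result);
$totalRows_result = mysqli_num_rows($result);

// no matching row: wrong username and/or password
if ($totalRows_result == 0) {
  header("location: index.php?msg=1");
  exit; // stop here so the redirects below cannot replace this one
}

$utype = $row["user_type"]; //1
$status = $row["user_status"]; //0

if ($utype == '1'){
  // activated account
  $_SESSION["login"] = "access";
  setcookie("name",$uname,false);
  header("location: member.php");
} else {
  // account exists but is not activated yet
  header("location: index.php?msg=2");
}
exit;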
}
?>
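
A hardened version of the login check discussed in this thread, as an added example that is not part of the original question or answer: it uses a prepared statement and `password_verify()` as the comments recommend, and reports "not activated" only after the password has been verified. It assumes the `password` column stores `password_hash()` output and that `user_type` 1 means activated, as in the question's code; the `LOGIN_DB_*` environment variable names and the `login_outcome()` helper are hypothetical.

```php
<?php
// Added example. Assumptions: `password` holds password_hash() output,
// user_type 1 = activated, LOGIN_DB_* env var names are hypothetical.

// Returns 'ok', 'inactive' or 'bad_credentials' for one login attempt.
function login_outcome(mysqli $conn, string $uname, string $pwd): string
{
    // The ? placeholder keeps user input out of the SQL text.
    $stmt = mysqli_prepare($conn,
        "SELECT password, user_type FROM user WHERE user_name = ? LIMIT 1");
    mysqli_stmt_bind_param($stmt, "s", $uname);
    mysqli_stmt_execute($stmt);
    $row = mysqli_fetch_assoc(mysqli_stmt_get_result($stmt)); // needs mysqlnd
    mysqli_stmt_close($stmt);

    // Unknown user and wrong password are indistinguishable to the caller.
    if (!$row || !password_verify($pwd, $row["password"])) {
        return "bad_credentials";
    }
    // Activation state is revealed only after the password has been verified.
    return ((int)$row["user_type"] === 1) ? "ok" : "inactive";
}

session_start();
if (isset($_POST["submit"])) {
    $uname = $_POST["name"] ?? "";
    $pwd   = $_POST["pwd"] ?? "";
    $outcome = "bad_credentials";
    if (is_string($uname) && is_string($pwd)) {
        // Make mysqli throw on errors instead of returning false silently.
        mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
        $conn = mysqli_connect(getenv("LOGIN_DB_HOST"), getenv("LOGIN_DB_USER"),
                               getenv("LOGIN_DB_PASS"), getenv("LOGIN_DB_NAME"));
        $outcome = login_outcome($conn, $uname, $pwd);
    }
    if ($outcome === "ok") {
        session_regenerate_id(true);   // fresh session id after authentication
        $_SESSION["login"] = "access";
        header("Location: member.php");
    } else {
        header("Location: index.php?msg=" . ($outcome === "inactive" ? 2 : 1));
    }
    exit;   // nothing after a redirect should run
}
```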