
I'm coding a PHP chat and I recently added an activated field. It works right, but the error message displays 24/7.

I have tried the else tag, used 'no' in the activated table, and redefined it to the $result.

$result = mysqli_query($conn , "SELECT * from user where email='$email' and password='$password' and activated = 'yes' ");
while($row = mysqli_fetch_assoc($result))
{
    $_SESSION['email'] = $row['email'];
    $_SESSION['password'] = $row['password'];
    $_SESSION['name'] = $row['name'];
}
if(mysqli_num_rows($result)>0){         
    $query = mysqli_query($conn, "UPDATE user SET status = 'Online' WHERE email = '$email' ");
    header('location: index.php');
}
else {
    echo "<font color='red'><p align='center'>Incorrect Email or Password</p>";
}   
$activated = $result;
if($activated == 'yes'){

} else {
    //This is the Activated Error that's not working.
    echo "<font color='red'><p align='center'>Your Account Has Been Suspended</p>";
}

I want the error message to display only if the user's account is suspended, but the result I get is that the message displays to all users, and their accounts are not suspended.

Alon Eitan
  • **Never store plain text passwords!** Please use **[PHP's built-in functions](//php.net/manual/en/function.password-hash.php)** to handle password security. If you're using a PHP version less than 5.5 you can use the password_hash() **[compatibility pack](https://github.com/ircmaxell/password_compat)** (and you should consider upgrading to a supported version of PHP). Make sure you **[don't escape passwords](//stackoverflow.com/q/36628418/1011527)** or use any other cleansing mechanism on them before hashing. Doing so changes the password and causes unnecessary additional coding. – John Conde Jul 04 '19 at 14:50
  • Please read about **[SQL injection](https://en.wikipedia.org/wiki/SQL_injection)**. Instead of building queries with string concatenation, use **[prepared statements](https://secure.php.net/manual/en/pdo.prepare.php)** with **[bound parameters](https://secure.php.net/manual/en/pdostatement.bindparam.php)**. See **[this page](https://phptherightway.com/#databases)** and **[this post](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)** for some good examples. – John Conde Jul 04 '19 at 14:50
  • `$result` can never be `"yes"` because it is an object. – Refilon Jul 04 '19 at 14:54
  • There should also never be any reason to store the password in a session variable. – M. Eriksson Jul 04 '19 at 14:57
  • You need to read the [documentation](https://www.php.net/manual/en/mysqli.query.php) - `$result` is a [mysqli_result](https://www.php.net/manual/en/class.mysqli-result.php) instance, so I have no idea how or why are you comparing it to `"yes"` – Alon Eitan Jul 04 '19 at 14:57
  • It's used to check if the user's password and email match any in the database – charlie wise Jul 04 '19 at 15:05
  • @charliewise You can use a flag like, `$isActivated = false;` (Set it at the top of your code) and inside the `while($row = mysqli_fetch_assoc($result)){ }` loop you should set it to `$isActivated = true;` and then you will be able to check `if($isActivated){}` – Alon Eitan Jul 04 '19 at 15:23

1 Answer


Your SQL is only loading records where activated = 'Yes', so do you even need this check?

$result is the resultset of your query, which will never equal 'Yes'.

thirtyish