...

View Full Version : Login script (Active/inactive) account



PRodgers4284
02-20-2008, 11:22 PM
Im working on a login script and i need it to check a field in my database table called "active" which stores a 0 or 1, 0 representing inactive account and a 1 representing an active account. When the user registers to the site it sets the active field to 0 by default. I need the login script to check when the account is active or inactive, if inactive display an error, if active let them login. Can anyone help me, the code commented starting at the line /* Check account is active or inactive */ is where im having difficulty.

my code is:


<?php

$validation = "";

/**
* Checks whether or not the given username is in the
* database, if so it checks if the given password is
* the same password in the database for that user.
* If the user doesn't exist or if the passwords don't
* match up, it returns an error code (1 or 2).
* On success it returns 0.
*/
function confirmUser($username, $password){
global $conn;
/* Add slashes if necessary (for query) */
if(!get_magic_quotes_gpc()) {
$username = addslashes($username);
}

/* Verify that user is in database */
$q = "select password from users where username = '$username'";
$result = mysql_query($q,$conn);
if(!$result || (mysql_numrows($result) < 1)){
return 1; //Indicates username failure
}

/* Retrieve password from result, strip slashes */
$dbarray = mysql_fetch_array($result);
$dbarray['password'] = stripslashes($dbarray['password']);
$password = stripslashes($password);

/* Validate that password is correct */
if($password == $dbarray['password']){
return 0; //Success! Username and password confirmed
}
else{
return 2; //Indicates password failure
}

/* Check account is active or inactive */
$q = "select password,active from users where username = '$username'";
$sql = mysql_query($q);
$row = mysql_fetch_array($sql);

else if($row['active']=='0'{
return 3; //Indicates inactive account
}

StupidRalph
02-20-2008, 11:56 PM
Personally, I'd do things a bit different. For security reasons, when dealing with logins I try to remain as ambigous as I can about why a login actually failed. After a few attempts I'd like freeze the account. If a person is having trouble logging in and can't figure out why I'd reccomend them to the Forgot My Password page where I'd issue a new password via signup email.

Secondly, I'd save a few queries and only run one query something like this:



SELECT COUNT(*) FROM `users` WHERE username = '$username' AND password = '$password' AND active = 1;


If the count returns 1 then you know its a valid user/password combo else the login is invalid.

Finally, are you storing plain text passwords? If so, I'd recommend at the very leasting hashing them with a hash alogorithm

PRodgers4284
02-21-2008, 11:32 AM
Personally, I'd do things a bit different. For security reasons, when dealing with logins I try to remain as ambigous as I can about why a login actually failed. After a few attempts I'd like freeze the account. If a person is having trouble logging in and can't figure out why I'd reccomend them to the Forgot My Password page where I'd issue a new password via signup email.

Secondly, I'd save a few queries and only run one query something like this:



SELECT COUNT(*) FROM `users` WHERE username = '$username' AND password = '$password' AND active = 1;


If the count returns 1 then you know its a valid user/password combo else the login is invalid.

Finally, are you storing plain text passwords? If so, I'd recommend at the very leasting hashing them with a hash alogorithm


Hi thanks for the reply, im having difficulty with the following code below, im i doing this completing wrong. Im storing the passwords as plain text btw


$q = "select password,active from users where username = '$username'";
$sql = mysql_query($q);
$row = mysql_fetch_array($sql);

else if($row['active']=='0'{
return 3; //Indicates inactive account
}


I have the error outputting below along with the other errors this is what i have for the active/inactive error message:


else if($result == 3){
$validation = "Inactive Account";
}

PRodgers4284
02-21-2008, 02:37 PM
I have modified the code to this, but it doesnt check if the account is active or not, can anyone help here:


$q = "select password,active from users where username = '$username'";
$sql = mysql_query($q);
$row = mysql_fetch_array($sql);

if($row['active']=='0'){
return 3; //Success! Active Account
}

else{
return 0; //Indicates password failure
}

_Aerospace_Eng_
02-21-2008, 06:50 PM
What data type is the column active? If its an int then you need to remove the quotes from the 0. You may also want to check and see if register globals is off. If not someone could just do something like this.
http://yoursite.com/login.php?result=1&username=Aero. This will now allow a user with username Aero access to wherever you don't want them to be. You really should be hashing the passwords. Here is a good article on writing secure php. http://www.ilovejackdaniels.com/php/writing-secure-php/

PRodgers4284
02-21-2008, 08:21 PM
What data type is the column active? If its an int then you need to remove the quotes from the 0. You may also want to check and see if register globals is off. If not someone could just do something like this.
http://yoursite.com/login.php?result=1&username=Aero. This will now allow a user with username Aero access to wherever you don't want them to be. You really should be hashing the passwords. Here is a good article on writing secure php. http://www.ilovejackdaniels.com/php/writing-secure-php/

Aerospace thanks for the reply, the active field type is "int", i have removed the quotes but it still doesnt check if the user is active or not. Is there anythin else i can try?

My code is





function confirmUser($username, $password){
global $conn;
/* Add slashes if necessary (for query) */
if(!get_magic_quotes_gpc()) {
$username = addslashes($username);
}

/* Verify that user is in database */
$q = "select password, active from users where username = '$username'";
$result = mysql_query($q,$conn);
if(!$result || (mysql_numrows($result) < 1)){
return 1; //Indicates username failure
}

/* Retrieve password from result, strip slashes */
$dbarray = mysql_fetch_array($result);
$dbarray['password'] = stripslashes($dbarray['password']);
$password = stripslashes($password);


/* Validate that password is correct */
if($password == $dbarray['password']){
return 0; //Success! Username and password confirmed
}
else {
return 2; //Indicates password failure
}
else if($row['active']=='0'{
return 3; //Indicates inactive account
}
}

_Aerospace_Eng_
02-21-2008, 10:54 PM
I've made it a little more secure. I would do something like this

<?php
function confirmUser($username, $password)
{
$val = '';
global $conn;
// check to see if magic_quotes_gpc is 1 or 0
if (ini_get('magic_quotes_gpc'))
{
// if 0 stripslashes
$username = stripslashes($username);
}
// use mysql_real_escape_string since its what its meant for in place of addslashes
$username = mysql_real_escape_string($username,$conn);

/* Verify that user is in database */
$q = "select password, active from users where username = '$username'";
$result = mysql_query($q,$conn) or die(mysql_error());
if(mysql_num_rows($result) != 1)
{
$val = 1; //Indicates username failure
}
else if(mysql_num_rows($result) == 1)
{
/* Retrieve password from result, strip slashes */
$dbarray = mysql_fetch_array($result);
$dbpass = stripslashes($dbarray['password']);
$password = stripslashes($password);
$active = $dbarray['active'];

// if they are a user and account is active check their password
// if they are a user but account is inactive then don't check their password and return 3 for inactive\
$val = ($active == 1) ? (strcmp($dbpass,$password) == 0) ? 0 : 2 : 3;
// the above is a ternary operator in a ternary operator. Its the equivalent of the below
// if($active == 1)
// {
// if(strcmp($dbpass,$password) == 0)
// {
// $val = 0;
// }
// else
// {
// $val = 2;
// }
// }
// else
// {
// $val = 3;
// }

}
else
{
// if some how the if else clause gets to here it will set $val to -1
$val = -1;
}
// finally we return val
// $val = 0 username and password are good
// $val = 2 password is wrong but again just use a stand error like Login Error
// $val = 3 account is inactive
// $val = -1 there is likely the same username twice in the database or something went wrong
return $val;
}
?>
Usage:

echo confirmUser('Aero','dog'); // will return an integer according to the check
Read the comments as they help you learn.



EZ Archive Ads Plugin for vBulletin Copyright 2006 Computer Help Forum