-1

After registration on my site the activation link sets a field 'activated' in the table to 1 from 0. So unless a user clicks on the activation link, he/she should not be able to login, but for some reason login function is still executing and activation is of no use, I have even tried the AND condition in the query but no use, can someone please help me with my code. 

function login()
{   

if(isset($_POST['submit']))

{

    $db = new Connection(DB_HOST, DB_USER, DB_PASS, DB_NAME);
    $username = mysql_real_escape_string($_POST['username']);
    $password = mysql_real_escape_string($_POST['password']);

    if($username == '')
    {
        setMessage('Sorry you did not enter a username.', 0);
        header('Location: '.BASE_URL.'dashboard/login');
        exit;
    }
    elseif($password == '')
    {
        setMessage('Sorry, you did not enter a password.', 0);
        header('Location: '.BASE_URL.'dashboard/login');
        exit;
    }
    else
    {
        $result = $db->query('
        SELECT ID, name, email, password, type, activated, suspended, count
        FROM users
        WHERE email = "'.$username.'"
        LIMIT 1
        ');

        $totalRows = mysql_num_rows($result);

        if($totalRows == 1)
        {
            while($row = mysql_fetch_assoc($result))
            {
                if(verifyPassword($password, $row['password']) == TRUE)
                {
                    if($row['activated'] == 0)
                    {
                        setMessage('You have not activated your account.', 0);
                        header('Location: '.BASE_URL.'dashboard/login');
                        exit;
                    }

                    if($row['suspended'] == 1)
                    {
                        setMessage('Your account is suspended. You may request to have your account restored by sending us a message on the Contact us page of newtongrads.com.', 0);

                        header('Location: '.BASE_URL.'dashboard/login');
                        exit;
                    }

                    if($row['type'] != 'ADMIN')
                    {
                        setMessage('You don\'t have enough privileges to access this page.', 0);
                        header('Location: '.BASE_URL.'dashboard/login');
                        exit;
                    }
                    else
                    {
                        $_SESSION['admin']['sessionID'] = base64_encode(date('Ymdhis'));
                        $_SESSION['admin']['userID'] = $row['ID'];
                        $_SESSION['admin']['email'] = $row['email'];
                        $_SESSION['admin']['type'] = $row['type'];
                        $_SESSION['admin']['fullName'] = getName($row['ID']);
                        $_SESSION['admin']['profileImage'] = $row['ID'];

                        setcookie('username', $username, time() + (86400 * 7));

                        //setcookie('password', $password, time() + (86400 * 7));

                        //$row['type'];

                        $query = 'UPDATE users
                        SET count = "'.($row['count']+1).'"
                        WHERE ID = "'.$row['ID'].'"';

                        $db->query($query);

                        setMessage('Successfully logged in.', 1);
                        header('Location: '.BASE_URL.'dashboard/home');
                        exit;
                    }
                }
                else
                {
                    setMessage('Sorry, you have entered an incorrect password.', 0);
                    header('Location: '.BASE_URL.'dashboard/login');
                    exit;
                }
            }
        }
        else
        {
            setMessage('Sorry, no user exists with that username.', 0);
            header('Location: '.BASE_URL.'dashboard/login');
            exit;
        }
    }
}
}
Kaymaz
  • 454
  • 8
  • 23
user3297381
  • 11
  • 1
  • 6
  • http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php – Mark Oct 03 '14 at 13:54

1 Answers1

-1

use this code this should work

            <?php

            function login()

            {
            if(isset($_POST['submit']))

            {



                $db = new Connection(DB_HOST, DB_USER, DB_PASS, DB_NAME);



                $username = mysql_real_escape_string($_POST['username']);

                $password = mysql_real_escape_string($_POST['password']);



                if($username == '')

                {



                    setMessage('Sorry you did not enter a username.', 0);

                    header('Location: '.BASE_URL.'dashboard/login');

                    exit;



                }

                elseif($password == '')

                {



                    setMessage('Sorry, you did not enter a password.', 0);

                    header('Location: '.BASE_URL.'dashboard/login');

                    exit;



                }

                else

                {



                    $result = $db->query('

                    SELECT ID, name, email, password, type, activated, suspended, count

                    FROM users

                    WHERE email = "'.$username.'"

                    LIMIT 1

                    ');



                    $totalRows = mysql_num_rows($result);



                    if($totalRows == 1)

                    {



                        while($row = mysql_fetch_assoc($result))

                        {



                            if(verifyPassword($password, $row['password']) == TRUE)

                            {


                                $activated = $row['activated']; 
                                if($activated == 0)

                                {



                                    setMessage('You have not activated your account.', 0);

                                    header('Location: '.BASE_URL.'dashboard/login');

                                    exit;



                                }



                                if($row['suspended'] == 1)

                                {



                                    setMessage('Your account is suspended. You may request to have your account restored by sending us a message on the Contact us page of newtongrads.com.', 0);

                                    header('Location: '.BASE_URL.'dashboard/login');

                                    exit;



                                }



                                if($row['type'] != 'ADMIN')

                                {



                                    setMessage('You don\'t have enough privileges to access this page.', 0);

                                    header('Location: '.BASE_URL.'dashboard/login');

                                    exit;



                                }

                                else

                                {



                                    $_SESSION['admin']['sessionID'] = base64_encode(date('Ymdhis'));

                                    $_SESSION['admin']['userID'] = $row['ID'];

                                    $_SESSION['admin']['email'] = $row['email'];

                                    $_SESSION['admin']['type'] = $row['type'];

                                    $_SESSION['admin']['fullName'] = getName($row['ID']);

                                    $_SESSION['admin']['profileImage'] = $row['ID'];



                                    setcookie('username', $username, time() + (86400 * 7));

                                    //setcookie('password', $password, time() + (86400 * 7));

                                    //$row['type'];

                                    $query = 'UPDATE users

                                    SET count = "'.($row['count']+1).'"

                                    WHERE ID = "'.$row['ID'].'"';

                                    $db->query($query);



                                    setMessage('Successfully logged in.', 1);

                                    header('Location: '.BASE_URL.'dashboard/home');

                                    exit;



                                }

                            }

                            else

                            {



                                setMessage('Sorry, you have entered an incorrect password.', 0);

                                header('Location: '.BASE_URL.'dashboard/login');

                                exit;



                            }



                        }



                    }

                    else

                    {



                        setMessage('Sorry, no user exists with that username.', 0);

                        header('Location: '.BASE_URL.'dashboard/login');

                        exit;



                    }



                }



            }
            }
            ?>

            ?>
Pavan Jiwnani
  • 274
  • 1
  • 5
  • You should try to explain why it wasn't working, in addition to posting a solution. Otherwise the OP is prone to make the same mistake again without knowing how to fix it. – Mark Oct 03 '14 at 14:02
  • @Mark thanks for your suggestion actually OP is directly accessing the $row['activated'] inside a if condition which is a logical error due to precedence therefore I have stored the result in a variable then executed the if condition which should work fine – Pavan Jiwnani Oct 03 '14 at 14:05
  • omg! I got -1 for answering a question ? I am new to this community but seems like you guys are pretty rude – Pavan Jiwnani Oct 03 '14 at 14:08
  • @PavanJiwnani Thanks but it still is not working, logs in straight away whereas it should execute the last else – user3297381 Oct 03 '14 at 14:08
  • ohk you are using if condition instead of elseif kindly replace all inner if conditions with elseif otherwise it will just check the type if its not admin then it will login to the system – Pavan Jiwnani Oct 03 '14 at 14:11
  • @PavanJiwnani As I stated in my comment, your answer contains no information about what went wrong, only a solution for this single use case. If another user comes along with different code, he can't just paste in your solution, nor can he read your answer to extrapolate what went wrong. Answering questions is not just about providing a solution, it's also about teaching what went wrong so someone can fix it again without your help. – Mark Oct 03 '14 at 14:12
  • @PavanJiwnani still no use :( any other idea? – user3297381 Oct 03 '14 at 14:17
  • @user3297381 could you please echo the contents of activated ? data might not be stored correctly – Pavan Jiwnani Oct 03 '14 at 14:25
  • the field is set to a default defined value of 0, so i am sure the field is not empty, but umm how do i echo it? not that good at php as you can see – user3297381 Oct 03 '14 at 14:36
  • paste this line echo $activated; above if($activated == 0) and execute the file in your browser somewhere on the output you will find 0 or 1 – Pavan Jiwnani Oct 03 '14 at 15:06
  • it worked when I changed the statement to if(!$row['activated']) – user3297381 Oct 03 '14 at 15:15
  • welcome bro! make sure now its working with activated accounts as well – Pavan Jiwnani Oct 03 '14 at 15:19