[SOLVED] account validation/login


NSW42

Heya,

When a user joins my site they get sent an email to verify their email address, which is what it's supposed to do, but even if they don't validate the email, they can still log in to the site. Again, this is what the script allows, but what I want is: unless they verify their account via the email they get sent, I don't want them to be able to log in to the site, as it defeats the purpose of even sending the email in the 1st place to make sure it's a valid email. The code below works on 1 or 0 for verified emails, but I'm sure it can be done in a way to stop members logging in until they verify their email address. Any help on this is appreciated.

<?php
ob_start("ob_gzhandler");

session_start();
include("includes/config.php");

  $email=str_replace("'","",$HTTP_POST_VARS["email"]);
  $password=str_replace("'", "", $HTTP_POST_VARS["password"]);
  $password=md5($password);

        $sql="select * from members where member_email like '$email' and member_password like '$password' and enabled = '1'";
        $result=mysql_query($sql);
        $num_rows=mysql_num_rows($result);
        $RSUser=mysql_fetch_array($result);
  if ($num_rows==0)
  {
        print ("<script language='JavaScript'> window.location='index.php?err=1'; </script>");
  }
  else
  {
  //if($RSUser["email_verify"]==0)
  //{
  //      print ("<script language='JavaScript'> window.location='login.php?err=2'; </script>");
  //}
  //else
  //{
        $posted_on=date("m/d/Y");
        $ip_address=$_SERVER['REMOTE_ADDR'];


HTTP_POST has been deprecated; use $_POST instead.

On the login verification page do you set enabled to be 0? If not, that is your problem. To me it does not seem like that is what you are doing. From this code, given what you stated, it "should" work. But yea, without seeing where the register information is entered, it is hard to say.

Also you should set member_password to be = not like; this can be a security risk/vulnerability. Same with the member email.

Thanks for your help so far, and in the members table verify email, its default setting is 0, so I'm guessing a code in the above file to allow login only if there is "1" instead of "0". But to be very honest, I have no clue on how to go about it, hence asking for help here.
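
One way to implement the check asked about in this thread, as an added example that is not code from any of the posters: the login is refused unless `email_verify` is 1, and the lookup uses `=` with bound parameters instead of `like`. Table and column names follow the post; the `check_login()` helper, the in-memory SQLite database, the sample rows and the use of `password_hash()` instead of `md5()` are assumptions.

```php
<?php
// Added example: table and column names follow the post; the in-memory SQLite
// database and the sample rows are constructed so the script runs stand-alone.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE members (
    member_email TEXT UNIQUE, member_password TEXT,
    enabled INTEGER DEFAULT 1, email_verify INTEGER DEFAULT 0)");
$ins = $db->prepare("INSERT INTO members VALUES (?, ?, 1, ?)");
// Assumption: passwords are stored with password_hash(), not md5() as in the post.
$ins->execute(['verified@example.test',   password_hash('s3cret', PASSWORD_DEFAULT), 1]);
$ins->execute(['unverified@example.test', password_hash('s3cret', PASSWORD_DEFAULT), 0]);

/**
 * Hypothetical helper. Returns 'ok', 'bad_credentials' (err=1 in the post)
 * or 'unverified' (err=2 in the post).
 */
function check_login(PDO $db, string $email, string $password): string
{
    // Exact match with "=" and a bound parameter: "%" and "_" in the input
    // are not treated as wildcards, and quotes cannot alter the query.
    $stmt = $db->prepare(
        "SELECT member_password, email_verify FROM members
         WHERE member_email = ? AND enabled = 1");
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Check the password first, so the verification status of an address
    // is only disclosed to someone who knows its password.
    if ($row === false || !password_verify($password, $row['member_password'])) {
        return 'bad_credentials';
    }
    if ((int) $row['email_verify'] !== 1) {
        return 'unverified';   // stop here: no session is created
    }
    return 'ok';
}

// "%" is a LIKE wildcard; compared with "=" it matches no row.
foreach ([['verified@example.test', 's3cret'], ['unverified@example.test', 's3cret'],
          ['%', 's3cret'], ['verified@example.test', 'wrong']] as [$e, $p]) {
    printf("%-26s %-7s => %s\n", $e, $p, check_login($db, $e, $p));
}
```

In the login script, only the `'ok'` result should go on to set session variables; the other two results redirect with the matching `err` code.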
