banning users

[onthespot]

I am using a system where I have a userlevel in the db. If the userlevel is 3, they are banned.

Therefore to make this work, I have done the following:

 

   function confirmUserPass($username, $password){

      if(!get_magic_quotes_gpc()) {
      $username = addslashes($username);
      }


      $q = "SELECT password FROM ".TBL_USERS." WHERE username = '$username'";
      $result = mysql_query($q, $this->connection);
      if(!$result || (mysql_numrows($result) < 1)){
         return 1; //Indicates username not correct.
      }


      $dbarray = mysql_fetch_array($result);
      $dbarray['password'] = stripslashes($dbarray['password']);
      $dbarray['userlevel'] = stripslashes($dbarray['userlevel']);
      $password = stripslashes($password);
  
  /* Validate that userlevel IS NOT 3 */
      if($dbarray['userlevel'] == 3){
        return 3; //Indicates account is banned
      }

      if($password == $dbarray['password']){
         return 0; 
      }
      else{
         return 2; 
      }
   }

 

As you can see, it checks if the user is banned.

 

Then the following script comes into it

 

  if($result == 1){
         $field = "user";
         $form->setError($field, "* Username not found");
      }
      else if($result == 2){
         $field = "pass";
         $form->setError($field, "* Invalid password");
      }
    else if($result == 3){
        $field = "user";
        $form->setError($field, "* Your account has been banned");
      }

 

The problem is, while the username not found and invalid password both work, the user can still log in even though they are banned.

Any ideas?

[ignace]

If the userlevel is 3, they are banned.

 

else if($result == 3){

    $field = "user";

    $form->setError($field, "* Your account has been banned");

}

 

$result == 3 means nothing to some other programmer, rather use something like:

 

define('USER_STATE_BANNED', 3);

if ($result == USER_STATE_BANNED) { ..

 

$dbarray['userlevel'] = stripslashes($dbarray['userlevel']);

 

Don't think abstract if you are working concrete. In your application design userlevel is a number therefor:

 

$dbarray['userlevel'] = (int) $dbarray['userlevel'];

 

will be more appropriate.

 

if($result == 1){
    $field = "user";
    $form->setError($field, "* Username not found");
}
else if($result == 2){
    $field = "pass";
    $form->setError($field, "* Invalid password");
}
else if($result == 3){
    $field = "user";
    $form->setError($field, "* Your account has been banned");
}

 

$form->setError($field, "* Your account has been banned"); won't stop the user from logging in, you are not taking any measures.