Jump to content

banning users

onthespot

By onthespot
in PHP Coding Help

 Share

Recommended Posts

onthespot Advanced Member

onthespot

Posted
Posted

I am using a system where I have a userlevel in the db. If the userlevel is 3, they are banned.

Therefore to make this work, I have done the following:

 

   function confirmUserPass($username, $password){

      if(!get_magic_quotes_gpc()) {
      $username = addslashes($username);
      }


      $q = "SELECT password FROM ".TBL_USERS." WHERE username = '$username'";
      $result = mysql_query($q, $this->connection);
      if(!$result || (mysql_numrows($result) < 1)){
         return 1; //Indicates username not correct.
      }


      $dbarray = mysql_fetch_array($result);
      $dbarray['password'] = stripslashes($dbarray['password']);
      $dbarray['userlevel'] = stripslashes($dbarray['userlevel']);
      $password = stripslashes($password);
  
  /* Validate that userlevel IS NOT 3 */
      if($dbarray['userlevel'] == 3){
        return 3; //Indicates account is banned
      }

      if($password == $dbarray['password']){
         return 0; 
      }
      else{
         return 2; 
      }
   }

 

As you can see, it checks if the user is banned.

 

Then the following script comes into it

 

  if($result == 1){
         $field = "user";
         $form->setError($field, "* Username not found");
      }
      else if($result == 2){
         $field = "pass";
         $form->setError($field, "* Invalid password");
      }
    else if($result == 3){
        $field = "user";
        $form->setError($field, "* Your account has been banned");
      }

 

The problem is, while the username not found and invalid password both work, the user can still log in even though they are banned.

Any ideas?

Link to comment
Share on other sites
ignace Advanced Member

ignace

Posted
Posted

If the userlevel is 3, they are banned.

 

else if($result == 3){

    $field = "user";

    $form->setError($field, "* Your account has been banned");

}

 

$result == 3 means nothing to some other programmer, rather use something like:

 

define('USER_STATE_BANNED', 3);

if ($result == USER_STATE_BANNED) { ..

 

$dbarray['userlevel'] = stripslashes($dbarray['userlevel']);

 

Don't think abstract if you are working concrete. In your application design userlevel is a number therefor:

 

$dbarray['userlevel'] = (int) $dbarray['userlevel'];

 

will be more appropriate.

 

if($result == 1){
    $field = "user";
    $form->setError($field, "* Username not found");
}
else if($result == 2){
    $field = "pass";
    $form->setError($field, "* Invalid password");
}
else if($result == 3){
    $field = "user";
    $form->setError($field, "* Your account has been banned");
}

 

$form->setError($field, "* Your account has been banned"); won't stop the user from logging in, you are not taking any measures.

 

 

Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.