Login/ban script

[OneEyedWillie]

Hi, I wrote a login, register, and IP ban script. I now want to expand the IP ban to only a username ban. I setup the database, but I'm having troubles checking for the ban and the correct password. I want to verify the password before the user is shown the ban page.

Here is my signin.php page

<?php

//Database Information

$dbhost = "localhost";
$dbname = "islewar";
$dbuser = "islewar";
$dbpass = "***";

//Connect to database

mysql_connect ($dbhost, $dbuser, $dbpass)or die("Could not connect: ".mysql_error());
mysql_select_db($dbname) or die(mysql_error());

session_start();
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string(md5($_POST['password']));

$banquery = mysql_query("select * from users where username='$username' and password='$password'"); mysql_query("select * from bans where username='$username'");
$ban_exist = mysql_num_rows($banquery);

$query = "select * from users where username='$username' and password='$password'";

$result = mysql_query($query);

if ($ban_exist > 0){
include 'userban.html';

} elseif (mysql_num_rows($result) != 1) {
    include 'loginfail.php';

} else {
$_SESSION['username'] = "$username";
include "members.php";
}

?>

I read about a 'hack' to execute two mysql queries but that didn't do anything. Maybe someone has had a similar issue.

 

Thanks

[btherl]

That code is a bit of a mess.  Try this:

 

<?php

//Database Information

$dbhost = "localhost";
$dbname = "islewar";
$dbuser = "islewar";
$dbpass = "***";

//Connect to database

mysql_connect ($dbhost, $dbuser, $dbpass)or die("Could not connect: ".mysql_error());
mysql_select_db($dbname) or die(mysql_error());

session_start();
$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string(md5($_POST['password']));

# Is the user's password correct?
$query = "select * from users where username='$username' and password='$password'";
$result = mysql_query($query);
$password_correct = mysql_num_rows($result);

# Is this user banned?
$banquery = mysql_query("select * from bans where username='$username'");
$ban_exist = mysql_num_rows($banquery);

if ($ban_exist > 0 && $password_correct > 0){
include 'userban.html';


} elseif ($ban_exist == 0 && $password_correct == 1) {
$_SESSION['username'] = "$username";
include "members.php";
} else {
    include 'loginfail.php';
}

?>

 

I've re-ordered the if/then/else because I don't feel comfortable about having "log the user in" as the default case.

 

With mysql queries you need to have a clear idea of where the data goes.  First there is a query, then a query result (from mysql_query()), and then data derived from the query result like the number of rows and the values in the rows.  In your original code the query result from the "ban" query was not being stored in a variable.

[OneEyedWillie]

Thanks!! That worked great! I can't even thank you enough. I just started learning PHP so my code sometimes gets a bit sloppy 

[btherl]

You're welcome   Good luck with your coding!

 

BTW I just noticed I used $password_correct > 0 and $password_correct == 1 in the code I posted.  I should have used the same condition both times, that was a mistake.  I don't want you to think there's any special reason for that, it's just me not being careful