Block Unconfirmed Logins

[justlukeyou]

Hi,

 

It is 21:45 and I have spent 8 hours today trying to finish off my login page. The last stage is stop someone from logging in if their account is not confirmed. This is the closest I have got to it.

 

If the user has confirmed their account it should have a Y in the 'accountconfirmed' row.

 

Can anyone please advise how I return a message and block someone from logging into an unconfirmed account?

 

$accounty = ('Y'); 

$query_rsSearch = "SELECT * FROM users WHERE `accountconfirmed` = '$accounty'";
$rsSearch = mysql_query($query_rsSearch) or die(mysql_error());
$row_rsSearch = mysql_fetch_assoc($rsSearch);
$totalRows_rsSearch = mysql_num_rows($rsSearch);

if($totalRows_rsSearch != 0) {
$errors['confirmedaccount'] = "Your account has not yet been confirmed.  Please request a confirmation email.";
}

[KevinM1]

You don't want to search for all activated users, which is what you're doing now. You want to check that:

 

1. The current user exists (in other words, they can be found in the db with their login credentials)

2. IF they exist, then you check to see if their account has been activated. Notice that I bolded 'if' (*hint hint*)

 

The reason why I break it up is for the end user. You can have the following error conditions:

 

1. They're not in the system

2. They're in the system but not activated

 

If you put it all in one query, you won't be able to tell which case caused the query to return 0 rows. So, first you check to see if they even exist. Then, if they do, you check to see if they've been activated.

 

I'm not going to give you the code because you should be able to figure it out given the base algorithm I just provided. Create a small, standalone test script, and work in sections. Incorporate it when it works properly.

[justlukeyou]

Thanks,

 

I have now got it like this. It returns the correct error messages when someone has not confirmed their account but only their enters their email address. However it does block someone from logging in when they enter both their email address and password.

 

How would I block someone from logging in if their account is not confirmed?

 

 

$emailAddress = $_POST['email'];

$query_rsSearch = "SELECT * FROM users WHERE `email` = '$emailAddress'";
$rsSearch = mysql_query($query_rsSearch) or die(mysql_error());
$row_rsSearch = mysql_fetch_assoc($rsSearch);
$totalRows_rsSearch = mysql_num_rows($rsSearch);

$activeStatus = $row_rsSearch['accountconfirmed'];

if($totalRows_rsSearch == 0) {
$errors['loginEmail'] = "Your email address is not registered";
} else {
if($activeStatus == "Y") {
//'Y' MEANS ACCOUNT HAS BEEN ACTIVATED - SHOW WEBSITE

} else {
//ACCOUNT HAS NOT BEEN ACTIVATED YET .
$errors['confirmedaccount'] = "Your account has not yet been confirmed. Please request a confirmation email.";
}
}

Edited February 23, 2013 by KevinM1

[KevinM1]

You don't log them in and show them the error message?

 

You have 90% of it. The rest is just a matter of either doing your normal successful login routine, or not, depending on whether they're activated.

[justlukeyou]

But I dont know how to stop them from logging in.

 

 

$emailAddress = $_POST['email'];

$query_rsSearch = "SELECT * FROM users WHERE `email` = '$emailAddress'";
$rsSearch = mysql_query($query_rsSearch) or die(mysql_error());
$row_rsSearch = mysql_fetch_assoc($rsSearch);
$totalRows_rsSearch = mysql_num_rows($rsSearch);

$activeStatus = $row_rsSearch['accountconfirmed']; 

if($totalRows_rsSearch == 0) {
$errors['loginEmail'] = "Your email address is not registered";
} else {
if($activeStatus != "Y") {

$errors['confirmedaccount'] = "Your account has not yet been confirmed. Please request a confirmation email.";
}
}

[KevinM1]

Why not? Logging in means that you do something to identify that they're logged in, like set a cookie or session value. That identifier is used to give them access to parts of your site. To stop them from doing that, just don't set that cookie or session value.

[justlukeyou]

Hi,

 

I dont understand what you mean. If their account is not confirmed I dont want a user to log in. Are you suggesting that I let someone logging in even if they have not confirmed their account?

 

I do not know how to block a user from logging in if they have not confirmed their account.

Edited February 23, 2013 by justlukeyou

[trq]

I do not know how to block a user from logging in if they have not confirmed their account.

 

Lets put this another way then. Do you know how you  are currently logging your users in?

 

If so, simply don't do it for accounts that are not confirmed.

 

If you don't know how you are currently logging your users in, you best investigate that first.

[justlukeyou]

Oh right, so I need something like this? ....

 

But this still allows me to login into unconfirmed accounts.

 

       $query_rsSearch = "SELECT * FROM users WHERE `email` = '$emailAddress'";
$rsSearch = mysql_query($query_rsSearch) or die(mysql_error());
$row_rsSearch = mysql_fetch_assoc($rsSearch);
$totalRows_rsSearch = mysql_num_rows($rsSearch);

   $accounty = ('Y');

   // Login attempt
   if(isset($_POST['loginSubmit']) && $_POST['loginSubmit'] == 'true')
   {
       $loginEmail = filter_var(trim($_POST['email']), FILTER_VALIDATE_EMAIL);
       $loginPassword    = trim($_POST['password']);
       $accounty = $row_rsSearch['accountconfirmed'];

Edited February 23, 2013 by justlukeyou

[trq]

Nothing in that code logs in a user.

[justlukeyou]

Sorted.

 

I tried do this earlier but put the $accounty = Y; in the wrong place.

 

 

$accounty = Y;	
$loginPassword = md5($loginPassword);
$query = 'SELECT * FROM users WHERE email = "' . mysql_real_escape_string($loginEmail) . '" AND password = "' . $loginPassword . '" AND accountconfirmed = "' . $accounty . '"';
           $result = mysql_query($query);