
Block or authorize user


EmilyPham


<?php session_start();
include_once('includes/config.php');

if(isset($_POST['login']))
{
    $password=$_POST['password'];
    $dec_password=$password;
    $useremail=$_POST['uemail'];
    $ret= mysqli_query($con,"SELECT id,fname FROM users WHERE email='$useremail' and password='$dec_password' and authorized ='1'");
    $num=mysqli_fetch_array($ret);
    if($num>0)
    {
        $_SESSION['id']=$num['id'];
        $_SESSION['name']=$num['fname'];
        header("location:welcome.php");
    }
    else
    {
        echo "<script>alert('Invalid username or password');</script>";
    }
}
?>

In cPanel, my MySQL table column of type "bit" is named "authorized". It throws an error each time it runs. I can't seem to figure out how to place that requirement.
Plus, if their registered account's "authorized" equals "0", I need to show the user a message that they are not authorized or send them to a different PHP page. Can I do this using this same code, but corrected?

I do so much appreciate PHP help. This is my first question, so please forgive me if I am wrong in how I am doing this. English is not my first language.


mysqli_fetch_array() does not return the number of rows

> Returns an array representing the fetched row, null if there are no more rows in the result set, or false on failure.

8 minutes ago, EmilyPham said:

Plus, if their registered account's "authorized" equals "0", I need to show the user a message that they are not authorized or send them to a different PHP page. Can I do this using this same code, but corrected?

To do that you would need to remove `and authorized ='1'` and add "authorized" to the selected columns. Then check if `$num['authorized'] == 1` (or not).


Sorry, that did not help me. I am a beginner with PHP. I have no idea what you mean by "Returns an array representing the fetched row, null if there are no more rows in the result set, or false on failure."

I was hoping someone would show me what my code should look like. I have gone this far, and it works if I remove all mention of "authorized".


3 minutes ago, EmilyPham said:

Sorry, that did not help me. I am a beginner with PHP. I have no idea what you mean by "Returns an array representing the fetched row, null if there are no more rows in the result set, or false on failure."

Let me introduce you to the reference manual. See https://www.php.net/mysqli_fetch_array


7 minutes ago, EmilyPham said:

It throws an error each time it runs

What error?

if you want to do something based on the authorized value, you would not include it in the WHERE term in the query. you would SELECT it, then test its value in the program logic.

also -

  1. use 'require' for things your code must have.
  2. include/require are not functions. leave the () around the path/file out.
  3. don't attempt to detect if the submit button is set. there are cases where it won't be. instead, test if a post method form was submitted.
  4. you need to trim, mainly so that you can detect if all white-space characters were entered, then validate all inputs before using them.
  5. don't copy variables to other variables for nothing.
  6. don't put dynamic values directly into sql query statements. use a prepared query. if it seems like using the mysqli extension is overly complicated and inconsistent, it is. this would be a good time to switch to the much simpler and better designed PDO extension.
  7. you should be hashing the passwords. see php's password_hash() and password_verify(). you would not include the password in the WHERE term. you would SELECT the password, then after you have determined if a row of data was matched, use password_verify() in your program logic to test the password hash.
  8. the fetch instruction returns either an array, a null, or a false value, not a number. is this where you are getting an error?
  9. the only user value you should store in a session variable is the user id. you should query on each page request to get any other user data.
  10. the redirect you perform upon successful completion of the post method form processing code needs to be to the exact same URL of the current page to cause a get request.
  11. every redirect needs an exit/die statement to stop php code execution.
  12. if you want to display a one-time success message, store it in a session variable, then test, display, and clear that session variable at the appropriate location in the html document.

Oh great. I came for simple help and am basically told to read the manual, which I have tried but converting to Vietnamese loses far too much. And that's why I came here. I thought or hoped someone would add a correct line to my code to block the user. Then I could understand and learn.  But no teachers here.

> you would not include it in the WHERE term
Duh!

But it looks like I came to the wrong website; so far, one just sits back and hints that I should read the book. The other tosses out so many ideas, but none helpful for my problem. I am an almost totally disabled 35-year-old woman who needed some help, but there is none here. So disappointing here. Shame on this website. Useless, lazy people, I see so far, sit in their self-made chairs but have no solution. Shame on all of you. No wonder this site has no traffic.

Edited by EmilyPham

2 hours ago, EmilyPham said:

But it looks like I came to the wrong website; so far, one just sits back and hints that I should read the book. The other tosses out so many ideas, but none helpful for my problem. I am an almost totally disabled 35-year-old woman who needed some help, but there is none here. So disappointing here. Shame on this website. Useless, lazy people, I see so far, sit in their self-made chairs but have no solution. Shame on all of you. No wonder this site has no traffic.

Do not come here looking for handouts, then insult my friends for not providing free labor.
So far as I can see, you have two answers that will solve your immediate problems.
Update your code with the provided answers, then feel ashamed for your behavior.

Meantime, shell games with variables serve no purpose here:

$password=$_POST['password'];
$dec_password=$password;

focus on adding an exit after a redirect:

$_SESSION['id']=$num['id'];
$_SESSION['name']=$num['fname'];
header("location:welcome.php");
exit;

and including authorized and password columns in your query:

$ret= mysqli_query($con,"SELECT id, fname, password, authorized FROM users WHERE email='$useremail'");

Yeah Glo!


All you need is the `username` and `password` to get the user's credentials, and you really should just store the `id` or `username` in the session, as you can pull the other information about the user from the database table when you need it.

An example of my login:

    public function verify_credentials($username, $password): bool
    {
        $sql = "SELECT id, password FROM admins WHERE username =:username LIMIT 1";
        $user = $this->retrieve_credentials($sql, $username);
        if ($user && password_verify($password, $user['password'])) {
            session_regenerate_id(); // prevent session fixation attacks
            $_SESSION['user_id'] = $user['id'];
            return true;
        }

        return false;
    }

    protected function retrieve_credentials(string $sql, string $username): ?array
    {
        $stmt = $this->pdo->prepare($sql);
        $stmt->execute(['username' => $username]);
        $result = $stmt->fetch(PDO::FETCH_ASSOC);
        return $result !== false ? $result : null;
    }

It's a method that is part of a class I wrote, but basically it's a function and could easily be written in procedural style. This is just an example.

Edited by Strider64

I not understand much long words but i not feel ashamed to adolf boy jodunno in a mask trying to show his muscles so juvenile. I laugh at you.  

Strider64: Thank you. You seem nice. But I do not understand all your new code. I just wanted to correct my code. I am not a program woman. I am a CEO. My coder moved a long way away. So I came here to correct a simple problem. I do not like it here. You seem okay, but I think I will leave, as I cannot understand. All I wanted was a correction.

This was the error:

Fatal error: Uncaught TypeError: mysqli_fetch_array(): Argument #1 ($result) must be of type mysqli_result, bool given in /home/primehor/emily***.com/register/restrict-login.php:10 Stack trace: #0 /home/primehor/emily***.com/register/restrict-login.php(10): mysqli_fetch_array() #1 {main} thrown in /home/primehor/emilydiem.com/register/restrict-login.php on line 10


had you initially posted the error message (someone did ask), you could have gotten help earlier. that error (most likely) means that the query failed with an sql error and the code does not have error handling for database errors. to add error handling for database errors, add the following line of code before the point where the database connection is made, then report back with the database error (this is the default setting now in php8+, so you need to also update to using php8) -

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);


once you solve the current problem, to do what you have asked, which requires knowing first if the email/password is correct, then what the authorized value is, will require actual programming changes to be made to the query and to the program logic. programming is not about finding something that does what you want and repeating it in your code. programming is a creative writing (and reading) activity. you must actually learn the meaning of the words and syntax you are using so that what you write makes sense when it is executed by the computer.

lastly, because the current query is putting the values directly into the sql query statement, sql injection is possible. someone can submit an email address for an administrator, to match his row of data, and bypass the need for the password and become logged in as an administrator. since i doubt you want this to be possible, you will need to convert this query to be a prepared query.

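The corrections the replies describe (the numbered list earlier in the thread and the mysqli_report()/prepared-query advice just above) pulled together into one login script, as an added example that is not code from EmilyPham or from any reply. It assumes $con is the mysqli connection created by includes/config.php, that the users.password column holds password_hash() output, and that blocked.php is a placeholder page for accounts whose authorized bit is 0.

```php
<?php
// Added example: the login flow the replies describe, with a prepared query.
// Assumptions: $con (mysqli) comes from includes/config.php, users.password holds
// password_hash() output, blocked.php is a placeholder page for unapproved accounts.
session_start();
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // query failures become exceptions
require 'includes/config.php';

if ($_SERVER['REQUEST_METHOD'] === 'POST') {          // test the request method, not the button
    $useremail = trim($_POST['uemail'] ?? '');
    $password  = $_POST['password'] ?? '';             // passwords are not trimmed

    if ($useremail === '' || $password === '') {
        $_SESSION['error'] = 'Email and password are required.';
    } else {
        // The email is bound as data, so it cannot change the SQL. password and authorized
        // are SELECTed rather than filtered in WHERE so the program logic can decide.
        // CAST makes the BIT column arrive as a plain integer regardless of driver.
        $stmt = mysqli_prepare(
            $con,
            'SELECT id, password, CAST(authorized AS UNSIGNED) AS authorized FROM users WHERE email = ?'
        );
        mysqli_stmt_bind_param($stmt, 's', $useremail);
        mysqli_stmt_execute($stmt);
        $row = mysqli_fetch_assoc(mysqli_stmt_get_result($stmt)); // array or null, never a count

        if ($row === null || !password_verify($password, $row['password'])) {
            // Same message whether the email or the password was wrong.
            $_SESSION['error'] = 'Invalid username or password';
        } elseif ((int) $row['authorized'] !== 1) {
            // Credentials are correct but the account is not approved: block it here.
            header('Location: blocked.php');
            exit;                                      // stop execution after every redirect
        } else {
            session_regenerate_id(true);               // new session id after authentication
            $_SESSION['id'] = (int) $row['id'];        // store only the user id
            header('Location: welcome.php');
            exit;
        }
    }
}
?>
```

The one-time error message in $_SESSION['error'] is meant to be displayed and then unset in the HTML part of the page, as item 12 of the list suggests.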