HiveBrain v1.2.0
Get Started
← Back to all entries
patternphpMinor

Simple activation script

Submitted by: @import:stackexchange-codereview··
0
Viewed 0 times
scriptactivationsimple

Problem

The script is fully working, but I ask is there a better way I can do this rather than name all of the query variables, $q, $q1 etc, and then use if else statements to execute the code.

 prepare("SELECT * FROM accounts WHERE email = ? && password = ? && logcount != ''");
$q -> bind_param('ss', ($_POST['email']), ($_POST['password'])); 
$q -> execute();
$q -> store_result();

// wrong password variables

$q1 = $dbc -> prepare("SELECT * FROM accounts WHERE email = ? && password != ? && logcount != ''");
$q1 -> bind_param('ss', ($_POST['email']), ($_POST['password']));
$q1 -> execute();
$q1 -> store_result();  

// not active variables

$q2 = $dbc -> prepare("SELECT * FROM accounts WHERE email = ? && logcount = ''");
$q2 -> bind_param('s', ($_POST['email']));
$q2 -> execute();
$q2 -> store_result();  

// successful login query

if ($q -> num_rows == 1) {
    $q = $dbc -> prepare("UPDATE accounts SET logcount = logcount+1 WHERE email = ?");
    $q -> bind_param('s', ($_POST['email']));
    $q -> execute();
    $dbc -> close();
    header('location: shack');
    exit();
}

// wrong password query

elseif ($q1 -> num_rows == 1) {
    echo 'Your password is incorrect.';
}

// not activated query

elseif ($q2 -> num_rows == 1) {
    echo 'Your account is not activated.';
}

// blank email form entry

elseif (empty($_POST['email'])) {
    echo 'You did not fill in an email on the login form.';
}

// account not found

else {
    echo 'An account could not be found.';
}

// close the mysql connection

$dbc -> close();

?>

Solution

Appears you are storing cleartext passwords and doing a 1:1 comparison. This is bad.

You can clean the code up by doing the following and executing 1 query to MySQL:

require_once('mysqli.php');  
// successful login variables  
$q = $dbc -> prepare("SELECT email,dbClearTextPassword,accountActive FROM accounts WHERE email = ?"); 
$q -> bind_param('s', ($_POST['email']));  
$q -> execute(); 
$q -> store_result();

// check to see if you returned any information from your query
if ($q->num_rows == 0) { 
  // email doesn't exist in db .. #fail
  exit;
}

if ($q['accountActive'] != '1') { 
  // email account is not active .. #fail
  exit;
}

// check the password matches 
if ($_POST['clearTextPassword'] == $q['dbClearTextPassword']) { 
  // do some of your fancy code to process the successful login
} else { 
  // do some other fancy code to process a login failure
}

$dbc->close();

Code Snippets

require_once('mysqli.php');  
// successful login variables  
$q = $dbc -> prepare("SELECT email,dbClearTextPassword,accountActive FROM accounts WHERE email = ?"); 
$q -> bind_param('s', ($_POST['email']));  
$q -> execute(); 
$q -> store_result();

// check to see if you returned any information from your query
if ($q->num_rows == 0) { 
  // email doesn't exist in db .. #fail
  exit;
}

if ($q['accountActive'] != '1') { 
  // email account is not active .. #fail
  exit;
}

// check the password matches 
if ($_POST['clearTextPassword'] == $q['dbClearTextPassword']) { 
  // do some of your fancy code to process the successful login
} else { 
  // do some other fancy code to process a login failure
}

$dbc->close();

Context

StackExchange Code Review Q#1915, answer score: 5

Revisions (0)

No revisions yet.