patternphpMinor
Simple activation script
Viewed 0 times
scriptactivationsimple
Problem
The script is fully working, but I ask is there a better way I can do this rather than name all of the query variables,
$q, $q1 etc, and then use if else statements to execute the code. prepare("SELECT * FROM accounts WHERE email = ? && password = ? && logcount != ''");
$q -> bind_param('ss', ($_POST['email']), ($_POST['password']));
$q -> execute();
$q -> store_result();
// wrong password variables
$q1 = $dbc -> prepare("SELECT * FROM accounts WHERE email = ? && password != ? && logcount != ''");
$q1 -> bind_param('ss', ($_POST['email']), ($_POST['password']));
$q1 -> execute();
$q1 -> store_result();
// not active variables
$q2 = $dbc -> prepare("SELECT * FROM accounts WHERE email = ? && logcount = ''");
$q2 -> bind_param('s', ($_POST['email']));
$q2 -> execute();
$q2 -> store_result();
// successful login query
if ($q -> num_rows == 1) {
$q = $dbc -> prepare("UPDATE accounts SET logcount = logcount+1 WHERE email = ?");
$q -> bind_param('s', ($_POST['email']));
$q -> execute();
$dbc -> close();
header('location: shack');
exit();
}
// wrong password query
elseif ($q1 -> num_rows == 1) {
echo 'Your password is incorrect.';
}
// not activated query
elseif ($q2 -> num_rows == 1) {
echo 'Your account is not activated.';
}
// blank email form entry
elseif (empty($_POST['email'])) {
echo 'You did not fill in an email on the login form.';
}
// account not found
else {
echo 'An account could not be found.';
}
// close the mysql connection
$dbc -> close();
?>Solution
Appears you are storing cleartext passwords and doing a 1:1 comparison. This is bad.
You can clean the code up by doing the following and executing 1 query to MySQL:
You can clean the code up by doing the following and executing 1 query to MySQL:
require_once('mysqli.php');
// successful login variables
$q = $dbc -> prepare("SELECT email,dbClearTextPassword,accountActive FROM accounts WHERE email = ?");
$q -> bind_param('s', ($_POST['email']));
$q -> execute();
$q -> store_result();
// check to see if you returned any information from your query
if ($q->num_rows == 0) {
// email doesn't exist in db .. #fail
exit;
}
if ($q['accountActive'] != '1') {
// email account is not active .. #fail
exit;
}
// check the password matches
if ($_POST['clearTextPassword'] == $q['dbClearTextPassword']) {
// do some of your fancy code to process the successful login
} else {
// do some other fancy code to process a login failure
}
$dbc->close();Code Snippets
require_once('mysqli.php');
// successful login variables
$q = $dbc -> prepare("SELECT email,dbClearTextPassword,accountActive FROM accounts WHERE email = ?");
$q -> bind_param('s', ($_POST['email']));
$q -> execute();
$q -> store_result();
// check to see if you returned any information from your query
if ($q->num_rows == 0) {
// email doesn't exist in db .. #fail
exit;
}
if ($q['accountActive'] != '1') {
// email account is not active .. #fail
exit;
}
// check the password matches
if ($_POST['clearTextPassword'] == $q['dbClearTextPassword']) {
// do some of your fancy code to process the successful login
} else {
// do some other fancy code to process a login failure
}
$dbc->close();Context
StackExchange Code Review Q#1915, answer score: 5
Revisions (0)
No revisions yet.