
PHP Tutorials: User login HELP!



szucsy11
10-14-2012, 08:42 PM
Hello guys.

My problem is that everything works just fine, but I can't log in. When I try to log in with a correct username and password, and the account IS activated, it still says "Array ( [0] => Activate your account )".

This is the function:


function user_active($username) {
    $username = sanitize($username);
    return (mysql_result(mysql_query("SELECT COUNT(user_id) FROM users WHERE `username` = '$username' AND 'active' = '1'"), 0) == 1) ? true : false;
}

And this is the code/session from login.php (I copied the whole thing):

<?php
include 'core/init.php';

if (empty($_POST) === false) {
    $username = $_POST['username'];
    $password = $_POST['password'];

    if (empty($username) === true || empty($password) === true) {
        $errors[] = 'You need to enter a username and password';
    } else if (user_exists($username) === false) {
        $errors[] = 'We can\'t find that username. Have you registered?';
    } else if (user_active($username) === false) {
        $errors[] = 'Activate your account';
    } else {
        $login = login($username, $password);
        if ($login === false) {
            $errors[] = 'That username/password combination is incorrect';
        } else {
            $_SESSION['user_id'] = $login;
            header('Location: index.php');
            exit();
        }
    }

    print_r($errors);
}
?>

Thank you.

traq
10-14-2012, 09:13 PM
works for me. what does your sanitize function do? my first suspicion would be that it's altering your input values (rather than simply preparing them for use in your query, which is what it would seem to be intended to do).

aside from that, you should seriously consider two things:

1. DO NOT give any error messages to the user, aside from "username+password combo not found."
.....telling an unknown user (who might be malicious) anything more than that is a security/privacy risk.

2. do not use the mysql_* functions.
.....ext/mysql is outdated and scheduled for deprecation
.....(choose another API instead (http://php.net/mysqlinfo.api.choosing), such as ext/mysqli (http://php.net/mysqli) or PDO (http://php.net/pdo)).

3. I don't know that you're doing this, but it would seem like a possibility based on the code you've given:
.....don't store user passwords in plain text.
.....they should be hashed before being stored or used in a query.

szucsy11
10-14-2012, 09:29 PM

It's sanitizing data.


<?php
function sanitize($data) {
    return mysql_real_escape_string($data);
}
?>

traq
10-14-2012, 09:52 PM
try adding this line to the function user_active (and remove it afterwards):

function user_active($username) {
    die( $username == sanitize($username) );
    $username = sanitize($username);
    return (mysql_result(mysql_query("SELECT COUNT(user_id) FROM users WHERE `username` = '$username' AND 'active' = '1'"), 0) == 1) ? true : false;
}

if that doesn't print 1, try this modification:

function user_active($username) {
    $username = sanitize($username);
    // return (mysql_result(mysql_query("SELECT COUNT(user_id) FROM users WHERE `username` = '$username' AND 'active' = '1'"), 0) == 1) ? true : false;
    die( mysql_result( mysql_query("SELECT COUNT(user_id) FROM users WHERE `username` = '$username' AND 'active' = '1'"), 0 ) );
}

let me know the results.



whup, just caught it:
'active' = '1'

# SHOULD BE
`active` = '1'

# _backticks_, not single-quotes. :)
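Rewriting the thread's user_active() and login() the way traq recommends, as an added example that is neither the poster's nor traq's code: PDO prepared statements instead of mysql_* string concatenation, `active` referenced as a column identifier rather than the string literal 'active', password_verify() against a stored hash, and one generic message for every login failure. It assumes PHP 7+, a users table with columns user_id, username, password_hash and active, placeholder DSN/credentials, and that core/init.php has already called session_start().

```php
<?php
// Added example, not code from the thread. Assumes PHP 7+, a table
// users(user_id, username, password_hash, active), and that core/init.php
// already called session_start(). DSN and credentials are placeholders.
function db(): PDO {
    static $pdo = null;
    if ($pdo === null) {
        $pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_user', 'app_password');
        $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    }
    return $pdo;
}

// True only when the username exists and the row is activated. `active` is a
// column identifier (backticks or bare); the thread's 'active' in single
// quotes is a string literal, so that condition could never be true.
function user_active(string $username): bool {
    $stmt = db()->prepare('SELECT COUNT(user_id) FROM users WHERE `username` = ? AND `active` = 1');
    $stmt->execute([$username]);
    return (int) $stmt->fetchColumn() === 1;
}

// Returns user_id on success, false otherwise. password_hash holds the value
// password_hash($plain, PASSWORD_DEFAULT) produced at registration.
function login(string $username, string $password) {
    $stmt = db()->prepare('SELECT user_id, password_hash, active FROM users WHERE `username` = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['active'] !== 1) {
        return false;
    }
    return password_verify($password, $row['password_hash']) ? (int) $row['user_id'] : false;
}

// login.php: one message for every failure, so the form reveals neither which
// usernames exist nor which accounts are still unactivated.
$errors = [];
if (!empty($_POST)) {
    $id = login((string) ($_POST['username'] ?? ''), (string) ($_POST['password'] ?? ''));
    if ($id === false) {
        $errors[] = 'That username/password combination is incorrect';
    } else {
        session_regenerate_id(true); // new session id on privilege change
        $_SESSION['user_id'] = $id;
        header('Location: index.php');
        exit();
    }
}
```

Unactivated accounts simply fail with the same generic message here; if the site must tell a user to activate, do that through the e-mail flow rather than on the login form.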