problem with activation code

fullyloaded

Hi,
I've been trying and trying to add a few lines of code to my login script with no luck. What im trying to add is a activation code to check if the user has activated there account. Any help would be great thanks.

require("db.php");
$submitted_username = '';
$errormessage = '';
if(!empty($_POST))
{
    $query = "SELECT id,username,password,salt,actnum FROM users WHERE username = :username";
    $query_params = array(
    ':username' => $_POST['username']
    );
    try
    {
        $stmt = $db->prepare($query);
        $result = $stmt->execute($query_params);
    }
    catch(PDOException $ex)
    {
        die("Failed to run query: " . $ex-&gt;getMessage());
    }
    $login_ok = false;
    $row = $stmt->fetch();
    if($row)
    {
        $check_password = hash('sha256', $_POST['password'] . $row['salt']);
        if($check_password === $row['password'])
        {
            $login_ok = true;
        }
    }
    if($login_ok)
    {
        unset($row['salt']);
        unset($row['password']);
        $_SESSION['user'] = $row;
        header("Location: members");
        die("Redirecting to: members");
    }
    else
    {
        $errormessage = 'Your user ID or password is incorrect.';
        $submitted_username = htmlentities($_POST['username'], ENT_QUOTES, 'UTF-8');
    }

}

Activation code trying to add:

if ($row['actnum'] == '0'){
}
else
{
$errormessage = 'Please activate your account.';
}

And ways i have tried:

//This way works but this way has no error message to show so it shows $errormessage = 'Your user ID or password is incorrect.';
if($login_ok && $row['actnum'] == '0')
    {
        unset($row['salt']);
        unset($row['password']);
        $_SESSION['user'] = $row;
        header("Location: members");
        die("Redirecting to: members");
    }
    else
    {
        $errormessage = 'Your user ID or password is incorrect.';
        $submitted_username = htmlentities($_POST['username'], ENT_QUOTES, 'UTF-8');
    }


//This way dont work at all
if ($row['actnum'] == '0'){
}
else
{
$errormessage = 'Please activate your account.';
}
if($login_ok)
    {
        unset($row['salt']);
        unset($row['password']);
        $_SESSION['user'] = $row;
        header("Location: members");
        die("Redirecting to: members");
    }
    else
    {
        $errormessage = 'Your user ID or password is incorrect.';
        $submitted_username = htmlentities($_POST['username'], ENT_QUOTES, 'UTF-8');
    }

Bonesnap

I imagine the process is the user registers, and then receives an email with a link to activate their account? There are probably a couple of ways of doing this, but the first way that comes to mind is when the user registers, store a hash value (their activation code) in a column in the database. Send the link in an email to their email address that includes the activation code. When they click on it, it will verify that the activation code matches the code, but also the user ID, user name, and email address. If it does, then delete the activation code.

fullyloaded

Hi,
thanks for the reply, i have all that done but my problem is adding in the code from my first post to the login form to check if it has been activated. thanks.

Derokorian

The first try is almost right but what you need to do instead is separate the loginok check and the activated check. Right now your not true (else) block says userid password wrong, but this else block also covers when the account isn't activated. Use 2 separate checks for this, like so:

if( !$loginok ) {
   $errormessage = "User ID/password mismatch";
} elseif( $row['actnum'] != 0 ) {
   $errormessage = "Account not activated";
} else {
   $_SESSION['user'] = $row;
   header('Location: http://url.com');
}

Psuedo-code: modify as necessary.

fullyloaded

Thank you very much for the help guys, Derokorian that code worked out great! again thanks.