function to check if user is active is logging me out when its shouldn't be....

php_adrian

Hi folks,
Going through this tutorial on Youtube - http://www.youtube.com/watch?v=OY5OxqMI3WA&list=ECE134D877783367C7

Is my database, there is a field called user_active that will have a 1 is the user is active, 0 is not active. As seen in the video, we are using an existing function (see below) to check if a user is active while browsing the site, and if the user isn't active..logging them out, and bring them back to the login page.

My problem is that when I implement this code in my init.php file, and hit F5, it logs my legit user account (which is active, is set to 1 in the database) out when it shouldn't, it should keep me logged in.

Here is the user_active function: (which is located in another file called user.php)

function user_active( $username,mysqli $DB ){ 

# sanitize $username (to avoid SQL injection attacks/errors) 
$username = $DB->real_escape_string( $username ); 

# this is the SQL query we'll use. 
$sql = "SELECT 1 FROM `users` WHERE `username`='$username' AND `active` = 1"; 

# execute the query. 
$result = $DB->query( $sql ); 

# check if there were any rows in the result (if there were no rows, the username does not exist).
 return (bool)$result->num_rows;

Here is where I call the function to check if the user is logged when they are browsing the site. This is located in init.php

session_start();

require 'database/connect.php';
require 'functions/general.php';
require 'functions/users.php';

//we are calling the user_active function to see if the user is logged in.
	if(user_active($username,$DB ) === false) {
		session_destroy();
		header('Location: index.php');
		exit();
	}

Any ideas?

Many thanks,

Weedpacket

In [font=monospace]init.php[/font], where does the variable [font=monospace]$username[/font] come from? How does it get its value?

php_adrian

there is nothing in init.php that tells us where $username comes from...I guess that's my problem....? ...but isn't that what the

include 'core/init.php';

is there for? ....or do we need to add to init.php:

require 'login.php';

??? ...so it knows to look around in login.php if it can't find it in init.php? Is that how it works?

Here's my login.php file - this is what gets processed after the user put in the username/password and hits submit....as you can see from the video, I am re-doing everything using the new mysqli extension while the guy in the video wasn't!

<?php
// this file processes the username and password, and calls different functions, is the user active.
// to handle error handling (i.e - wrong password) we create an array called $errors in init.php
include 'core/init.php';


ini_set('error_reporting',-1);
ini_set('display_errors','On'); 


// =====================================================

# database connection 
$DB = new mysqli( 'localhost','root','', 'lr' ); 

# username to check 
//$username = 'adrian'; 

//if( check_username( $username,$DB ) ){ 

# check_username() returned TRUE. 
//    print "The username '$username' already exists."; 
//}else{ 

//    # check_username() returned FALSE. 
//    print "The username '$username' is available."; 
//} 



if (empty($_POST) === false) { // === checks for type
	$username = $_POST['username']; //define the $username variable and point it back to the other login.php file where it says - <input type="text" name="username">
	$password = $_POST['password']; //define the $password variable and point it back to the other login.php file where it says - <input type="password" value="password">


//return test( $username );
//	print "user id is .'$row'.";
//} else {
//	print "no user id";
//}




if(empty($username) === true || empty($password) === true) {
	$errors[] = 'You need to enter a username and password';  //if the username or password is empty, display the code
} else if(user_exists($username,$DB ) === false) { //WORKFLOW:  we are checking if the user exists, which is calling the user_exists fucntion user_exists in users.php, which then passes in the username, sanitizing it by calling the sanitize function in the general.php, and then we run our query.
	$errors[] = 'We can\'t find the username.  Have your registered?';
} else if(user_active($username,$DB ) === false) {
	 $errors[] = 'You haven\'t activated your account!;';
} else {

	//check the string length
	if (strlen($password) > 32) {
		$errors[] = 'Password too long';
	}

	$login = login($username, $password, $DB);
	if ($login === false) {
		$errors[] = 'That username/password combination is incorrect';
	} else {
			//echo 'ok, You have logged in successfully!';
		//die($login);
		//start the session
		$_SESSION['user_id'] = $login; //set a session which holds our user id which uniquely identifies us.
		// redirect user to home
		header('Location: index.php');
		exit();
	}
}
} else {
	$errors[] = 'No data received';
}
//print_r($errors); //this will out put the error of the array above - whichever one fails.


include 'includes/overall/header.php';
//echo output_errors($errors); //passing $errors array into output_errors function
if (empty($errors) ===  false) {
?>
	<h2>We tried to log you in, but...</h2>
<?php
	echo output_errors($errors);
}
include 'includes/overall/footer.php';
?>

Weedpacket

php_adrian wrote:

    $username = $_POST['username']; //define the $username variable

So this is where the variable gets defined - long after you've tried to see if it's valid.

But further down in that same code is:

if(user_active($username,$DB ) === false) {

So you're already using the function. There, you're using it to decide whether or not to include a message in the [font=monospace]$errors[/font] array.

php_adrian

So I'm lost as to what you're trying to tell me...It sounds like I'm using the code in the wrong order/sequence....?