PHP Login System with Admin Features


This forum was created to talk about the PHP Login System with admin features created by jpmaster77 on evolt's website



    Send a registration activation email


    Post  travelfrog Sun Dec 09, 2007 1:34 pm

    Are there any modifications to this script that will send an activation email to the new user that registers, just like the PHPBB registration activation email?

    So that new users cannot log in by entering a false email address, or someone else's email address?

    Post  Linchpin311 Mon Dec 10, 2007 7:22 pm

    i created a mod using userlevels where when the user registers, they are a level 1, but only level 2 and above can login to the site. an admin (level 9) logs onto the site and reviews who registered then, if they want to let the user login to their site, they simply raise the userlevel to 2.

    if you are somewhat comfortable with php, maybe that will give you an idea as to how you can create your own mod...if not, tomorrow when i have more time i can show you how this is possible.

    in the mean time maybe someone else can share their ideas...

    Post  travelfrog Tue Dec 11, 2007 11:31 am

    What I was looking for was an email activation just to make sure that other peoples or false email addresses are not being used. At the moment, you could theoretically enter someone else's email address just to login and have a look around.

    If I use level 2 access, this means that when someone registers, they have to wait for me to raise them to level 2 before they can login. If I do this, they may not decide to register and will just forget about it and not come back.

    Post  Linchpin311 Wed Dec 12, 2007 2:06 pm

    i was thinking more of an email that gets sent out when the user registers - the login system has this feature built into it already - that contains a link to a page on your site that will raise the userlevel automatically (very possible with the help of php).

    the client i created my mod for just wanted the control to review each account before making the choice to activate it. i would never have had the time to look at each account, and i suggested making an email activation system like i just described above, but he wanted to take the time to look at each account, different strokes i guess...

    later today ill look into modifying my existing code to make it do what you want it to. until then!

    Post  Linchpin311 Thu Dec 13, 2007 6:27 pm

    while fooling around with this idea this morning and afternoon, i came up with this...hopefully it helps. just don’t forget to change all the database information to fit your servers.

    we’ll start off by creating a new folder called activation in the same place as main.php.
    then, if you havent already, youre gonna want to open up constants.php. scroll all the way down to the bottom and find:
    Code:
    define("EMAIL_WELCOME", false);
    this is what controls if newly registered users receive welcome message emails. change 'false' to 'true' to turn this feature on. staying in constants.php, we have to define a new userlevel. when new users register they are assigned a userlevel of 1, but we'll say we only want users with userlevels of 2 and up allowed on your site. in constants.php, find:
    Code:
    define("ADMIN_NAME", "admin");
    define("GUEST_NAME", "Guest");
    define("ADMIN_LEVEL", 9);
    define("USER_LEVEL",  1);
    define("GUEST_LEVEL", 0);
    and change it to:
    Code:
    define("ADMIN_NAME", "admin");
    define("GUEST_NAME", "Guest");
    define("ADMIN_LEVEL", 9);
    define("REGUSER_LEVEL", 2);
    define("USER_LEVEL",  1);
    define("GUEST_LEVEL", 0);
    then i went into database.php and added some code to make sure only usernames with a userlevel of 2 or higher could login. find:
    Code:
    /* Retrieve password from result, strip slashes */
    $dbarray = mysql_fetch_array($result);
    $dbarray['password'] = stripslashes($dbarray['password']);
    $password = stripslashes($password);
    and change it to:
    Code:
    /* Retrieve password and userlevel from result, strip slashes */
    $dbarray = mysql_fetch_array($result);
    $dbarray['password'] = stripslashes($dbarray['password']);
    $dbarray['userlevel'] = stripslashes($dbarray['userlevel']);
    $password = stripslashes($password);

    /* Validate that userlevel is greater than 1 */
    if($dbarray['userlevel'] < 2){
      return 3; //Indicates account has not been activated
    }
    that new snippet of code we added returns a value of 3 to session.php. now we just have to tell session.php what to do with it. open up session.php and look for:
    Code:
    /* Check error codes */
    if($result == 1){
      $field = "user";
      $form->setError($field, "* Username not found");
    }
    else if($result == 2){
      $field = "pass";
      $form->setError($field, "* Invalid password");
    }
    then, make it look like:
    Code:
    /* Check error codes */
    if($result == 1){
      $field = "user";
      $form->setError($field, "* Username not found");
    }
    else if($result == 2){
      $field = "pass";
      $form->setError($field, "* Invalid password");
    }
    else if($result == 3){
      $field = "user";
      $form->setError($field, "* Your account has not been activated yet");
    }
    this just tells session.php that if database.php finds a user with a userlevel of 1, it should put up an error message telling the user their account isn't active yet.

    next i stayed with session.php and scrolled down to the bottom of the register new user section, find:
    Code:
    if($database->addNewUser($subuser, md5($subpass), $subemail)){
      if(EMAIL_WELCOME){
          $mailer->sendWelcome($subuser,$subemail,$subpass);
      }
      return 0;  //New user added succesfully
    }else{
      return 2;  //Registration attempt failed
    }
    and change it to:
    Code:
    if($database->addNewUser($subuser, md5($subpass), $subemail)){

      $num = rand(1, 9999999999);
      $file = "activation/".$num.".".$subuser.".php";
      $content = "<?php\n\n"
        .'$'."link = mysql_connect(\"your host\",\"your name\",\"your password\") or die(mysql_error());\n"
        ."mysql_select_db(\"your table name\",".'$'."link) or die(mysql_error());\n\n"
        .'$'."q = \"UPDATE users SET userlevel = 2 WHERE username = '".$subuser."'\";\n"
        ."mysql_query(".'$'."q, ".'$'."link);\n\n"
        ."?>";



      if($fp = fopen($file, 'a')){
        fwrite($fp, $content."\n");
        fclose($fp);
      }

      if(EMAIL_WELCOME){
          $mailer->sendWelcome($subuser,$subemail,$subpass,$file);
      }
      return 0;  //New user added succesfully
    }else{
      return 2;  //Registration attempt failed
    }
    real quick, lets go over what all this new code does. once you understand how it works, you'll be able to manipulate it to your needs if necessary. when a new user registers, their info is inserted into the database (with a userlevel of 1 mind you..), we know this...but if there are no errors with the data being inserted into the database, a new file is created. the filename is essentially, a random number (between 1 and 9999999999) followed by the new users username (for example, 546273274.username.php). the filename is created like this to make sure it is unique to the new user who registered. this new file will be created in the activation folder. the code in session.php then writes some more code in that new file we just created that will raise the users userlevel from 1 to 2 when its run. finally, we pass variable $file, which we defined as “activation/random number.username.php”, to mailer.php.

    go ahead and open mailer.php and find:
    Code:
    function sendWelcome($user, $email, $pass){
      $from = "From: ".EMAIL_FROM_NAME." <".EMAIL_FROM_ADDR.">";
      $subject = "Jpmaster77's Site - Welcome!";
      $body = $user.",\n\n"
          ."Welcome! You've just registered at Jpmaster77's Site "
          ."with the following information:\n\n"
          ."Username: ".$user."\n"
          ."Password: ".$pass."\n\n"
          ."If you ever lose or forget your password, a new "
          ."password will be generated for you and sent to this "
          ."email address, if you would like to change your "
          ."email address you can do so by going to the "
          ."My Account page after signing in.\n\n"
          ."- Jpmaster77's Site";
    and change it to:
    Code:
    function sendWelcome($user, $email, $pass, $file){
      $from = "From: ".EMAIL_FROM_NAME." <".EMAIL_FROM_ADDR.">";
      $subject = "Jpmaster77's Site - Welcome!";
      $body = $user.",\n\n"
          ."Welcome! You've just registered at Jpmaster77's Site "
          ."with the following information:\n\n"
          ."Username: ".$user."\n"
          ."Password: ".$pass."\n\n"
          ."If you ever lose or forget your password, a new "
          ."password will be generated for you and sent to this "
          ."email address, if you would like to change your "
          ."email address you can do so by going to the "
          ."My Account page after signing in.\n\n"
          ."Please follow this <a href=\"your domain/".$file."\">link</a> "
          ."to activate your account.\n"
          ."If the link doesnt work, paste <a href=\"your domain/".$file."\">your domain/".$file."</a> into the address "
          ."bar of your internet browser.\n\n"
          ."- Jpmaster77's Site";
    this code from mailer.php sends out a welcome email to the newly registered user. we just added a little something so the new user will receive a link to activate their account. once the user clicks the link their userlevel raises to 2 and they are free to login to your site.

    i should let you know, there are some things with this script that need some work. first off, when the new user registers, a new file is created, but after they activate their account and click the link, that file does not get deleted…it stays on the server. now when a new user registers, their userid is 0, but the first time they login, it changes. you could probably create a function to check and see if the userid is 0 and if it is, delete the activation file.

    also, because i don’t have a mail server on my computer, i haven’t fully tested this script. if you come across any problems or errors i’ll help you get them right as best i can. If you do run into something, I have a feeling its going to be with mailer.php’s functionality, as this is the part of the script I couldn’t do much testing with. lemme know what happens. good luck!


    Last edited by Linchpin311 on Sun Apr 18, 2010 7:28 am; edited 2 times in total
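
An alternative to generating one PHP file per user, shown as an added example that is not part of the original post or of the login script: a random one-time token is stored (hashed) in the database and a single activation page checks it, so no database credentials or usernames are written into files under the web root and nothing is left on the server to delete afterwards. The `activation_tokens` table, the `activate.php` page name, the 24-hour expiry and the in-memory SQLite stand-in for MySQL are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not the login script's own code. The users table and the
// userlevel values follow the thread; activation_tokens is a hypothetical table.

const USER_LEVEL    = 1;      // registered, not yet activated
const REGUSER_LEVEL = 2;      // activated, allowed to log in
const TOKEN_TTL     = 86400;  // assumption: activation links expire after 24 hours

/** In-memory SQLite database standing in for the site's MySQL database. */
function setupDemoDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, userlevel INTEGER NOT NULL)');
    $db->exec('CREATE TABLE activation_tokens (
        token_hash TEXT PRIMARY KEY, username TEXT NOT NULL, expires INTEGER NOT NULL)');
    return $db;
}

/** Create a token for a newly registered user; only its SHA-256 hash is stored. */
function issueActivationToken(PDO $db, string $username, int $now): string
{
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG instead of rand()
    $stmt = $db->prepare(
        'INSERT INTO activation_tokens (token_hash, username, expires) VALUES (?, ?, ?)'
    );
    $stmt->execute([hash('sha256', $token), $username, $now + TOKEN_TTL]);
    return $token; // the plain token exists only in the emailed link
}

/** Build the link for the welcome email; $baseUrl is a placeholder for your domain. */
function activationLink(string $baseUrl, string $token): string
{
    return rtrim($baseUrl, '/') . '/activate.php?token=' . rawurlencode($token);
}

/** Handle a click on the link. Returns true only if an account was activated. */
function activateAccount(PDO $db, string $token, int $now): bool
{
    // Reject anything that is not shaped like a token we issued.
    if (!preg_match('/\A[0-9a-f]{64}\z/', $token)) {
        return false;
    }
    $hash = hash('sha256', $token);

    $db->beginTransaction();
    try {
        $stmt = $db->prepare('SELECT username, expires FROM activation_tokens WHERE token_hash = ?');
        $stmt->execute([$hash]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);

        // Single use: the token is deleted whether or not it is still valid.
        $db->prepare('DELETE FROM activation_tokens WHERE token_hash = ?')->execute([$hash]);

        $activated = false;
        if ($row !== false && (int) $row['expires'] >= $now) {
            // Only raise level 1 to level 2; never touch higher (e.g. admin) levels.
            $upd = $db->prepare('UPDATE users SET userlevel = ? WHERE username = ? AND userlevel = ?');
            $upd->execute([REGUSER_LEVEL, $row['username'], USER_LEVEL]);
            $activated = $upd->rowCount() === 1;
        }
        $db->commit();
        return $activated;
    } catch (Throwable $e) {
        $db->rollBack();
        throw $e;
    }
}

// Demo with constructed data. The username contains a quote to show that
// bound parameters treat it as data rather than as part of the statement.
$db = setupDemoDb();
$db->prepare('INSERT INTO users VALUES (?, ?)')->execute(["o'brien", USER_LEVEL]);

$now   = time();
$token = issueActivationToken($db, "o'brien", $now);
echo activationLink('https://example.com/login', $token), "\n";

var_dump(activateAccount($db, $token, $now));            // first click on the link
var_dump(activateAccount($db, $token, $now));            // same link used again
var_dump(activateAccount($db, 'not-a-token', $now));     // malformed token
```

In the login script itself, `issueActivationToken()` would be called where the post creates `$file`, and the returned link passed to `sendWelcome()` in its place.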

    Post  Fred-Eric Fri Dec 21, 2007 1:13 pm

    Very nice work and not too difficult to accomplish, I will integrate this modification into my login script.

    Thks

    Post  Linchpin311 Fri Dec 21, 2007 1:15 pm

    no problem!

    Post  elvin66 Tue Mar 17, 2009 10:39 pm

    I get all that done but go to my site and get an error.

    Parse error: syntax error, unexpected T_STRING in /home/elepho5/public_html/login/include/session.php on line 434

    Here is the code in question. Can someone please help me ?

    // this is from session.php
    $content = "<?php\n\n" // line 434 is the next one
    .'$'."link = mysql_connect("localhost", "******", "******") or die(mysql_error());\n"
    ."mysql_select_db(\"elepho5_jtraders\",".'$'."link) or die(mysql_error());\n\n"
    .'$'."q = \"UPDATE users SET userlevel = 2 WHERE username = '".$subuser."'\";\n"
    ."mysql_query(".'$'."q, ".'$'."link);\n\n"
    ."?>";

    I replaced the username and password with '****' for this posting

    Post  Linchpin311 Wed Mar 18, 2009 12:23 pm

    im not really sure what this is for. is this the content you wanted to send in the email? maybe post the whole function that this snippet is a part of? get back to me on this one..

    Post  elvin66 Wed Mar 18, 2009 2:52 pm

    Sure I can. This is from the section of this topic that states the following...

    [next i stayed with session.php and scrolled down to the bottom of the register new user section, find:

    Code:
    if($database->addNewUser($subuser, md5($subpass), $subemail)){
      if(EMAIL_WELCOME){
          $mailer->sendWelcome($subuser,$subemail,$subpass);
      }
      return 0;  //New user added succesfully
    }else{
      return 2;  //Registration attempt failed
    }

    and change it to ] // end of quote.

    I copied the code directly from this page and pasted it over the code in question as per the instructions. Then I edited the database connection information etc. It is a syntax error so it may be as little as a , or a . in the wrong place. Below I have posted the whole function after it does a whole bunch of error checking. I left the last error check in so you can see where it starts..



    /* Check if mobile is not numeric */
    $field = "mobile";
    if(!eregi("^([0-9])*$", $submobile)){
    $form->setError($field, "* Mobile not numeric");
    }
    /* Check if fax is not numeric */
    $field = "fax";
    if(!eregi("^([0-9])*$", $subfax)){
    $form->setError($field, "* Fax not numeric");
    }

    /* Errors exist, have user correct them */
    if($form->num_errors > 0){
    return 1; //Errors with form
    }
    /* No errors, add the new account to the */
    else{
    if($database->addNewUser($subuser, md5($subpass), $subemail, $subfirstname, $subsirname, $subaddress1, $subaddress2, $subsuburb, $subcity, $subpostcode, $subphone, $submobile, $subfax)){
    $num = rand(1, 9999999999);
    $file = "activation/".$num.".".$subuser.".php";
    $content = "<?php\n\n"
    .'$'."link = mysql_connect("localhost", "*****", "*****") or die(mysql_error());\n"
    ."mysql_select_db(\"*****\",".'$'."link) or die(mysql_error());\n\n"
    .'$'."q = \"UPDATE users SET userlevel = 2 WHERE username = '".$subuser."'\";\n"
    ."mysql_query(".'$'."q, ".'$'."link);\n\n"
    ."?>";
    if($fp = fopen($file, 'a')){
    fwrite($fp, $content."\n");
    fclose($fp);
    }
    if(EMAIL_WELCOME){
    $mailer->sendWelcome($subuser,$subemail,$subpass,$file);
    }
    return 0; //New user added succesfully
    }else{
    return 2; //Registration attempt failed
    }
    }
    }

    Post  Linchpin311 Wed Mar 18, 2009 3:06 pm

    haha, dont mind me... im just being an idiot. i was posting a response in another topic thinking this was for that one. kinda embarrassing. Laughing

    you are getting this error cause you forgot to escape the database info. try replacing your database info with mysql_connect(\"localhost\", \"******\", \"******\"). obviously fix the username and password, but keep the slashes!

    Post  elvin66 Wed Mar 18, 2009 3:42 pm

    Linchpin311 wrote:haha, dont mind me... im just being an idiot. i was posting a response in another topic thinking this was for that one. kinda embarrassing. Laughing

    you are getting this error cause you forgot to escape the database info. try replacing your database info with mysql_connect(\"localhost\", \"******\", \"******\"). obviously fix the username and password, but keep the slashes!


    Yikes I didn't even think about that !!! I just copied and pasted so something got mucked up lol. Thanks !!!!

    Post  elvin66 Wed Mar 18, 2009 4:11 pm

    When it rains it pours and it's pouring here in Auckland ! Ok everytime I get one thing fixed another one pops up. I've been trying to get rid of these errors all morning. This is the latest..

    Fatal error: Call to undefined function: calcnumactiveusers() in /home/elepho5/public_html/login/include/database.php on line 36

    The code is:

    /* Class constructor */
    function MySQLDB(){
    /* Make connection to database */
    $this->connection = mysql_connect('localhost', 'elepho5_elvin66', 'humpster66') or die(mysql_error());
    mysql_select_db('elepho5_jtraders', $this->connection) or die(mysql_error());

    /**
    * Only query database to find out number of members
    * when getNumMembers() is called for the first time,
    * until then, default value set.
    */
    $this->num_members = -1;

    if(TRACK_VISITORS){
    /* Calculate number of users at site */
    ->error here $this->calcNumActiveUsers(); // this line is the error

    /* Calculate number of guests at site */
    $this->calcNumActiveGuests();
    }
    }

    Post  Linchpin311 Wed Mar 18, 2009 5:13 pm

    php is a pretty case sensitive scripting language...

    is that EXACTLY what the error says? i am specifically curious in the case of the function in question. the error message you posted says calcnumactiveusers() but on the line with the error i see $this->calcNumActiveUsers(). if when you call the function it is not EXACTLY the same name as what you defined it as you will get that call to undefined function error. let me know if this fixes your problem, maybe we can put an end to all this rain. Cool

    remember that CONSISTENCY should be something you strive for when you program in any language. i dont want to tell you how to program, but for the sake of whoever reads your code (yourself included) be consistent in your practices.

    Post  elvin66 Wed Mar 18, 2009 7:57 pm

    That is very strange. The line of actual code is

    $this->calcNumActiveUsers();

    and in the error message it states

    calcnumactiveusers()

    I don't know why the php engine has come back with small caps on that error line. Do you think it may be getting called from another script possibly ?

    I thank you for your advice on programming consistency. I agree. As I am only learning PHP, it is a good idea to get into the habit of formatting code correctly.

    For this particular problem, I copied and pasted directly from this tutorial so if formatting is wrong, it is the tutorial's doing lol. Thanks anyway.

    Post  Linchpin311 Wed Mar 18, 2009 9:59 pm

    yea, its very strange. maybe you could post all of database.php so we could take a look at it?

    Post  elvin66 Wed Mar 18, 2009 10:02 pm

    <?php
    /**
    * Database.php
    *
    * The Database class is meant to simplify the task of accessing
    * information from the website's database.
    *
    * Written by: Jpmaster77 a.k.a. The Grandmaster of C++ (GMC)
    * Last Updated: August 17, 2004
    */
    include("constants.php");

    class MySQLDB
    {
    var $connection; //The MySQL database connection
    var $num_active_users; //Number of active users viewing site
    var $num_active_guests; //Number of active guests viewing site
    var $num_members; //Number of signed-up users
    /* Note: call getNumMembers() to access $num_members! */

    /* Class constructor */
    function MySQLDB(){
    /* Make connection to database */
    $this->connection = mysql_connect('localhost', 'my_username', 'my_password') or die(mysql_error());
    mysql_select_db('my_database', $this->connection) or die(mysql_error());

    /**
    * Only query database to find out number of members
    * when getNumMembers() is called for the first time,
    * until then, default value set.
    */
    $this->num_members = -1;

    if(TRACK_VISITORS){
    /* Calculate number of users at site */
    $this->calcNumActiveUsers();

    /* Calculate number of guests at site */
    $this->calcNumActiveGuests();
    }
    }

    /**
    * confirmUserPass - Checks whether or not the given
    * username is in the database, if so it checks if the
    * given password is the same password in the database
    * for that user. If the user doesn't exist or if the
    * passwords don't match up, it returns an error code
    * (1 or 2). On success it returns 0.
    */
    function confirmUserPass($username, $password){
    /* Add slashes if necessary (for query) */
    if(!get_magic_quotes_gpc()) {
    $username = addslashes($username);
    }

    /* Verify that user is in database */
    $q = "SELECT password FROM ".TBL_USERS." WHERE username = '$username'";
    $result = mysql_query($q, $this->connection);
    if(!$result || (mysql_numrows($result) < 1)){
    return 1; //Indicates username failure
    }

    /* Retrieve password from result, strip slashes */
    $dbarray = mysql_fetch_array($result);
    $dbarray['password'] = stripslashes($dbarray['password']);
    $password = stripslashes($password);

    /* Validate that password is correct */
    if($password == $dbarray['password']){
    return 0; //Success! Username and password confirmed
    }
    else{
    return 2; //Indicates password failure
    }
    }

    /**
    * confirmUserID - Checks whether or not the given
    * username is in the database, if so it checks if the
    * given userid is the same userid in the database
    * for that user. If the user doesn't exist or if the
    * userids don't match up, it returns an error code
    * (1 or 2). On success it returns 0.
    */
    function confirmUserID($username, $userid){
    /* Add slashes if necessary (for query) */
    if(!get_magic_quotes_gpc()) {
    $username = addslashes($username);
    }

    /* Verify that user is in database */
    $q = "SELECT userid FROM ".TBL_USERS." WHERE username = '$username'";
    $result = mysql_query($q, $this->connection);
    if(!$result || (mysql_numrows($result) < 1)){
    return 1; //Indicates username failure
    }

    /* Retrieve userid from result, strip slashes */
    $dbarray = mysql_fetch_array($result);
    $dbarray['userid'] = stripslashes($dbarray['userid']);
    $userid = stripslashes($userid);

    /* Validate that userid is correct */
    if($userid == $dbarray['userid']){
    return 0; //Success! Username and userid confirmed
    }
    else{
    return 2; //Indicates userid invalid
    }


    /* Retrieve password and userlevel from result, strip slashes */
    $dbarray = mysql_fetch_array($result);
    $dbarray['password'] = stripslashes($dbarray['password']);
    $dbarray['userlevel'] = stripslashes($dbarray['userlevel']);
    $password = stripslashes($password);
    /* Validate that userlevel is greater than 1 */
    if($dbarray['userlevel'] < 2){ return 3; //Indicates account has not been activated
    }

    /**
    * usernameTaken - Returns true if the username has
    * been taken by another user, false otherwise.
    */
    function usernameTaken($username){
    if(!get_magic_quotes_gpc()){
    $username = addslashes($username);
    }
    $q = "SELECT username FROM ".TBL_USERS." WHERE username = '$username'";
    $result = mysql_query($q, $this->connection);
    return (mysql_numrows($result) > 0);
    }

    /**
    * usernameBanned - Returns true if the username has
    * been banned by the administrator.
    */
    function usernameBanned($username){
    if(!get_magic_quotes_gpc()){
    $username = addslashes($username);
    }
    $q = "SELECT username FROM ".TBL_BANNED_USERS." WHERE username = '$username'";
    $result = mysql_query($q, $this->connection);
    return (mysql_numrows($result) > 0);
    }

    /**
    * addNewUser - Inserts the given (username, password, email)
    * info into the database. Appropriate user level is set.
    * Returns true on success, false otherwise.
    */
    function addNewUser($username, $password, $email, $firstname, $sirname, $address1, $address2, $suburb, $city, $postcode, $phone, $mobile, $fax){
    $time = time();
    /* If admin sign up, give admin user level */
    if(strcasecmp($username, ADMIN_NAME) == 0){
    $ulevel = ADMIN_LEVEL;
    }else{
    $ulevel = USER_LEVEL;
    }
    $q = "INSERT INTO ".TBL_USERS." VALUES ('$username', '$password', '0', '$ulevel', '$email', '$time','$firstname','$sirname','$address1','$address2','$suburb','$city','$postcode','$phone','$mobile','$fax')";
    return mysql_query($q, $this->connection);
    }

    /**
    * updateUserField - Updates a field, specified by the field
    * parameter, in the user's row of the database.
    */
    function updateUserField($username, $field, $value){
    $q = "UPDATE ".TBL_USERS." SET ".$field." = '$value' WHERE username = '$username'";
    return mysql_query($q, $this->connection);
    }

    /**
    * getUserInfo - Returns the result array from a mysql
    * query asking for all information stored regarding
    * the given username. If query fails, NULL is returned.
    */
    function getUserInfo($username){
    $q = "SELECT * FROM ".TBL_USERS." WHERE username = '$username'";
    $result = mysql_query($q, $this->connection);
    /* Error occurred, return given name by default */
    if(!$result || (mysql_numrows($result) < 1)){
    return NULL;
    }
    /* Return result array */
    $dbarray = mysql_fetch_array($result);
    return $dbarray;
    }

    /**
    * getNumMembers - Returns the number of signed-up users
    * of the website, banned members not included. The first
    * time the function is called on page load, the database
    * is queried, on subsequent calls, the stored result
    * is returned. This is to improve efficiency, effectively
    * not querying the database when no call is made.
    */
    function getNumMembers(){
    if($this->num_members < 0){
    $q = "SELECT * FROM ".TBL_USERS;
    $result = mysql_query($q, $this->connection);
    $this->num_members = mysql_numrows($result);
    }
    return $this->num_members;
    }

    /**
    * calcNumActiveUsers - Finds out how many active users
    * are viewing site and sets class variable accordingly.
    */
    function calcNumActiveUsers(){
    /* Calculate number of users at site */
    $q = "SELECT * FROM ".TBL_ACTIVE_USERS;
    $result = mysql_query($q, $this->connection);
    $this->num_active_users = mysql_numrows($result);
    }

    /**
    * calcNumActiveGuests - Finds out how many active guests
    * are viewing site and sets class variable accordingly.
    */
    function calcNumActiveGuests(){
    /* Calculate number of guests at site */
    $q = "SELECT * FROM ".TBL_ACTIVE_GUESTS;
    $result = mysql_query($q, $this->connection);
    $this->num_active_guests = mysql_numrows($result);
    }

    /**
    * addActiveUser - Updates username's last active timestamp
    * in the database, and also adds him to the table of
    * active users, or updates timestamp if already there.
    */
    function addActiveUser($username, $time){
    $q = "UPDATE ".TBL_USERS." SET timestamp = '$time' WHERE username = '$username'";
    mysql_query($q, $this->connection);

    if(!TRACK_VISITORS) return;
    $q = "REPLACE INTO ".TBL_ACTIVE_USERS." VALUES ('$username', '$time')";
    mysql_query($q, $this->connection);
    $this->calcNumActiveUsers();
    }

    /* addActiveGuest - Adds guest to active guests table */
    function addActiveGuest($ip, $time){
    if(!TRACK_VISITORS) return;
    $q = "REPLACE INTO ".TBL_ACTIVE_GUESTS." VALUES ('$ip', '$time')";
    mysql_query($q, $this->connection);
    $this->calcNumActiveGuests();
    }

    /* These functions are self explanatory, no need for comments */

    /* removeActiveUser */
    function removeActiveUser($username){
    if(!TRACK_VISITORS) return;
    $q = "DELETE FROM ".TBL_ACTIVE_USERS." WHERE username = '$username'";
    mysql_query($q, $this->connection);
    $this->calcNumActiveUsers();
    }

    /* removeActiveGuest */
    function removeActiveGuest($ip){
    if(!TRACK_VISITORS) return;
    $q = "DELETE FROM ".TBL_ACTIVE_GUESTS." WHERE ip = '$ip'";
    mysql_query($q, $this->connection);
    $this->calcNumActiveGuests();
    }

    /* removeInactiveUsers */
    function removeInactiveUsers(){
    if(!TRACK_VISITORS) return;
    $timeout = time()-USER_TIMEOUT*60;
    $q = "DELETE FROM ".TBL_ACTIVE_USERS." WHERE timestamp < $timeout";
    mysql_query($q, $this->connection);
    $this->calcNumActiveUsers();
    }

    /* removeInactiveGuests */
    function removeInactiveGuests(){
    if(!TRACK_VISITORS) return;
    $timeout = time()-GUEST_TIMEOUT*60;
    $q = "DELETE FROM ".TBL_ACTIVE_GUESTS." WHERE timestamp < $timeout";
    mysql_query($q, $this->connection);
    $this->calcNumActiveGuests();
    }

    /**
    * query - Performs the given query on the database and
    * returns the result, which may be false, true or a
    * resource identifier.
    */
    function query($query){
    return mysql_query($query, $this->connection);
    }
    }
    }
    /* Create database connection */
    $database = new MySQLDB;

    ?>

    Post  Linchpin311 Wed Mar 18, 2009 11:05 pm

    ahh, the plot thickens! you blame my tutorial... i blame a missing curly bracket!

    first off, constants.php is supposed to hold all your database connection info. database.php just grabs it from there so i would recommend replacing your database connection line in database.php with
    Code:
    $this->connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS) or die(mysql_error());
    mysql_select_db(DB_NAME, $this->connection) or die(mysql_error());

    now to your error... where you have
    Code:
    /* Validate that userlevel is greater than 1 */
    if($dbarray['userlevel'] < 2){ return 3; //Indicates account has not been activated
    }
    you forgot a }. it should look more like
    Code:
    /* Validate that userlevel is greater than 1 */
    if($dbarray['userlevel'] < 2){ return 3; } //Indicates account has not been activated
    }
    when i stuck your database.php in my script, that solved my problem. hopefully it will do the same for you.


    on a side note, constants.php was designed to really be the only thing you need to edit to implement this script. realistically, anyone who wants a beautiful and functional login script will end up editing almost every file in the script. but if you can read through and understand constants.php you should really see how it controls the entire script. and with you controlling constants.php the whole thing seems to all fall into place. and on a side side note, i think constants.php is the answer to another question you posted about emails.
    elvin66
    elvin66


    Number of posts : 24
    Registration date : 2009-03-13

    Send a registration activation email Empty Re: Send a registration activation email

    Post  elvin66 Thu Mar 19, 2009 1:14 am

    I must tell you again how much I appreciate your help. You are a legend ! Ok I see where the curly } was missing. It now works so I can go to the main page and register. You are going to kick me but I have two problems here. Firstly, the script tries to create and open a file in the /activation folder. I have that folder created but I get an error permission denied. This may be a server issue but I will play with it some more.

    The other issue is after fixing the curly bracket, no matter what account I sign in as I get the account not activated error. I have tried with level 1 accounts, level 2 accounts and level 9 accounts. All have the same problem. I am a delphi programmer and I see one problem with the following piece of code.

    /* Retrieve password and userlevel from result, strip slashes */
    $dbarray = mysql_fetch_array($result);
    $dbarray['password'] = stripslashes($dbarray['password']);
    $dbarray['userlevel'] = stripslashes($dbarray['userlevel']);
    $password = stripslashes($password);

    if($dbarray['userlevel'] < 2){
    return 3;//Indicates account has not been activated
    }

    /* Validate that password is correct */
    if($password == $dbarray['password']){
    return 0; //Success! Username and password confirmed
    }
    else{
    return 2; //Indicates password failure
    /* Validate that userlevel is greater than 1 */
    }
    }


    The above code is doing two checks.
    1: Check to see if the user level is above 1 (or less than 2). If so, return 3

    2: Check the password matches the database password.

    What this is actually doing is evaluating the first IF statement then setting the "return" to 3 even if the user level is 2 or 9.

    It sounds impossible but it is true ! I will pull my hair out finding this answer haha.

    I tried putting the userlevel check after the password check but all that did was let me login no matter what level I used as login. Am I missing something simple here ?
    Linchpin311
    Linchpin311


    Number of posts : 220
    Age : 38
    Localisation : Long Island
    Registration date : 2007-05-14

    Send a registration activation email Empty Re: Send a registration activation email

    Post  Linchpin311 Thu Mar 19, 2009 1:53 am

    you are very right about the if statement. i don't know why i never caught this before, but if you alter it like so it should work properly:
    Code:
    /* Validate that password is correct */
    if($password == $dbarray['password']){
       if($dbarray['userlevel'] < 2){
          return 3;//Indicates account has not been activated
       }
       else{
       return 0; //Success! Username, userlevel and password confirmed
       }
    }
    else{
       return 2; //Indicates password failure
    }
    this checks the userlevel only after the password has been validated. does this fix things for you?

    i wrote this a long time ago, and honestly i don't even use it much. i think i am going to start blaming my tutorials too! i really need to get my stuff together and write some more current tutorials to guide the masses. thanks for picking this up!
    elvin66
    elvin66


    Number of posts : 24
    Registration date : 2009-03-13

    Send a registration activation email Empty Re: Send a registration activation email

    Post  elvin66 Thu Mar 19, 2009 5:03 pm

    It returns a 3 no matter what user level I log in as !!! It is as if it is ignoring the code and evaluating every user level to be less than 2. I will try to play with this on my local server with some simple code and see why this is not working as it should. I thank you from the bottom of my heart for putting so much time into this tutorial !!!!
    elvin66
    elvin66


    Number of posts : 24
    Registration date : 2009-03-13

    Send a registration activation email Empty Re: Send a registration activation email

    Post  elvin66 Thu Mar 19, 2009 7:39 pm

    <?php
    /**
    * Database.php
    *
    * The Database class is meant to simplify the task of accessing
    * information from the website's database.
    *
    * Written by: Jpmaster77 a.k.a. The Grandmaster of C++ (GMC)
    * Last Updated: August 17, 2004
    */
    include("constants.php");

    class MySQLDB
    {
    var $connection; //The MySQL database connection
    var $num_active_users; //Number of active users viewing site
    var $num_active_guests; //Number of active guests viewing site
    var $num_members; //Number of signed-up users
    /* Note: call getNumMembers() to access $num_members! */

    /* Class constructor */
    function MySQLDB(){
    /* Make connection to database */
    $this->connection = mysql_connect(DB_SERVER, DB_USER, DB_PASS) or die(mysql_error());
    mysql_select_db(DB_NAME, $this->connection) or die(mysql_error());

    /**
    * Only query database to find out number of members
    * when getNumMembers() is called for the first time,
    * until then, default value set.
    */
    $this->num_members = -1;

    if(TRACK_VISITORS){
    /* Calculate number of users at site */
    $this->calcNumActiveUsers();

    /* Calculate number of guests at site */
    $this->calcNumActiveGuests();
    }
    }

    /**
    * confirmUserPass - Checks whether or not the given
    * username is in the database, if so it checks if the
    * given password is the same password in the database
    * for that user. If the user doesn't exist or if the
    * passwords don't match up, it returns an error code
    * (1 or 2). On success it returns 0.
    */
    function confirmUserPass($username, $password){
    /* Add slashes if necessary (for query) */
    if(!get_magic_quotes_gpc()) {
    $username = addslashes($username);
    }

    /* Verify that user is in database */
    $q = "SELECT password FROM ".TBL_USERS." WHERE username = '$username'";
    $result = mysql_query($q, $this->connection);
    if(!$result || (mysql_numrows($result) < 1)){
    return 1; //Indicates username failure
    }

    /* Retrieve password from result, strip slashes */
    $dbarray = mysql_fetch_array($result);
    $dbarray['password'] = stripslashes($dbarray['password']);
    $dbarray['userlevel'] = stripslashes($dbarray['userlevel']);
    $password = stripslashes($password);

    //*********************************************************************************************************
    /* Validate that password is correct and userlevel is above 1 or activated*/
    if($password == $dbarray['password']){
    if($dbarray['userlevel'] < 2){
    return 3; //Indicates account has not been activated
    }

    else{
    return 0; //Success! Username, userlevel and password confirmed
    }
    }
    else{
    return 2; //Indicates password failure
    }
    }
    //*********************************************************************************************************
    /**
    * confirmUserID - Checks whether or not the given
    * username is in the database, if so it checks if the
    * given userid is the same userid in the database
    * for that user. If the user doesn't exist or if the
    * userids don't match up, it returns an error code
    * (1 or 2). On success it returns 0.
    */
    function confirmUserID($username, $userid){
    /* Add slashes if necessary (for query) */
    if(!get_magic_quotes_gpc()) {
    $username = addslashes($username);
    }

    /* Verify that user is in database */
    $q = "SELECT userid FROM ".TBL_USERS." WHERE username = '$username'";
    $result = mysql_query($q, $this->connection);
    if(!$result || (mysql_numrows($result) < 1)){
    return 1; //Indicates username failure
    }

    /* Retrieve userid from result, strip slashes */
    $dbarray = mysql_fetch_array($result);
    $dbarray['userid'] = stripslashes($dbarray['userid']);
    $userid = stripslashes($userid);

    /* Validate that userid is correct */
    if($userid == $dbarray['userid']){
    return 0; //Success! Username and userid confirmed
    }
    else{
    return 2; //Indicates userid invalid
    }
    }

    /**
    * usernameTaken - Returns true if the username has
    * been taken by another user, false otherwise.
    */
    function usernameTaken($username){
    if(!get_magic_quotes_gpc()){
    $username = addslashes($username);
    }
    $q = "SELECT username FROM ".TBL_USERS." WHERE username = '$username'";
    $result = mysql_query($q, $this->connection);
    return (mysql_numrows($result) > 0);
    }

    /**
    * usernameBanned - Returns true if the username has
    * been banned by the administrator.
    */
    function usernameBanned($username){
    if(!get_magic_quotes_gpc()){
    $username = addslashes($username);
    }
    $q = "SELECT username FROM ".TBL_BANNED_USERS." WHERE username = '$username'";
    $result = mysql_query($q, $this->connection);
    return (mysql_numrows($result) > 0);
    }

    /**
    * addNewUser - Inserts the given (username, password, email)
    * info into the database. Appropriate user level is set.
    * Returns true on success, false otherwise.
    */
    function addNewUser($username, $password, $email, $firstname, $sirname, $address1, $address2, $suburb, $city, $postcode, $phone, $mobile, $fax){
    $time = time();
    /* If admin sign up, give admin user level */
    if(strcasecmp($username, ADMIN_NAME) == 0){
    $ulevel = ADMIN_LEVEL;
    }else{
    $ulevel = USER_LEVEL;
    }
    $q = "INSERT INTO ".TBL_USERS." VALUES ('$username', '$password', '0', '$ulevel', '$email',

    '$time','$firstname','$sirname','$address1','$address2','$suburb','$city','$postcode','$phone','$mobile','$fax')";
    return mysql_query($q, $this->connection);
    }

    /**
    * updateUserField - Updates a field, specified by the field
    * parameter, in the user's row of the database.
    */
    function updateUserField($username, $field, $value){
    $q = "UPDATE ".TBL_USERS." SET ".$field." = '$value' WHERE username = '$username'";
    return mysql_query($q, $this->connection);
    }

    /**
    * getUserInfo - Returns the result array from a mysql
    * query asking for all information stored regarding
    * the given username. If query fails, NULL is returned.
    */
    function getUserInfo($username){
    $q = "SELECT * FROM ".TBL_USERS." WHERE username = '$username'";
    $result = mysql_query($q, $this->connection);
    /* Error occurred, return given name by default */
    if(!$result || (mysql_numrows($result) < 1)){
    return NULL;
    }
    /* Return result array */
    $dbarray = mysql_fetch_array($result);
    return $dbarray;
    }

    /**
    * getNumMembers - Returns the number of signed-up users
    * of the website, banned members not included. The first
    * time the function is called on page load, the database
    * is queried, on subsequent calls, the stored result
    * is returned. This is to improve efficiency, effectively
    * not querying the database when no call is made.
    */
    function getNumMembers(){
    if($this->num_members < 0){
    $q = "SELECT * FROM ".TBL_USERS;
    $result = mysql_query($q, $this->connection);
    $this->num_members = mysql_numrows($result);
    }
    return $this->num_members;
    }

    /**
    * calcNumActiveUsers - Finds out how many active users
    * are viewing site and sets class variable accordingly.
    */
    function calcNumActiveUsers(){
    /* Calculate number of users at site */
    $q = "SELECT * FROM ".TBL_ACTIVE_USERS;
    $result = mysql_query($q, $this->connection);
    $this->num_active_users = mysql_numrows($result);
    }

    /**
    * calcNumActiveGuests - Finds out how many active guests
    * are viewing site and sets class variable accordingly.
    */
    function calcNumActiveGuests(){
    /* Calculate number of guests at site */
    $q = "SELECT * FROM ".TBL_ACTIVE_GUESTS;
    $result = mysql_query($q, $this->connection);
    $this->num_active_guests = mysql_numrows($result);
    }

    /**
    * addActiveUser - Updates username's last active timestamp
    * in the database, and also adds him to the table of
    * active users, or updates timestamp if already there.
    */
    function addActiveUser($username, $time){
    $q = "UPDATE ".TBL_USERS." SET timestamp = '$time' WHERE username = '$username'";
    mysql_query($q, $this->connection);

    if(!TRACK_VISITORS) return;
    $q = "REPLACE INTO ".TBL_ACTIVE_USERS." VALUES ('$username', '$time')";
    mysql_query($q, $this->connection);
    $this->calcNumActiveUsers();
    }

    /* addActiveGuest - Adds guest to active guests table */
    function addActiveGuest($ip, $time){
    if(!TRACK_VISITORS) return;
    $q = "REPLACE INTO ".TBL_ACTIVE_GUESTS." VALUES ('$ip', '$time')";
    mysql_query($q, $this->connection);
    $this->calcNumActiveGuests();
    }

    /* These functions are self explanatory, no need for comments */

    /* removeActiveUser */
    function removeActiveUser($username){
    if(!TRACK_VISITORS) return;
    $q = "DELETE FROM ".TBL_ACTIVE_USERS." WHERE username = '$username'";
    mysql_query($q, $this->connection);
    $this->calcNumActiveUsers();
    }

    /* removeActiveGuest */
    function removeActiveGuest($ip){
    if(!TRACK_VISITORS) return;
    $q = "DELETE FROM ".TBL_ACTIVE_GUESTS." WHERE ip = '$ip'";
    mysql_query($q, $this->connection);
    $this->calcNumActiveGuests();
    }

    /* removeInactiveUsers */
    function removeInactiveUsers(){
    if(!TRACK_VISITORS) return;
    $timeout = time()-USER_TIMEOUT*60;
    $q = "DELETE FROM ".TBL_ACTIVE_USERS." WHERE timestamp < $timeout";
    mysql_query($q, $this->connection);
    $this->calcNumActiveUsers();
    }

    /* removeInactiveGuests */
    function removeInactiveGuests(){
    if(!TRACK_VISITORS) return;
    $timeout = time()-GUEST_TIMEOUT*60;
    $q = "DELETE FROM ".TBL_ACTIVE_GUESTS." WHERE timestamp < $timeout";
    mysql_query($q, $this->connection);
    $this->calcNumActiveGuests();
    }

    /**
    * query - Performs the given query on the database and
    * returns the result, which may be false, true or a
    * resource identifier.
    */
    function query($query){
    return mysql_query($query, $this->connection);
    }
    }

    /* Create database connection */
    $database = new MySQLDB;

    ?>
    elvin66
    elvin66


    Number of posts : 24
    Registration date : 2009-03-13

    Send a registration activation email Empty Re: Send a registration activation email

    Post  elvin66 Thu Mar 19, 2009 7:40 pm

    I can't find why it always returns a 3 but I have added some ************ around the code so you can find it quicker
    Linchpin311
    Linchpin311


    Number of posts : 220
    Age : 38
    Localisation : Long Island
    Registration date : 2007-05-14

    Send a registration activation email Empty Re: Send a registration activation email

    Post  Linchpin311 Thu Mar 19, 2009 7:55 pm

    did you try editing the code like i said in the post above?

    my mistake with what you have is that it checks the userlevel before checking the password which can cause some big problems. if you check out the newly edited code in the post above, it checks the userlevel only after the password has been confirmed. see what this does for you?
    elvin66
    elvin66


    Number of posts : 24
    Registration date : 2009-03-13

    Send a registration activation email Empty Re: Send a registration activation email

    Post  elvin66 Thu Mar 19, 2009 8:57 pm

    Yes I did already do that. If you look at the code between the ******** you will see it is as you wrote it. I just formatted the lines very slightly differently but it reads the same. doesn't it ?? Wheww
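
Added example, not part of any post in this thread and not the login script's own code: the posted confirmUserPass() runs `SELECT password FROM ...` and then reads `$dbarray['userlevel']`, a column that query never fetched. The sketch below selects both columns, checks the password before the activation level, and binds the username as a parameter. PDO, the in-memory SQLite table `users` and the SHA-256 stand-in for the stored password form are assumptions made so the block runs offline.

```php
<?php
// Added example, not code from the thread or from jpmaster77's script.
// Return codes follow the thread: 0 = ok, 1 = unknown user,
// 2 = wrong password, 3 = account not activated (userlevel < 2).
// Assumptions: PDO instead of mysql_*, a table named `users`, and a caller
// that passes the password in the same form as the stored value.

function confirmUserPass(PDO $db, string $username, string $password): int
{
    // Ask for every column that is read below. A query for `password` alone
    // leaves $row['userlevel'] unset, and an unset value compares as < 2.
    $stmt = $db->prepare(
        'SELECT password, userlevel FROM users WHERE username = ?'
    );
    $stmt->execute([$username]); // bound parameter, no addslashes() needed
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return 1;
    }

    // Password first: the activation state is only revealed to a caller
    // who already knows the password. hash_equals() compares in constant time.
    if (!hash_equals((string) $row['password'], $password)) {
        return 2;
    }

    // Cast before comparing so the check never depends on string juggling.
    return ((int) $row['userlevel'] < 2) ? 3 : 0;
}

// Constructed sample data in an in-memory SQLite database (needs pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, userlevel INTEGER)');
$insert = $db->prepare('INSERT INTO users VALUES (?, ?, ?)');
$stored = fn(string $pw): string => hash('sha256', $pw); // stand-in for the stored form
foreach ([['newbie', 'pw1', 1], ['member', 'pw2', 2], ['admin', 'pw3', 9]] as [$name, $pw, $level]) {
    $insert->execute([$name, $stored($pw), $level]);
}

$attempts = [
    ['newbie', 'pw1'],   // right password, level 1
    ['member', 'pw2'],   // right password, level 2
    ['admin',  'pw3'],   // right password, level 9
    ['admin',  'wrong'], // wrong password
    ['nobody', 'pw1'],   // unknown user
];
foreach ($attempts as [$name, $pw]) {
    printf("%-7s %-6s -> %d\n", $name, $pw, confirmUserPass($db, $name, $stored($pw)));
}

// The failure mode from the thread: select only `password`, then read userlevel.
$row = $db->query("SELECT password FROM users WHERE username = 'admin'")->fetch(PDO::FETCH_ASSOC);
var_dump(array_key_exists('userlevel', $row), ($row['userlevel'] ?? null) < 2);
```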
