
I want to prevent unpaid users from logging in to my website, and this is my login page PHP code.

```php
<?php
session_start();
include_once('includes/config.php');   // provides the $con mysqli connection

if (isset($_POST['login']))
{
    $pass = md5($_POST['password']);
    $useremail = $_POST['uemail'];

    // Look up the user by e-mail and hashed password
    $ret = mysqli_query($con, "SELECT id,fname FROM users WHERE email='$useremail' and
    password='$pass'");

    // mysqli_fetch_array() returns the matching row, or null when there is none
    $num = mysqli_fetch_array($ret);
    if ($num)
    {
        $_SESSION['id'] = $num['id'];
        $_SESSION['name'] = $num['fname'];

        header("location:welcome.php");
        exit;   // stop running the script after the redirect
    }
    else
    {
        echo "<script>alert('Invalid username or password');</script>";
    }
}
?>
```

and the MySQL table columns: `id`, `username`, `email`, `password`, `paid_unpaid`

In this database I want to prevent unpaid users from accessing the website.

James Westgate
    **Warning:** Your code is vulnerable to SQL Injection attacks. You should use parameterised queries and prepared statements to help prevent attackers from compromising your database by using malicious input values. http://bobby-tables.com gives an explanation of the risks, as well as some examples of how to write your queries safely using PHP / mysqli. **Never** insert unsanitised data directly into your SQL. The way your code is written now, someone could easily steal, incorrectly change, or even delete your data. – ADyson Aug 23 '22 at 13:32
  • https://phpdelusions.net/mysqli also contains good examples of writing safe SQL using mysqli. See also the [mysqli documentation](https://www.php.net/manual/en/mysqli.quickstart.prepared-statements.php) and this: [How can I prevent SQL injection in PHP?](https://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Parameterising your queries will also greatly reduce the risk of accidental syntax errors as a result of un-escaped or incorrectly quoted input values. If you learnt your current technique from a tutorial or book, please don't use it again. – ADyson Aug 23 '22 at 13:32
    Also, please don't store passwords using the obsolete, insecure md5 algorithm - that is another security risk. Learn about PHP's built-in, up-to-date, secure [password hashing and verification functions](https://www.php.net/manual/en/faq.passwords.php) instead. See also [How to use PHP's password_hash to hash and verify passwords](https://stackoverflow.com/questions/30279321/how-to-use-phps-password-hash-to-hash-and-verify-passwords). – ADyson Aug 23 '22 at 13:33
  • I guess you copied this code off some dodgy, out-of-date tutorial and don't really understand it. And anyway it's unclear where you're having a problem...this is just the login bit. If you want to stop people accessing a specific page you have to write some code on that page to check if the Session values created by a successful login process are present or not. Any _worthwhile_ login tutorial would show you that already. – ADyson Aug 23 '22 at 13:33

1 Answer

Just create a `paid-status` enum(0,1) column in the login table: 1 if paid, else default 0. Then check:

```php
// The hyphenated column name must be backtick-quoted, otherwise MySQL parses it as `paid - status`
$ret = mysqli_query($con, "SELECT id,fname,`paid-status` FROM users WHERE email='$useremail' and
password='$pass' and `paid-status`='1'");
```

In the payment screen, update `paid-status` from 0 to 1 for that particular logged-in user.

T.S.
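The following is an added example, not code from the question or the answer: it combines the answer's paid-status check with the prepared statements and `password_verify()` that the comments recommend. It assumes the question's `users` table, that `paid_unpaid` holds 1 for paid and 0 for unpaid, and that the `password` column stores `password_hash()` output rather than md5.

```php
<?php
// Added example, not from the question or answer. Assumes the question's `users` table,
// that `paid_unpaid` is 1 for paid / 0 for unpaid, and that `password` holds a
// password_hash() value (the form field names `uemail` and `password` are from the question).
session_start();
include_once('includes/config.php');   // provides the $con mysqli connection, as in the question

if (isset($_POST['login'])) {
    $useremail = $_POST['uemail'] ?? '';
    $password  = $_POST['password'] ?? '';

    // Parameterised query: the submitted e-mail is bound as data, never spliced into the SQL text.
    $stmt = mysqli_prepare($con,
        "SELECT id, fname, password, paid_unpaid FROM users WHERE email = ?");
    mysqli_stmt_bind_param($stmt, 's', $useremail);
    mysqli_stmt_execute($stmt);
    $row = mysqli_fetch_assoc(mysqli_stmt_get_result($stmt));

    // Verify the password against the stored hash first, then apply the paid-status gate.
    if ($row && password_verify($password, $row['password'])) {
        if ((int)$row['paid_unpaid'] !== 1) {
            // Credentials are correct but the account is unpaid: do not create a session.
            echo "<script>alert('Your account has not been paid for yet');</script>";
        } else {
            session_regenerate_id(true);      // new session id on login, avoids session fixation
            $_SESSION['id']   = $row['id'];
            $_SESSION['name'] = $row['fname'];
            $_SESSION['paid'] = 1;
            header('Location: welcome.php');
            exit;                             // stop the script after the redirect
        }
    } else {
        // Same message for unknown e-mail and wrong password
        echo "<script>alert('Invalid username or password');</script>";
    }
}
?>
```

As ADyson's comment notes, the login gate alone is not enough: welcome.php and every other paid-only page must itself check that `$_SESSION['id']` is set (and, here, that `$_SESSION['paid']` is 1) and redirect to the login page otherwise, or the page can be reached by typing its URL directly.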