Home/ Questions/Q 6997021
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-27T20:13:52+00:00

I’m getting errors with the PHP login script I am using on my site.

  • 0

I’m getting errors with the PHP login script I am using on my site.

I wanted to add code which checks if the user is banned when he/she logs in.

But for some reason(s), it’s not working properly; it always outputs “You are banned,” even if the ban field/attribute contains on “n” for false in the MySQL “users” table.

I’ve tried fixing the code, but I still get errors. This is my code:

$bancheck = mysql_query("SELECT * FROM users WHERE ban = '".$_POST['username']."'" ) or die(mysql_error());
$ban = mysql_fetch_array($bancheck);    

if ($ban = 'y') {
  die('You are banned...');
}

The MySQL field which I’ve to check against is called “ban” and value is either “y” for “true,” or “n” for “false.”

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    1: Should be a comparison, not an assignment.

    This line is incorrect:

    if ($ban = 'y') {{

    It should be:

    if ($ban == 'y') {

    I’m assuming there’s an extra brace there by accident also.

    2: SQL injection

    You should not pass your string straight from $_POST into your MySql as you are vulnerable to SQL injection. You should escape it like so:

    $bancheck = mysql_query("SELECT * FROM users WHERE ban = '".mysql_real_escape_string($_POST['username'])."'" )or die(mysql_error());

    3: Ban != user

    You should not compare ban to the username passed in via the form anyway, as ban will either hold the string ‘y’ or ‘n’. You should compare the username (passed in) to the approriate username field in your database table. Like so:

    $bancheck = mysql_query("SELECT * FROM users WHERE username = '".mysql_real_escape_string($_POST['username'])."'" )or die(mysql_error());

    4: Proper iteration & comparison

    Instead of the mysql_fetch_array() function I’d use the mysql_fetch_assoc() function because it returns an associative array.

    This will return an associative array for each row returned (contained in the MySql resource $bancheck) so you need to iterative through them (even though it should only return one array) like so:

    while($ROW = mysql_fetch_assoc($bancheck))
{
    if('y' == $ROW['ban']) {

        die('You are banned...');
    
    }
}

    But I’d add in some more code just to help with any other problems:

    $count = mysql_num_rows($bancheck);
if($count > 1)
{
    die('More than one user with that username');    
}
elseif($count > 0)
{
    while($ROW = mysql_fetch_assoc($bancheck))
    {
        if('y' == $ROW['ban']) {

            die('You are banned...');
        
        }
    }
}
else //i.e. $count<=0
{
    die('No users with that username');
}
    • 0