YA: Login Checks 20130618122444AAd3LfO

<?php
// Yahoo Answers' Question: http://answers.yahoo.com/question/index?qid=20130618122444AAd3LfO

session_start();
$message = '';

if( isset($_POST['login']) ){
    $username = addslashes( strip_tags( trim( $_POST['username'] ) ) ); // Although you should be using your databases escaping function
    $password = addslashes( strip_tags( trim( $_POST['password'] ) ) );

    if( isset($username{0}) && isset($password{0}) ){
        // No Reason to waste the connection, unless it is actually needed.
        require_once( 'dbConnect.php' );

        // MD5 Hash the password
        $password = md5($password);

        $stmt = "SELECT userName,active,email FROM user WHERE userName='{$username}' AND password='{$password}' LIMIT 1";
        $result = mysql_query($stmt);

        if( !$result ){
            $message .= 'Internal Error: ' . mysql_error() . '<br />';
        }else if( mysql_num_rows($result) === 0){
            // Never tell someone that the username is correct, while the password
            // is incorrect. It simply opens yourself up to brute force attacks.
            $message .= 'Username/Password combo is incorrect. Please try again.';
        }else{
            $row = mysql_fetch_assoc($result); // Only one row returned, no need for a while loop for one.
            $active = (int)$row['active'];
            $email = $row['email'];
            if( $active === 0 ){
                // Never show a full email address, when the viewer might not be the owner of the address.
                // This will show the user the first three characters of the username, then filled with '*',
                // then the domain. Enough for someone who knows, to know which of their addresses they
                // registered with (Privacy).
                list( $eUser, $domain) = explode( '@', $row['email'], 2); // Although it doesn't account for all emails, it does account for 99.99% of email addresses.
                $len = strlen($eUser);
                $eUser = substr($eUser, 0, 3) . str_pad('', ($len - 3), '*');
                $email = $eUser . '@' . $domain;
                $message .= "You haven't activated your account, Please check ($email) to activate this account.<br />";
            }else{
                $_SESSION['username'] = $row['username'];
                header('Location: login.php'); // This might not be the page you wanted.
                exit;
            }
        }
    }else{
        $message .= 'Both Username and Password are required.';
    }
}

if( isset($message{1})){
    $message = '<p style="font-weight: bold;">' . $message . '</p>' . PHP_EOL;
}

if( isset($_SESSION['username']) ){
    echo "You are logged in, " . $_SESSION['username'] . ". <a href='logout.php'>Log out</a>";
}else{
    echo '
    <div id="login-wrapper" class="png_bg">
        <div id="login-top">
            <img title="Greeny Logo" alt="Greeny Logo" src="images/Logo.png" />
        </div>
        ' . $message . '
        <div id="login-content">
            <form method="post" action="login.php">
                <p>
                    <label>Username</label>
                    <input class="text-input" type="text" name="username" />
                </p>
                <br style="clear: both;">
                <br />
                <p>
                    <label>Password</label>
                    <input class="text-input" type="password" name="password" />
                </p>
                <br style="clear: both;">
                <br />
                <p>
                    <input class="button" type="submit" value="Sign In" name="login" />
                </p>
            </form>
        </div>
    </div>
    <div id="dummy"></div>
    <div id="dummy2"></div>';
}