I have a website for which some areas/functions are available only to authenticated users. Some users existed before the website did, and currently have active subscriptions. Thus, their information exists (necessarily) in the database, but those accounts should not be accessible by anyone -- even the user to whom they belong -- until they verify their information, receive a link via email with hashed parameters, and set their password.
So: I want to store these users in the Users table, but I don't want them to be able to sign in to the website just yet.
Currently, my database is set up like this:

Table: Users

email  | password         | salt
-------+------------------+-----------------
User1  |                  |                  // password and salt are
User2  |                  |                  // empty strings, not NULL
User3  | md5(pass + salt) | rand(10-digits)
User4  | md5(pass + salt) | rand(10-digits)

Table: Non-Registered Users

email  | identify1 | identify2
-------+-----------+-----------
User1  | secret1a  | secret1b
User2  | secret2a  | secret2b
And my accessControl.php, with some pseudo code for brevity:

<?php
session_start();

if (isset($_POST['email']) && isset($_POST['password'])) {
    // Step 1: look up the salt stored for this email address
    $sql1 = "SELECT salt FROM Users WHERE email = :email";
    .... // prepare and execute, result in $result1

    if (!empty($result1)) {
        // Step 2: hash the submitted password with that salt and look for a matching row
        $hash = hash('sha256', $_POST['password'] . $result1['salt']);
        $sql2 = "SELECT * FROM Users WHERE password = :hash AND email = :email";
        .... // prepare and execute, result in $result2

        if (!empty($result2)) {
            $_SESSION['email']    = $_POST['email'];
            $_SESSION['password'] = $_POST['password'];
        }
    }
} elseif (isset($_SESSION['email']) && isset($_SESSION['password'])) {
    // do pretty much the same check as above
} else {
    // force login
}
?>
So, my question is: Is it possible for a non-registered user to log in without setting their password first? It's not possible to match a blank field with a SHA-256 of anything, right? I'm concerned that I'm overlooking something obvious.
Please and thank you!! :3
The SHA-256 output will always be 256 bits, so it will never match an empty string. That being said, your pseudo code does not fully describe how you are validating the user input, so you could still be susceptible to a SQL injection attack.
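The following is an added example, not code from the asker or the answerer, showing how the same login check can be written so that it does not depend on "an empty hash can never match": accounts whose password field is still empty are refused by an explicit test, the query is a prepared statement with a bound parameter (the injection point the answer raises), the hash is produced and checked with password_hash()/password_verify() so no separate salt column is needed, and only the identity, never the plaintext password, is kept in the session. The in-memory SQLite table, the email addresses and the passwords are constructed for the demonstration; the PDO sqlite driver is assumed to be available.

```php
<?php
// Added example (not the asker's or answerer's code). Assumes PDO with the
// sqlite driver. The table and its rows are constructed sample data.

function buildSampleDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE Users (email TEXT PRIMARY KEY, password TEXT NOT NULL)');
    $ins = $db->prepare('INSERT INTO Users (email, password) VALUES (:email, :password)');
    // Pre-existing subscriber who has not yet set a password: empty string, as in the question.
    $ins->execute([':email' => 'user1@example.com', ':password' => '']);
    // Activated user: password_hash() embeds its own random salt in the stored string.
    $ins->execute([':email' => 'user3@example.com',
                   ':password' => password_hash('correct horse', PASSWORD_DEFAULT)]);
    return $db;
}

// Returns the email of the authenticated user, or null. Unknown email,
// not-yet-activated account and wrong password all yield the same null.
function authenticate(PDO $db, string $email, string $password): ?string {
    // Hash computed once and reused so the unknown-email path costs as much as a real check.
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('placeholder-not-a-real-password', PASSWORD_DEFAULT);
    }

    // Bound parameter: the submitted email never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT email, password FROM Users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false) {
        password_verify($password, $dummyHash);
        return null;
    }
    if ($row['password'] === '') {
        // Explicit gate for rows that exist but have not completed the
        // verify-email-and-set-password flow, whatever the submitted password is.
        return null;
    }
    if (!password_verify($password, $row['password'])) {
        return null;
    }
    return $row['email'];
}

// Equivalent of the POST branch in accessControl.php. $session stands in for
// $_SESSION so the function can be exercised outside a web request.
function handleLogin(PDO $db, array $post, array &$session): bool {
    if (!isset($post['email'], $post['password'])) {
        return false;
    }
    $email = authenticate($db, (string) $post['email'], (string) $post['password']);
    if ($email === null) {
        return false;
    }
    // Keep only the identity in the session; the plaintext password is never stored.
    $session['email'] = $email;
    return true;
}

if (PHP_SAPI === 'cli') {
    $db = buildSampleDb();
    $session = [];
    // Pending account submitting an empty password (the case the question asks about).
    var_dump(handleLogin($db, ['email' => 'user1@example.com', 'password' => ''], $session));
    // Activated account, wrong password.
    var_dump(handleLogin($db, ['email' => 'user3@example.com', 'password' => 'wrong'], $session));
    // Activated account, correct password.
    var_dump(handleLogin($db, ['email' => 'user3@example.com', 'password' => 'correct horse'], $session));
    var_dump($session);
}
```

Run it with php from the command line: the first two attempts return false and leave the session empty, the third returns true and puts only the email in the session. The empty-password check happens before any hash comparison, so the pending accounts stay locked even if the hashing scheme is later changed; for the session branch of the original script, storing the email (or a user id) and checking that the row still has a non-empty password on each request avoids having to re-verify a plaintext password kept in $_SESSION.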