Confirmation link won't activate
So, after registration I post a link to verify the account; the link contains the user's email address and a 32-character code, like this:
$to = $email;
$subject = 'Signup | Verification';
$message = '
Thanks for signing up!
Your account has been created, you can login with the following credentials after you have activated your account by pressing the url below.
------------------------
Username: '.$username.'
Password: '.$password.'
------------------------
Please click this link to activate your account:
localhost:8888/website/verify.php?email='.$email.'&hash='.$hash.'
';
$headers = 'From:myemail@email.com' . "\r\n";
mail($to, $subject, $message, $headers);
That part is all working fine; I get a message with a link:
http://localhost:8888/website/verify.php?email=myemail@email.com&hash=fe646d38bc2145ca6c3cf77d52820cd0
The problem occurs when I follow the link and try to activate the account. I request verify.php, but I keep getting "Invalid approach" and Validation is never set to 1.
<?php include "includes/base.php"; ?>
<?php
// Expects ?Email=...&Hash=... in the query string
if(isset($_GET['Email']) && !empty($_GET['Email']) AND isset($_GET['Hash']) && !empty($_GET['Hash'])){
    $email = mysql_escape_string($_GET['Email']);
    $hash = mysql_escape_string($_GET['Hash']);
    // Look for a not-yet-activated row matching both values
    $search = mysql_query("SELECT Email, Hash, Validation FROM users WHERE Email = '".$email."' AND Hash = '".$hash."' AND Validation = 0") or die(mysql_error());
    $match = mysql_num_rows($search);
    if($match > 0){
        // Flip the flag for that row only
        mysql_query("UPDATE users SET Validation = 1 WHERE Email = '".$email."' AND Hash = '".$hash."' AND Validation = 0") or die(mysql_error());
        echo "Your account has been activated, you can now login";
    }else{
        echo "The url is either invalid or you already have activated your account.";
    }
}else{
    echo "Invalid approach, please use the link that has been sent to your email.";
}
?>
1) This code is unsafe, as it has a SQL injection problem. Use prepared statements. Be aware that the mysql_* functions are deprecated and no longer supported.
2) Regarding your code, I found that your GET request has "email" and "hash" all lowercase, but in your PHP code you are using $_GET['Email'] and $_GET['Hash']. You need to change this:
if(isset($_GET['Email']) && !empty($_GET['Email']) AND isset($_GET['Hash']) && !empty($_GET['Hash'])){
$email = mysql_escape_string($_GET['Email']);
$hash = mysql_escape_string($_GET['Hash']);
to this:
if(isset($_GET['email']) && !empty($_GET['email']) AND isset($_GET['hash']) && !empty($_GET['hash'])){
    $email = mysql_escape_string($_GET['email']);
    $hash = mysql_escape_string($_GET['hash']);
or change your GET request to the following:
http://localhost:8888/website/verify.php?Email=myemail@email.com&Hash=fe646d38bc2145ca6c3cf77d52820cd0
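As an added example (not code from the question or from either answer), here is verify.php rewritten along the lines of point 1: PDO prepared statements instead of mysql_*, the GET keys spelled exactly as the emailed link spells them, and one UPDATE that both checks and sets Validation. The DSN, credentials, $pdo variable and the users table layout (Email, Hash, Validation) are assumptions.

```php
<?php
// Added example, not the original verify.php: PDO prepared statements, query keys
// matching the link (?email=...&hash=...), and a single atomic UPDATE.
// Assumptions: table `users` with columns Email, Hash, Validation; constructed DSN below.
declare(strict_types=1);

$pdo = new PDO('mysql:host=127.0.0.1;dbname=website;charset=utf8mb4', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES   => false,   // real server-side prepares
]);

// $_GET keys are case-sensitive: the mailed link uses lowercase 'email' and 'hash'.
$email = filter_input(INPUT_GET, 'email', FILTER_VALIDATE_EMAIL);
$hash  = $_GET['hash'] ?? '';

// Sanity checks before touching the database: a syntactically valid address and a
// 32-character lowercase hex token (the shape of the hash in the question's link).
if ($email === false || $email === null || !preg_match('/\A[0-9a-f]{32}\z/', $hash)) {
    http_response_code(400);
    exit('Invalid approach, please use the link that has been sent to your email.');
}

// One UPDATE does lookup and activation together, so there is no gap between a
// SELECT and a later UPDATE in which the row could change. Values are bound, never
// concatenated into the SQL string, which is what removes the injection problem.
$stmt = $pdo->prepare(
    'UPDATE users SET Validation = 1 WHERE Email = :email AND Hash = :hash AND Validation = 0'
);
$stmt->execute([':email' => $email, ':hash' => $hash]);

// rowCount() is the number of rows changed: exactly one on a first, valid activation.
if ($stmt->rowCount() === 1) {
    echo 'Your account has been activated, you can now login';
} else {
    echo 'The url is either invalid or you already have activated your account.';
}
```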
Change 'Hash' to 'hash' and 'Email' to 'email' (in the script, but not in the link you are sending).
Also, your code is susceptible to a SQL injection attack because you directly use the values in the URL to query your database. Please use mysql_real_escape_string and perform some sanity checks before making a request.