Confirmation link won't activate

So, after registering I send a link to verify the account; the link contains the user's email address and a 32-character code:

    $to      = $email;
    $subject = 'Signup | Verification';
    $message = '

    Thanks for signing up!
    Your account has been created, you can login with the following credentials after you have activated your account by pressing the url below.

    ------------------------
    Username: '.$username.'
    Password: '.$password.'
    ------------------------

    Please click this link to activate your account:
    localhost:8888/website/verify.php?email='.$email.'&hash='.$hash.'
    ';

    $headers = 'From:myemail@email.com' . "\r\n";
    mail($to, $subject, $message, $headers);


All of that works fine; I get a message with a link:

http://localhost:8888/website/verify.php?email=myemail@email.com&hash=fe646d38bc2145ca6c3cf77d52820cd0


The problem occurs when I follow the link and try to activate the account. I request verify.php but I keep getting the "invalid approach" message and I cannot set Validation to 1.

    <?php include "includes/base.php"; ?>

    <?php
    if(isset($_GET['Email']) && !empty($_GET['Email']) AND isset($_GET['Hash']) && !empty($_GET['Hash'])){
        $email = mysql_escape_string($_GET['Email']);
        $hash = mysql_escape_string($_GET['Hash']);
        $search = mysql_query("SELECT Email, Hash, Validation FROM users WHERE Email = '".$email."' AND Hash = '".$hash."' AND Validation = 0") or die(mysql_error());
        $match  = mysql_num_rows($search);

        if($match > 0){
            mysql_query("UPDATE users SET Validation = 1 WHERE Email = '".$email."' AND Hash = '".$hash."' AND Validation = 0") or die(mysql_error());
            echo "Your account has been activated, you can now login";
        }else{
            echo "The url is either invalid or you already have activated your account.";
        }
    }else{
        echo "Invalid approach, please use the link that has been sent to your email.";
    }
    ?>


+3




3 answers


1) This code is unsafe as it has a SQL injection problem. Use prepared statements. Be aware that the mysql_* functions are no longer supported and are deprecated.

2) Regarding your code, I found that your GET request has "email" and "hash" all lowercase, but in your PHP code you are using $_GET['Email'] and $_GET['Hash']. You need to change this:

    if(isset($_GET['Email']) && !empty($_GET['Email']) AND isset($_GET['Hash']) && !empty($_GET['Hash'])){
        $email = mysql_escape_string($_GET['Email']);
        $hash = mysql_escape_string($_GET['Hash']);

to this:

    if(isset($_GET['email']) && !empty($_GET['email']) AND isset($_GET['hash']) && !empty($_GET['hash'])){
        $email = mysql_escape_string($_GET['email']);
        $hash = mysql_escape_string($_GET['hash']);

or change your GET request to the following:

http://localhost:8888/website/verify.php?Email=myemail@email.com&Hash=fe646d38bc2145ca6c3cf77d52820cd0


+2




Change Hash to hash and Email to email (the key in the PHP code, not the link you are sending).



Also, your code is susceptible to SQL injection attack because you directly use the values in the URL to query your database. Please use mysql_real_escape_string and perform some sanity checks before making a request.

0
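Both answers above make the same two points: the query-string keys must match the emailed link (lowercase), and the values must not be concatenated into SQL. The following verify.php is an added example written for this page, not the asker's code or any answerer's: it uses PDO prepared statements instead of the mysql_* functions, validates the two parameters before the database is touched, and does the check and the activation in one UPDATE. It assumes the `users` table with the Email, Hash and Validation columns from the question, that the 32-character hash is lowercase hex as in the link shown, and placeholder database credentials.

```php
<?php
// Added example (not the asker's or the answerers' code): verify.php rewritten with
// PDO prepared statements, lowercase query keys matching the emailed link, and
// input validation before the database is touched.
// Assumptions: a table `users` with columns Email, Hash, Validation as in the
// question; the DSN and credentials below are placeholders.

declare(strict_types=1);

function connect(): PDO
{
    // Placeholder DSN/credentials: replace with the real ones.
    return new PDO('mysql:host=localhost;dbname=website;charset=utf8mb4', 'dbuser', 'dbpass', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false,
    ]);
}

// How the 32-character hash is assumed to have been generated at signup
// (the question does not show this): 16 random bytes, hex-encoded.
function make_verification_hash(): string
{
    return bin2hex(random_bytes(16));
}

// Sanity checks on the raw query-string values: the link carries an e-mail
// address and a 32-character hex token, so reject anything that does not look
// like that before it reaches a query. Returns null when the input is unusable.
function validate_input(array $get): ?array
{
    if (!isset($get['email'], $get['hash'])) {
        return null;
    }
    $email = filter_var($get['email'], FILTER_VALIDATE_EMAIL);
    $hash  = $get['hash'];
    if ($email === false || !is_string($hash) || !preg_match('/^[0-9a-f]{32}$/', $hash)) {
        return null;
    }
    return ['email' => $email, 'hash' => $hash];
}

// Activate the account in a single UPDATE. rowCount() tells us whether a row
// matched, so no separate SELECT is needed, and because the values are bound as
// parameters nothing from the URL is ever interpolated into the SQL text.
function activate(PDO $pdo, string $email, string $hash): bool
{
    $stmt = $pdo->prepare(
        'UPDATE users SET Validation = 1 WHERE Email = :email AND Hash = :hash AND Validation = 0'
    );
    $stmt->execute([':email' => $email, ':hash' => $hash]);
    return $stmt->rowCount() === 1;
}

$input = validate_input($_GET);
if ($input === null) {
    http_response_code(400);
    echo 'Invalid approach, please use the link that has been sent to your email.';
    exit;
}

if (activate(connect(), $input['email'], $input['hash'])) {
    echo 'Your account has been activated, you can now login';
} else {
    echo 'The url is either invalid or you already have activated your account.';
}
```

With bound parameters there is nothing to escape, so mysql_real_escape_string is not needed at all; the validation step still rejects malformed input early and answers with a 400 rather than running a query. Folding the SELECT and the UPDATE into one statement also removes the window between "row found" and "row updated" that the original two-query version had.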




There are capital letters in the PHP code, while in the link there are none:

    $_GET['Email']

    verify.php?email=myemail@email.com

0

