Zac Brown Zac Brown - 22 days ago 7
MySQL Question

PHP Account Activation Issues

I wrote a login system for my website. When the user registers, the system emails an activation link to the email address the user provided. The link contains two parameters, email and key. The email parameter has the user's email address and the key parameter has the registration code so that the registration can be verified and changed from pending to confirmed. The activation page is supposed to fetch the Status column from the row that has the email parameter set in the Email column. For some reason, the script decides that any link is valid, and attempts to update the status of the account whether it exists or not.

Here is my code:

<?php

$email = $_GET['email'];
if($email == "") {
header("Location: http://www.zbrowntechnology.info/yard/register.php?message=Invalid Activation Link!");
exit;
}
$key = $_GET['key'];
if($key == "") {
header("Location: http://www.zbrowntechnology.info/yard/register.php?message=Invalid Activation Link!");
exit;
}

$con = mysql_connect("HOST", "USER", "PASS") or die(mysql_error());
mysql_select_db("zach_yardad", $con) or die(mysql_error());
$query1 = "SELECT `Status` FROM Accounts WHERE `Email`='".mysql_real_escape_string($email)."' AND `Status`='".mysql_real_escape_string($key)."'";
$result1 = mysql_query($query1) or die(mysql_error());
if(mysql_num_rows($result1) <= 0) {
header("Location: http://www.zbrowntechnology.info/yard/register.php?message=Invalid Activation Link!");
exit;
} else {
$query = "UPDATE Accounts SET `Status`='Confirmed' WHERE `Email`='$email'";
mysql_query($query) or die(mysql_error());
header("Location: http://www.zbrowntechnology.info/yard/login.php?message=Registration Complete!");
exit;
}

?>


Here is a valid activation link:

http://www.zbrowntechnology.info/yard/activate.php?email=zach@zbrowntechnology.com&key=2772190956485245


It will activate that account by following the link, but it will redirect to the login page after activation if the link is not valid.




EDIT:

Here is the result of the query
DESCRIBE `Accounts`
:

First Name varchar(65) NO NULL
Last Name varchar(65) NO NULL
Email varchar(100) NO NULL
Username varchar(65) NO NULL
Password varchar(65) NO NULL
Status varchar(65) NO NULL

Answer

Can you try changing your code to this:

$query1 = mysql_query("SELECT `Status` FROM `Accounts` WHERE `Email`='".mysql_real_escape_string($email)."' AND `Status`='".mysql_real_escape_string($key)."'");
 if(mysql_num_rows($query1) <= 0) {

This should work..

If that doesn't work, try this:

$query1 = mysql_query("SELECT `Status` FROM `Accounts` WHERE `Email`='".mysql_real_escape_string($email)."' AND `Status`='".mysql_real_escape_string($key)."'", $con);
     if(mysql_num_rows($query1) <= 0) {

====Full Code====

<?php
if($_GET['email'] == "") {
header("Location: http://www.zbrowntechnology.info/yard/register.php?message=Invalid Activation Link!");
exit;
}

if($_GET['key'] == "") {
header("Location: http://www.zbrowntechnology.info/yard/register.php?message=Invalid Activation Link!");
exit;
}

$email = mysql_real_escape_string($_GET['email']);
$key = mysql_real_escape_string($_GET['key']);

$con = mysql_connect('HOST', 'USER', 'PASS');
mysql_select_db('zach_yardad', $con) or die(mysql_error());

$query1 = mysql_query("SELECT `Status` FROM `Accounts` WHERE `Email` = '" . $email . "' AND `Status` = '" . $key ."'", $con);
if(mysql_num_rows($query1) <= 0) {
header("Location: http://www.zbrowntechnology.info/yard/register.php?message=Invalid Activation Link!");
exit();
} else {
mysql_query("UPDATE `Accounts` SET `Status`='Confirmed' WHERE `Email`='$email'", $con);
header("Location: http://www.zbrowntechnology.info/yard/login.php?message=Registration Complete!");
exit();
}
?>
Comments