Pezmo Pezmo - 19 days ago 7
PHP Question

Email activation issue

I'm building a site which requires users to register and login. I have the majority working but the bit that isn't working 100% is the email activation.

When the user registers it sends an email with a link (http://example.com/activate?email=name@example.com&activationCode=e7870fadcf79c39584dca1fc33c47ef9)

If the user clicks on this link it goes to /activate checks to see if the email and code exist in the database and activates the account by changing the value 'active' from 0 to 1 if these do exist but, if the user just logs in it automatically activates the account which I don't want (sort of defeats the purpose of the activation email).

LOGIN

if (isset($_POST['submit'])) { // Create variables from submitted data
$uname = mysqli_real_escape_string($db_connect, $_POST['uname']);
$password = mysqli_real_escape_string($db_connect, $_POST['loginPassword']);
$passHash = md5($password); // Encrypt password

$query1 = mysqli_query($db_connect, "SELECT * FROM `users` WHERE `uname` = '".$uname."' AND `password` = '".$passHash."' AND `active` = '1' ") or die(mysqli_connect_error()); // Uname and password match and account is active
$result1 = (mysqli_num_rows($query1) > 0);
$query2 = mysqli_query($db_connect, "SELECT * FROM `users` WHERE `uname` = '".$uname."' AND `password` = '".$passHash."' AND `active` = '0' ") or die(mysqli_connect_error()); // Uname and password match and account is not active
$result2 = (mysqli_num_rows($query2) > 0);

if ($result1) { // If uname and password match and account is active
$_SESSION['uname'] = $_POST['uname'];
header("Location: /profile");
} else if ($result2) { // If uname and password match but account is not active
echo "<p>Your account has not been activated! Please check your email inbox.</p><br />";
back();
} else { // If uname and password do not match
echo "<p>The combination of username and password is incorrect!</p><br />";
back();
forgotPword();
register();
}
} else {
login();
forgotPword();
register();
}


ACTIVATE PAGE

if (isset($_GET['email'], $_GET['activationCode']) === true) { // If email and email code exist in URL
$email = trim($_GET['email']);
$activationCode = trim($_GET['activationCode']);

$query1 = mysqli_query($db_connect, "SELECT * FROM `users` WHERE `email` = '".$email."' ") or die(mysqli_connect_error());
$result1 = (mysqli_num_rows($query1) > 0);
$query2 = mysqli_query($db_connect, "SELECT * FROM `users` WHERE `activationCode` = '".$activationCode."' ") or die(mysqli_connect_error());
$result2 = (mysqli_num_rows($query2) > 0);
$query3 = mysqli_query($db_connect, "SELECT COUNT(`userID`) FROM `users` WHERE `email` = '".$email."' AND `activationCode` = '".$activationCode."' AND `active` = '0' ") or die(mysqli_connect_error());
$result3 = (mysqli_num_rows($query3) > 0);

// Check email exists in database
if ($result1) {
// Check activation code exists in database
if ($result2) {

// THIS IS THE PART NOT DOING IT'S JOB PROPERLY
// Check active status
if ($result3) {
mysqli_query($db_connect, "UPDATE `users` SET `active` = '1' WHERE `email` = '".$email."' AND `activationCode` = '".$activationCode."' AND `active` = '0' ") or die(mysqli_connect_error()); // Activate account
echo "<p>Your account is now activated. You may <a href='/login'>Log In</a></p>";
exit();
} else {
echo "<p>Your account has already been activated. You may <a href='/login'>Log In</a></p>";
exit();
}
// ------------------------------------------------------------------------------------

} else { // Activation code is invalid
echo "<p>Hmmm, the activation code seems to be invalid!</p>";
exit();
}
} else { // Email does not exist
echo "<p>Hmmm, ".$email." email does not seem to exist in our records!</p>";
exit();
}

} else {
header("Location: /login");
exit();
}


Any help on where i'm going wrong is much appreciated.

Answer

After several painful hours of looking through and rewriting code, I have figured out what was causing the issue. It was actually the registration page where the email is sent. I have wrapped the activation link in the body of the message in single quotes and it now works perfectly. You see them in the email... 'http://www.example.com/activate?email=".$email."&activationCode=".$activationCode."' but the link works so I am sticking with it.

Cheers for all your help, really appreciate it.

Comments