Im making an email verification system on PHP in cPanel, and when i press register, it sends an email to me with a link like this "../verified.php?code=1cbb402a59e8ec26dac0", i would need to get the full link and would have to chop it so it leaves me with just the code "1cbb402a59e8ec26dac0" so i can check if the code exists in database and then verify the account.
So from this
../verified.php?code=1cbb402a59e8ec26dac0
To This
"1cbb402a59e8ec26dac0
Purchasing the hostings for the first time fried my brains, so would be thankful if anyone could help me,
For getting the text after the code: in the link, you can use the PHP $_GET function. You can use this code in your verified.php to get the text after code:
<?php
if(isset($_GET['code']))
{
$Data=$_GET['code'];
}
else{
echo "Invalid Email Verification";
?>
Now the part after the code= gets stored in the variable Data.
You can change that to your desired variable.
Sometimes even when the code is set, it might be empty, so to check that, the empty() function in PHP can be used.
You can add this code to your verified.php:
<?php
if (empty($Data))
{
echo "Invalid Verification ID";
}
else
{
echo "Email Verification Success";
//your other codes to update it on the server
}
?>
Well you have chosen to pass parameters which will be available in the global $_GET[] (as opposed to $_POST[]).
So in your verified.php you will need to examine for the presence of $_GET['code'] and take the appropriate action.
Using $code = $_GET['code']; is very bad as you need to qualify it.
At a minimum you would need to...
<?php
// Ternary to give $code a value to prevent undefined variable error.
$code = isset($_GET['code']) ? $_GET['code'] : NULL;
if($code === NULL){
// error
} else {
// Check its a valid code and take the appropriate action.
}
Related
is it possible to do this , im trying to validate a form then, it will redirect using header() if TRUE.. but it seems not to be working? or my method is completely wrong ?
if ($_SERVER["REQUEST_METHOD"] == "POST") {
$email = $_POST["clientEmail"];
if ($email != $sentEmailClients) {
echo 'Please enter a valid email';
} else {
$newURL = "http://www.myurl.com";
header('Location: ' . $newURL);
}
}
Give us more details about what actually happens when you run your code. You're likely facing one of the following problems:
You're using header() after you've already sent output to the browser. Headers must be sent before any other output. Check out the docs. If you change that line with die('redirecting') and that text shows up, then this is your problem.
Request method is not POST. Add die($_SERVER['REQUEST_METHOD']). If something other than POST is printed, then this is your problem.
$_POST['clientEmail'] is not set, or is not equal to $email
$email is not what you expect (where does it come from?)
$sentEmailClients is not what you expect (where does it come from?)
Basically, "why doesn't it work?" is not a good question because it doesn't give us much info with which to help you. Be more specific about what is happening.
Show enough of your code that we understand the origin of the variables you use.
Hi It seems that Your outermost if condition is not working thats why your header function is not working i just tried this and it woks fine. That means either your first if condition is false or either second if condition becomes true every time just try to echo your values before checking them.
<?php
if (1) {
$email = $_POST["clientEmail"];
if (0) {
echo 'Please enter a valid email';
} else {
$newURL = "http://www.google.com";
header('Location: ' . $newURL);
}
}
check this print_r($_SERVER["REQUEST_METHOD"]); is POST or not and
$email != $sentEmailClients true or false
Problem: on a form asking for the user's website, a type="url" form field returns an error unless "http://" precedes the domain name (there's even an error with "www.").
Outcome I am seeking: a PHP/HTML* method of partly pre-filling the type="url" field with "http://" so it's more user-friendly for users to type "companywebsite.com" into the field and submit without the error.
In other words, a user just fills in companywebsite.com and I want to pre-fill that with http:// so the end result is http://companywebsite.com
<h5>Website</h5>
<input type="url" name="company_website" id="company_website" value="" />
Image below is a screenshot of a form entry that has returned an error (because "http://" does not precede the stackoverflow.com domain).
* I did find a .js method (https://gist.github.com/cvan/117bc1f88e4dfca6dba7) but I'm a novice and just learning php
There are a couple of ways you could go about this:
<input type="url" name="company_website" id="company_website" value="http://" />
However, I would advise against this because you can never trust the user to input correctly. Instead, assuming you are submitting your form via the POST method, in your php code,
<?php
if(isset($_POST['company_website'])){
$pos = strpos($_POST['company_website'], "http://");
if($pos != 0){
$website = "http://".$_POST['company_website'];
}
// do the rest
}
?>
Well then. For the purpose of learning something about security, I'll write this answer with some example code, so you know how to do this kind of stuff safely in the future.
First, lets write a small form:
<form method="POST" action="your_php_file.php" accept-charset="utf-8">
<input type="url" name="company_website" id="company_website" value="" />
<input type="submit" value="Update website" />
</form>
Now lets start writing our PHP file based on this. First we need to be sure the user is submitting new data and not an empty string:
if(isset($_POST['company_website']) && !empty($_POST['company_website'])){
Next we'll write a function that checks if the string is a website or not:
function isWebsite($url){
To see if a string matches a website, we'll be using regular expressions. Regex can be quite complicated, so at the end of this answer, I'll post a link to learn more about them.
$pattern = '#((https?|ftp)://(\S*?\.\S*?))([\s)\[\]{},;"\':<]|\.\s|$)#i';
Now lets write a simple if statement that returns us true or false. To keep it simple, this statement compares the variable $url (which contains the user data) with the above regular expression pattern in $pattern. It will return true if $url contains a valid website, or false if it doesn't.
if(preg_match($pattern, $url)){
return true;
} else {
return false;
}
}
Next we'll write a function that adds 'http://' in front of the data send by the user:
function addHttp($url){
$url = "http://". $url;
return $url;
}
Now that our functions are complete, all we have to do is use them. First we'll check if the user already sent a valid website:
if(isWebsite($_POST['company_website'])){
//The website is valid, so you can safely add it your database here
} else {
//The website is not valid, but the user might simply have forgotten
//to add http:// in front of it. So lets do it for him:
$website = addHttp($_POST['company_website']);
//Still we can't be sure if it's a valid website. It might be a string
//that will try to mess with your database. So lets verify it again:
if(isWebsite($website)){
//The website is now valid, so you can safely add it your database here
} else {
//The website is still not valid, so we need to return an error
//to your user:
echo "It seems you didn't enter a valid website. Please try again!";
exit;
}
}
}
As you might have noticed, we have 2 places in our code where we need to write the same code to insert everything in the database. You could use a function for that as well:
function addToDatabase($url){
//Write your code to add everything to database here. $url will contain the website
}
So the complete code would become as follows:
<?php
if(isset($_POST['company_website']) && !empty($_POST['company_website'])){
function isWebsite($url){
$pattern = '#((https?|ftp)://(\S*?\.\S*?))([\s)\[\]{},;"\':<]|\.\s|$)#i';
if(preg_match($pattern, $url)){
return true;
} else {
return false;
}
}
function addHttp($url){
$url = "http://". $url;
return $url;
}
function addToDatabase($url){
//Write your code to add everything to database here. $url will contain the website
}
if(isWebsite($_POST['company_website'])){
addToDatabase($_POST['company_website']);
} else {
//The website is not valid, try adding 'http://'
$website = addHttp($_POST['company_website']);
if(isWebsite($website)){
addToDatabase($website);
} else {
//The website is still not valid, return error
echo "It seems you didn't enter a valid website. Please try again!";
exit;
}
}
}
?>
I should add that it still might not be safe to just blindly add the website to your database. To make it absolutely secure, you'll need to use PDO() or MySQLi() in combination with Prepared Statements. But explaining that in this answer would turn this into a book. So make sure to learn about it!
Lastly I promissed to give a resource to learn more about Regular Expressions. The best and safest resource would be from the official PHP website itself. You can find it here: PHP: Pattern Syntax
I am redirecting to a different page with Querystring, say
header('location:abc.php?var=1');
I am able to display a message on the redirected page with the help of querystring value by using the following code, say
if (isset ($_GET['var']))
{
if ($_GET['var']==1)
{
echo 'Done';
}
}
But my problem is that the message keeps on displaying even on refreshing the page. Thus I want that the message should get removed on page refresh i.e. the value or the querystring should not exist in the url on refresh.
Thanks in advance.
You cannot "remove a query parameter on refresh". "Refresh" means the browser requests the same URL again, there's no specific event that is triggered on a refresh that would let you distinguish it from a regular page request.
Therefore, the only option to get rid of the query parameter is to redirect to a different URL after the message has been displayed. Say, using Javascript you redirect to a different page after 10 seconds or so. This significantly changes the user experience though and doesn't really solve the problem.
Option two is to save the message in a server-side session and display it once. E.g., something like:
if (isset($_SESSION['message'])) {
echo $_SESSION['message'];
unset($_SESSION['message']);
}
This can cause confusion with parallel requests though, but is mostly negligible.
Option three would be a combination of both: you save the message in the session with some unique token, then pass that token in the URL, then display the message once. E.g.:
if (isset($_GET['message'], $_SESSION['messages'][$_GET['message']])) {
echo $_SESSION['messages'][$_GET['message']];
unset($_SESSION['messages'][$_GET['message']]);
}
Better use a session instead
Assign the value to a session var
$_SESSION['whatever'] = 1;
On the next page, use it and later unset it
if(isset($_SESSION['whatever']) && $_SESSION['whatever'] == 1) {
//Do whatever you want to do here
unset($_SESSION['whatever']); //And at the end you can unset the var
}
This will be a safer alternative as it will save you from sanitizing the get value and also the value will be hidden from the users
There's an elegant JavaScript solution. If the browser supports history.replaceState (http://caniuse.com/#feat=history) you can simply call window.history.replaceState(Object, Title, URL) and replace the current entry in the browser history with a clean URL. The querystring will no longer be used on either refresh or back/previous buttons.
When the message prompt ask for a non exsisting session. If false, show the message, if true, do nothing. session_start(); is only needed, if there is no one startet before.
session_start();
if ($_GET['var']==1 && !isset($_SESSION['message_shown']))
{
$_SESSION['message_shown'] = 1;
echo 'Done';
}
Try this way [Using Sessions]
<?php
//abc.php
session_start();
if (isset ($_GET['var']))
{
if ($_GET['var']==1)
{
if(isset($_SESSION['views']))
{
//$_SESSION['views']=1;
}
else
{
echo 'Done';
$_SESSION['views']=1;
}
}
}
?>
Think the question mean something like this?
$uri_req = trim($_SERVER['REQUEST_URI']);
if(!empty($_SERVER['REQUEST_URI'])){
$new_uri_req = str_replace('?avar=1', '?', $uri_req);
$new_uri_req = str_replace('&avar=1', '', $new_uri_req);
$pos = strpos($new_uri_req, '?&');
if ($pos !== false) {
$new_uri_req = str_replace('?&', '?', $new_uri_req);
}
}
if( strrchr($new_uri_req, "?") == '?' ){
$new_uri_req = substr($new_uri_req, 0, -1);
}
echo $new_uri_req; exit;
You can use then the url to redirect without vars. You can also do the same in js.
str_replace() can pass array of values to be replaced. First two calls to str_replace() can be unified, and filled with as many vars you like that needs to be removed. Also note that with preg_replace() you can use regexp that can so manage any passed var which value may change. Cheers!
I am running through a jQuery Ajax tutorial here:
http://www.charlieperrins.com/2011/03/ajax-jquery-101/
Everything works perfectly but I have a question about this piece of code:
<?php if ($_POST['user']) : ?>
<?php
$user_id = $_POST['user'];
if (isset($db_data[$user_id])) {
$data = $db_data[$user_id];
} else {
echo 'Sorry, no user data matched your request - please try again';
die;
}
?>
I am most concerned with the very first line. What does that line do? I am trying to keep all the code in 1 set of php tags but I don't know how to do that. If I knew what the first line does, I might be able to figure it out. Any help is appreciated. I am trying to reverse engineer this to fit it into my app but can't do it without knowing what that top line does.
Thanks.
All this does is continues the if block until endif.
There is no endif, so nothing in this script runs unless there is data in $_POST['user'] that doesn't evaluate to false.
I would write this a bit differently:
<?php
if (isset($_POST['user'])) {
$user_id = $_POST['user'];
if (isset($db_data[$user_id])) {
$data = $db_data[$user_id];
} else {
echo 'Sorry, no user data matched your request - please try again';
die;
}
}
?>
The first line tests if the $_POST array has a key user, and that key contains a "truthy" (non-empty, among other things) value, indicating that a form was posted to this script. If no form data was posted, the rest of the script won't execute, such as if someone browsed directly to this PHP script without using the expected form to post to it. It is a technique often used when a form posts back to the same PHP script. Upon first arriving at the script, the $_POST will be empty. When the form is posted back to the same script, different actions can be taken when it contains values.
There need only be one <?php tag:
<?php
if ($_POST['user']) {
$user_id = $_POST['user'];
if (isset($db_data[$user_id])) {
$data = $db_data[$user_id];
} else {
echo 'Sorry, no user data matched your request - please try again';
die;
}
}
?>
This is Alternative syntax for control structures
<?php if ($_POST['user']) : ?> means if $_POST['user'] evaluates to true, execute the following code.
It can be compressed down to this:
<?php if ($_POST['user']) :
$user_id = $_POST['user'];
....
Also,
if ($_POST['user']) :
should be
if (isset($_POST['user']) && !empty(trim($_POST['user']))) :
That makes sure that $_POST['user'] has been set (generally $_POST contains variables from a form), and that it is not empty even with white-space removed.
See
Alternative syntax for control structures
$_POST
empty
trim
The if ($_POST['user']) line is saying this:
If the variable $_POST['user'] exists and is set to a non-false value.
The above condition fails if $_POST['user'] is 0, false, or '' (empty string).
It also isn't safely checking that value.
You are better off using:
if (isset($_POST['user'])) && $_POST['user'] != '')
This way no warning is output when PHP has display_errors and notices turned on.
To practice PHP and MySQL development, I am attempting to create the user registration system for an online chess game.
What are the best practices for:
How I should handle the (likely) possibility that when a user tries to register, the username he has chosen is already in use, particularly when it comes to function return values? Should I make a separate SELECT query before the INSERT query?
How to handle varying page titles?($gPageTitle = '...'; require_once 'bgsheader.php'; is rather ugly)
(An excerpt of the code I have written so far is in the history.)
Do a separate SELECT to check whether the username is already in use before attempting to INSERT.
More importantly, I would suggest something like the following structure for the script you're writing. It has a strong separation of presentation logic (e.g. HTML) from your other processing (e.g. validation, database, business logic.) This is one important aspect of the model-view-controller paradigm and is generally considered a best-practice.
<?php
// The default state of the form is incomplete with no errors.
$title = "Registration";
$form_completed = false;
$errors = array();
// If the user is submitting the form ..
if ($_POST) {
// Validate the input.
// This includes checking if the username is taken.
$errors = validate_registration_form($_POST);
// If there are no errors.
if (!count($errors)) {
// Add the user.
add_user($_POST['username'], $_POST['password']);
// The user has completed.
$form_completed = true;
// Optionally you could redirect to another page here.
} else {
// Update the page title.
$title = "Registration, again!"
}
}
?>
<html>
<head>
<title>Great Site: <?= $title ?></title>
<body>
<?php if ($form_complete): ?>
<p>Thanks for registering!</p>
<?php else: ?>
<?php if (count($errors)): ?>
<ul>
<?php foreach ($errors as $error): ?>
<li><?= $error ?></li>
<?php endforeach; ?>
</ul>
<?php endif; ?>
<form method="post">
Username: <input type="text" name="username">
Password: <input type="password" name="password">
<input type="submit">
</form>
<?php endif; ?>
</body>
</html>
Well, one thing you can do instead of repeating code down near the bottom is this:
if( $result === true ) {
$gPageTitle = 'Registration successful';
$response = <p>You have successfully registered as ' . htmlspecialchars( $username ) . ' on this site.</p>';
} elseif( $result == 'exists' ) {
$gPageTitle = 'Username already taken';
$response = '<p>Someone is already using the username you have chosen. Please try using another one instead.</p>';
} else {
trigger_error('This should never happen');
}
require_once 'bgsheader.php';
echo $response;
require_once 'bgsfooter.php';
Also, you can return false rather than the string 'exists' in the function, not that it makes much difference.
Checking the error number isn't bad, I'm sure that's why it's an included feature. If you really wanted to do something different, you could check if there already is a user by that name by selecting the username. If no result exists, then insert the user, otherwise, give the error.
One thing I like to do with error handling on forms is save all the error strings into an array like $error['username'], $error['email'], etc., and then have it run through the error checking on each input individually to set all the error strings, and then have a function that does something like this:
function error($field)
{
global $error;
if(isset($error[$field]))
{
echo $error[$field];
}
}
and then call that after each field in the form to give error reporting on the form. Of course, the form page must submit to itself, but you could have all the error checking logic in a separate file and do an include if $_POST['whatever'] is set. If your form is formatted in a table or whatever, you could even do something like echo '<tr><td class="error">' . $error[$field] . '</td></tr>, and automatically insert another row directly below the field to hold the error if there is one.
Also, always remember to filter your inputs, even if it should be filtered automatically. Never pass post info directly into a DB without checking it out. I'd also suggest using the specific superglobal variable for the action, like $_POST rather than $_REQUEST, because $_REQUEST contains $_GET, $_POST, and $_COOKIE variables, and someone could feasibly do something strange like submit to the page with ?username=whatever after the page, and then you have both $_POST['username'] and $_GET['username'], and I'm not sure how $_REQUEST would handle that. Probably would make there be a $_REQUEST['username'][0] and $_REQUEST['username'][1].
Also, a bit about the page titles. Don't know if you have it set up like this but you can do something like this in your header:
$pageTitle = "My Website";
if(isset($gPageTitle))
{
$pageTitle .= "- $gPageTitle";
}
echo "<title>$pageTitle</title>";
Which would make the page load normally with "My Website" as the title, and append "- Username already exists" or whatever for "My Website - Username already exists" as the title when $gPageTitle is set.
I think the answer from Mr. Neigyl would require a separate trip to the database, which is not a good idea because it would only add performance overhead to yuor app.
I am not a PHP guru, but I know my way around it, although I don't recall the === operator. == I remember.
You could pass the function call directly into the IF statement.
if (addUser($username, $passwd));
I don't see anything wrong with using the $gPageTitle variable, but you will probably have to declare it "global" first and then use namespaces so you can actually access it within the "header.php" because "header.php" will not know how to address this page's variables.
Although I personally don't like messing with namespaces and I would rather call a function from the "header.php" and pass the page title into it
display_title($pgTitle);
or
display_title("Registration Successfull");
or
$header->display_title("Registration Successfull")
if you like OO style better
Let me know if that helps. :)
You should get into forms and allow your page to redirect to another page where you have there the 'insert username to database'.
Suppose the username entered is in a post variable such as $_POST['username'].
Have your database check where that username exist:
$res = mysql_query("SELECT * FROM table WHERE username='$_POST['username']'") or die(mysql_error());
if(mysql_num_rows($res) > 0) {
echo "Username exists.";
// more code to handle username exist
} else {
// ok here.
}
What is basically done is we check if your table already contains an existing username. mysql_num_rows($res) will return 0 if no username exist.