I have a verification link like this:
http://nailsalon.gwiddle.co.uk/nailsalon/verify.php?email=email#enail.com&hash=66808e327dc79d135ba18e051673d906.
When I click it or manually insert it to the address bar I get error 500 or File not found. The page which I am trying to access through this link uses the $_GET array.
When I use a link like this:
http://nailsalon.gwiddle.co.uk/nailsalon/index.php?id=1 which leads to a page which doesn't use the $_GET it loads without problem.
There is another question with the same problem but no solution here:
Internal server error on email verification
Here is the code of the target page:
if(isset($_GET['email']) && !empty($_GET['email']) AND isset($_GET['hash']) && !empty($_GET['hash'])){
$email = clear_entry($_GET['email']);
$hash = clear_entry($_GET['hash']);
/*Query that retrieves all users with the given email and hash*/
$result = $mysqli->query("SELECT * FROM users WHERE user_email='$email' AND hash='$hash' AND is_activated='0'");
/*Checks if the account is already verified*/
if ($result->num_rows == 0 ){
$_SESSION['message'] = "Account has already been activated or the URL is invalid!";
header("location: error.php");
}else{
$_SESSION['message'] = "Your account has been successfully activated!";
$mysqli->query("UPDATE users SET is_activated='1' WHERE user_email='$email'") or die($mysqli->error);
$_SESSION['active'] = 1;
header("location: success.php");
}
}else{
$_SESSION['message'] = "Invalid parameters provided for account verification!";
echo "Invalid parameters provided for account verification!";
header("location: error.php");
}
?>
Related
I have this form programmed to log a user in. I have confirmed that it does in fact set a session for a user, but for some reason, it forwards the user to the page to connect to the database. I have this page linked in the code because I obviously need to consult the database to confirm the user has an account, but I don't understand why it goes to this page and then just stays there. Help would be appreciated. Index2.php (set as that right now so users won't see it when they go to the site) is supposed to be set as the redirected page after login. The user is supposed to be able to see the homepage even without logging in, but certain content only appears in the user is logged in.
<?php
session_start();
include("db_connect.php");
if($_SERVER['REQUEST_METHOD'] == "POST")
{
//something was posted
$email = $_POST['email'];
$password = $_POST['password'];
if(!empty($email) && !empty($password))
{
//read from database
$query = "select * from users_listers where email = '$email' limit 1";
$result = mysqli_query($conn, $query);
if($result)
{
if($result && mysqli_num_rows($result) > 0)
{
$user_data = mysqli_fetch_assoc($result);
if($user_data['password'] === $password)
{
$_SESSION['user_lister_id'];
header("Location: ../index2.php");
die;
}
}
}
echo "wrong username or password!";
}else
{
echo "wrong username or password!";
}
}
?>
Thank you for the help!
I assume this can simply be done with permissions, but I cannot seem to get it to work. I was trying to make the page check the user for a permission using the code below, otherwise it redirects to home. It always redirects though and I do not know why.
<?php
if(!isset($_SESSION))
{
session_start();
}
if ($_SESSION['permission'] == 0) {
header("Location: ./index.php");
exit;
} else {
if (!isset($_SESSION['authemail'])) {
header("Location: ./index.php");
exit;//Redirect to the index
}
Edit: I added a session dump and both the userID and permission are null. What am I missing from here as I cannot figure it out?
<?php
session_start();
include ('../config/config.php');
/* basic field validation */
$email = trim($_POST["email"]);
$password = trim ($_POST["password"]);
/* check if details are empty, redirect if they are */
if (empty($email) or empty($password)) {
$_SESSION["message"] = "You must enter your email and password";
//Redirect to index
header("Location: ../index.php");
exit;
}
/* sanitise the input */
$email = strip_tags($email);
$password = strip_tags($password);
/* SQL user selection query, with error handling for the SQL */
$query = "SELECT * FROM users WHERE email = '$email' AND password = '$password'";
$result = mysqli_query($mysqli,$query) or exit("Error in query: $query. " . mysqli_error());
/* on query success, set sessions for email and userid */
if ($row = mysqli_fetch_assoc($result)) {
$_SESSION["authemail"] = $email;
$_SESSION["userid"] = $id;
$_SESSION["permission"] = $permission;
/* redirect the user to the secured page */
header("Location: ../loggedin.php");
} else {
/* display error if login was not successful and redirect to index */
$_SESSION["message"] = "Could not log in as $email - $query";
header("index.php");
}
?>
Try to set a flag in the database for someone who is an admin. Then on any specific page that only admins can access you should check this user variable.
if(!$user->isAdmin()){
header("Location: ./login.php");
exit;
}
If you do not have a $user object available, simply call a function that can query the database for the necessary variable.
if(!isUserAdmin()){
header("Location: ./login.php");
exit;
}
Also since both cases of yours redirect to index.php, you can combine the statements:
if($_SESSION['permission'] == 0 || !isset($_SESSION['authemail'])){
header("Location: ./index.php");
exit;
}
Make sure you are debugging to make sure the SESSION values are set/get as expected. Your code is redirecting because one of the conditions is true. Debug and find the bug.
I tried implementing a system wherein the user enters his username and phone number, when the form is submitted, it checks the database to verify the number and username based on it's existence. An SMS is sent to that number. He gets a popup to enter the OTP code.
However on entering the OTP code I get an error of redirecting loops. I'll just explain the flow of the files below:
INDEX.PHP -> LOGIN.PHP -> OTP.PHP -> CHECK_OTP.PHP -> HOME.PHP
Those are the files being used. It reaches the otp page and when you enter, it does authenticate successfully but it goes into a loop. I will post the code to see what is wrong with the OTP authentication code.
session_start(); // Starting Session
$error=''; // Variable To Store Error Message
if (isset($_POST['verify'])) {
if (empty($_POST['otp'])) {
$error = "OTP is invalid";
}
else
{
// Post OTP
$otp=$_POST['otp'];
}
$otp = stripslashes($otp);
$otp = pg_escape_string($otp);
$check = "select * from otp where otp = '$otp'";
$ret_check = $dbConnection->executeQuery($check);
$ret_num = $dbConnection->numRows($ret_check);
$cust_code = '';
while($row = $dbConnection->fetchRow($ret_check)){
$cust_code = $row[0];
}
$cust_code;
if($ret_num != 1){
$error = "Wrong OTP entered";
header("Location: otp-home.php");
}
else {
echo $_SESSION['login_user'] = $cust_code;
header("Location: home.php");
}
I hope this is enough. If anything else is required. Please let me know. Any help will be greatly appreciated. Thank you
I am trying to display the error at the end if the use doesn't enter the correct combination of their log in. However, the error message is not showing when I enter the wrong password or email. Any suggestions
<?php
include ("connect.php");
if (isset($_POST["user_login"]) && (isset($_POST["user_pass"]))){
// formatting field via reg replace to ensure email and password only conisists of letters and numbers preg_replace('#[^A-Za-z0-9]#i','',
$login_user = $_POST["user_login"];
$login_password = $_POST["user_pass"];
// password is encryted in DB (MD5) therefore user inputted password will not match encryted password in DB - we have to assign new var
$decrypted_password = md5($login_password);
// Query which finds user (if valid) from DB - Achieving authentication via username and password
$user_query = mysqli_query($connect, "SELECT * FROM users WHERE email = '$login_user' AND password = '$decrypted_password' AND closed = 'no' LIMIT 1");
$check_user = mysqli_num_rows($user_query); // checking to see if there is infact a user which those credentials in the DB
if ($check_user==1){
while ($row = mysqli_fetch_array($user_query)){
$id = $row['user_id'];
$user_type = $row['account'];
}
$_SESSION["user_login"] = $login_user;
// check the user type and redirect according to it
if($user_type == "Student"){
$student_page = "profile_student.php";
header( "Location:{$student_page}" );
} elseif ($user_type == "Landlord"){
$landlord_page = "landlord_profile.php";
header( "Location:{$landlord_page}" );
} elseif ($user_type == "Administrator"){
$admin_page = "admin_profile.php";
header( "Location:{$admin_page}" );
}else {
$refresh_page = "sign_up.php";
header( "Location:{$refresh_page}" ); // refresh page
echo "You have entered an incorrect email or password. Please try again.";
}
}
}
?>
you redirect user if input data is wrong and only after that you try to echo message, thats not how that works. read about headers in php_manual. probably the best way here, is to store error message in session and after redirect check if session error message exists
else {
$refresh_page = "sign_up.php";
$_SESSION['error'] = "your error message"
header( "Location:{$refresh_page}" ); // refresh page
}
in sign_up.php file check if error message exists in session
if(isset($_SESSION["error"])){
echo $_SESSION["error"];
unset($_SESSION["error"]);
}
maybe you should correct this code a little bit))
use unset cause' after you show the message it should be removed from session, in other case if you fail for example 5 times, it will show 5 messages)) also make sure that session is started session_start() hope it helps:)
You only display the error when $user_type doesn't match any of your expected types.
You need a second else after your if ($check_user==1){ block to handle the case where a user with that email or password doesn't exist.
Why would this code for my verification of a user account produced a blank page?
I'm using this as the file to activate accounts from an email, and it comes up blank.
I'm sorry for the previous stupid post.. I pasted the wrong code, here is the file that still produces a blank page..
verify.php
//Require Database Stuff
require("database.class.php");
require("user.php");
if(isset($_GET['email']) && !empty($_GET['email']) AND isset($_GET['hash']) && !empty($_GET['hash']))
{
$verify = $db->prepare('UPDATE users SET active=:active WHERE active=0 AND email=:email and active=:active');
$status = $verify->execute(array(':active' => 1));
if( $status )
{
echo '<p>Your account has been activated, you can now login.</p>';
} else {
echo '<p>Account already active, or account does not exist.</p>';
}
}else{
echo "<p>Invalid URL.</p>";
}
}
Try this, added ':email'=>$_GET['email']
$verify = $db->prepare('UPDATE users SET active=:active WHERE active=0 AND email=:email');
$status = $verify->execute(array(':active' => 1, ':email'=>$_GET['email']));