I have created a registration system with email verification and when I signed up everything was ok. But when I clicked on link in email it said error. Can you help me please?
<?php session_start();
include_once 'dbconnect.php';
if (isset($_GET['email'])){
$email = $_GET['email'];
}
if (isset($_GET['status']) && (strlen($_GET['status']) == 32)) {
$status = $_GET['status'];
}
if (isset($email) && isset($status)) {
$query_activate_account = "UPDATE users SET status='Active' WHERE(email ='$email' AND status='$status')";
$result_activate_account = mysqli_query($query_activate_account);
echo '<div>Your account is now active. You may now Log in</div>';
} else {
echo '<div>Oops !Your account could not be activated. Please recheck the link or contact the system administrator.</div>';
}
?>
The url you are sending to user is wrong
It does not contain email and status
To use code like this,
if (isset($_GET['email'])){
$email = $_GET['email'];
}
if (isset($_GET['status']) && (strlen($_GET['status']) == 32)) {
$status = $_GET['status'];
}
your email should be like this,
$email = "email here";
$message = "http://chat-web.net/activate.php?status=$status&email=$email";
Related
I am trying to allow users to edit their email address in my PHP system but also prevent them from setting one that already exist, I am also trying run them through FILTER_VALIDATE_EMAIL. However it stops somewhere for me. The checks works fine in same function, but updating the the new one if the checks that I tried to setup are passed doesn't work. I am using a HTML form for updating them. I thought I did it right, I read here check if email exists in MySQL database that it should be possible to do it this way.
Here's my code, does anyone see what I am doing wrong? Where am I missing out?
function EmailCheck($sql) {
if (isset($_POST['email'])) {
$newemail = $_POST["email"];
if (!filter_var($_POST['email'], FILTER_VALIDATE_EMAIL)) {
echo "Invalid e-mail, please try a different.";
exit;
}
$check_email = $sql->query("SELECT email FROM auth WHERE email='$newemail'");
if ($check_email-> num_rows) {
echo "E-mail is already in use.";
exit;
}
}
else {
mysqli_query($sql, "UPDATE auth SET email='$newemail' WHERE username = '$this->username'");
header("Location: userinfo.php");
exit;
}
}
Your Update query looks like it is in the wrong place. According to your code, if the posted email value is not set, you are updating the DB. I am guessing that is not what you want to do. The other problem I see is you are only passing the $sql variable to the function. The posted value will never be set.
//initalize flags
$flag1 = "no";
$flag2 = "no";
if( isset($_POST['email'])){
if(!filter_var($_POST['email'], FILTER_VALIDATE_EMAIL)) {
echo "Invalid e-mail, please try a different.";
exit;
}else{
//use flag here for for last if
$flag1 = "yes";
}
$check_email = $sql->query("SELECT email FROM auth WHERE email='$newemail'");
if ($check_email-> num_rows) {
echo "E-mail is already in use.";
exit;
}else{
//set 2nd flag here
$flag2 = "yes";
}
if( $flag1 == "yes" && $flag2 == "yes"){
//update query for new email here
}
}else{
//do something when no email is posted
}
Basically I set up a self signed SSL certificate and all of a sudden my register forum stopped working, it almost feels as if it goes into a redirect loop but it doesn't, the way my register works is that you need to verify you account by email. When you click the register, the page doesn't load for a couple of minutes and then it eventually gives you the notification that the verification sent but it doesn't send to your email address. Also before I set up the self signed SSL it did work, I believe it's because SSL doesn't see my register.php forum as secure therefor it doesn't send it because it's uncrypted, if there is a bypass or a way to fix this it would be greatly appreciated.
<?php
define('DIRECT', TRUE);
function getRealIpAddr()
{
if (!empty($_SERVER['HTTP_CLIENT_IP'])) //check ip from share internet
{
$ip=$_SERVER['HTTP_CLIENT_IP'];
}
elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) //to check ip is pass from proxy
{
$ip=$_SERVER['HTTP_X_FORWARDED_FOR'];
}
else
{
$ip=$_SERVER['REMOTE_ADDR'];
}
return $ip;
}
/* Registration process, inserts user info into the database
and sends account confirmation email message
*/
// Set session variables to be used on activate.php page
$_SESSION['email'] = $_POST['email'];
$_SESSION['username'] = $_POST['firstname'];
// Escape all $_POST variables to protect against SQL injections
$username = $mysqli->escape_string($_POST['firstname']);
$ip=$_SERVER['REMOTE_ADDR'] = getRealIpAddr();
$dateTime = date('Y/m/d G:i:s');
$email = $mysqli->escape_string($_POST['email']);
$uncryptpass = $mysqli->escape_string($_POST['password']);
$password = $mysqli->escape_string(password_hash($_POST['password'], PASSWORD_BCRYPT));
$hash = $mysqli->escape_string( md5( rand(0,1000) ) );
// Check if user with that email already exists
$result = $mysqli->query("SELECT * FROM users WHERE email='$email'") or die($mysqli->error());
// We know user email exists if the rows returned are more than 0
if ( $result->num_rows > 0 ) {
$_SESSION['message'] = 'An account with ' .$email. ' already exists!';
header("location: /login/index.php");
}
else { // Email doesn't already exist in a database, proceed...
// active is 0 by DEFAULT (no need to include it here)
$sql = "INSERT INTO users (username, email, uncryptpass, password, hash, ip, date) "
. "VALUES ('$username','$email','$uncryptpass','$password', '$hash', '$ip', '$dateTime')";
// Add user to the database
if ( $mysqli->query($sql) ){
$_SESSION['active'] = 0; //0 until user activates their account with verify.php
$_SESSION['logged_in'] = true; // So we know the user has logged in
$_SESSION['message'] =
"Confirmation link has been sent to $email, please verify
your account by clicking on the link in the message!";
// Send registration confirmation link (verify.php)
$to = $email;
$subject = 'Account Verification';
$message_body = '
'.$username.',
***DO NOT RESPOND BACK TO THIS EMAIL***
https://example.com/login/verify.php?email='.$email.'&hash='.$hash;
mail( $to, $subject, $message_body );
header("location: activate.php");
}
else {
$_SESSION['message'] = 'Registration failed!';
header("location: /login/index.php");
}
}
I have a verification link like this:
http://nailsalon.gwiddle.co.uk/nailsalon/verify.php?email=email#enail.com&hash=66808e327dc79d135ba18e051673d906.
When I click it or manually insert it to the address bar I get error 500 or File not found. The page which I am trying to access through this link uses the $_GET array.
When I use a link like this:
http://nailsalon.gwiddle.co.uk/nailsalon/index.php?id=1 which leads to a page which doesn't use the $_GET it loads without problem.
There is another question with the same problem but no solution here:
Internal server error on email verification
Here is the code of the target page:
if(isset($_GET['email']) && !empty($_GET['email']) AND isset($_GET['hash']) && !empty($_GET['hash'])){
$email = clear_entry($_GET['email']);
$hash = clear_entry($_GET['hash']);
/*Query that retrieves all users with the given email and hash*/
$result = $mysqli->query("SELECT * FROM users WHERE user_email='$email' AND hash='$hash' AND is_activated='0'");
/*Checks if the account is already verified*/
if ($result->num_rows == 0 ){
$_SESSION['message'] = "Account has already been activated or the URL is invalid!";
header("location: error.php");
}else{
$_SESSION['message'] = "Your account has been successfully activated!";
$mysqli->query("UPDATE users SET is_activated='1' WHERE user_email='$email'") or die($mysqli->error);
$_SESSION['active'] = 1;
header("location: success.php");
}
}else{
$_SESSION['message'] = "Invalid parameters provided for account verification!";
echo "Invalid parameters provided for account verification!";
header("location: error.php");
}
?>
Why would this code for my verification of a user account produced a blank page?
I'm using this as the file to activate accounts from an email, and it comes up blank.
I'm sorry for the previous stupid post.. I pasted the wrong code, here is the file that still produces a blank page..
verify.php
//Require Database Stuff
require("database.class.php");
require("user.php");
if(isset($_GET['email']) && !empty($_GET['email']) AND isset($_GET['hash']) && !empty($_GET['hash']))
{
$verify = $db->prepare('UPDATE users SET active=:active WHERE active=0 AND email=:email and active=:active');
$status = $verify->execute(array(':active' => 1));
if( $status )
{
echo '<p>Your account has been activated, you can now login.</p>';
} else {
echo '<p>Account already active, or account does not exist.</p>';
}
}else{
echo "<p>Invalid URL.</p>";
}
}
Try this, added ':email'=>$_GET['email']
$verify = $db->prepare('UPDATE users SET active=:active WHERE active=0 AND email=:email');
$status = $verify->execute(array(':active' => 1, ':email'=>$_GET['email']));
I have had my script running on a localhost WampServer 1st which where it worked and then exported it to my online live domain.
After some adjustments i got the script partically working again but i am still getting below error
Call to undefined function filter_var()
The purpose of this script is when an user wants to registrate it will validate the email address and add the user to the database and send an validation link to the users emailaddress.
Here is the script:
<?PHP
error_reporting(E_ALL);
ini_set('display_errors', 1);
// connection towards database with a include function
include ('connection.php');
if (isset($_REQUEST['send']))
{
if(isset($_REQUEST['NAAM']))
{
$naam = $_REQUEST['NAAM'];
}
function spamcheck($field)
{
//filter_var() sanitizes the e-mail
//address using FILTER_SANITIZE_EMAIL
$field = filter_var($field, FILTER_SANITIZE_EMAIL);
//filter_var() validates the e-mail
//address using FILTER_VALIDATE_EMAIL
if(filter_var($field, FILTER_VALIDATE_EMAIL))
{
return TRUE;
}else
{
return FALSE;
}
}
//if "email" is filled out, proceed
if (isset($_REQUEST['mail']))
{
//check if the email address is invalid
$mailCheck = spamcheck($_REQUEST['mail']);
if ($mailCheck == TRUE)
{
$email = $_REQUEST['mail'];
}else
{
$mailCheck = FALSE;
echo "Invalid input email";
}
}
if(isset($_REQUEST['question']))
{
$quest = $_REQUEST['question'];
// checks if the filled in Question is de same as the answer novice or Novice
if ($quest =="novice" or $quest =="Novice")
{
$questCheck = TRUE;
}else
{
$questCheck = FALSE;
echo "Your answer to the question was incorrect!<br>";
}
}
if(isset($_REQUEST['wachtwoord'] , $_REQUEST['c_wachtwoord']))
{
$WW = $_REQUEST['wachtwoord'];
$c_WW = $_REQUEST['c_wachtwoord'];
// checks if the filled in password is de same as the confirmation password
if ($WW == $c_WW)
{
$pwCheck = TRUE;
}else
{
$pwCheck = FALSE;
echo "Your filled in passwords are not the same try again!<BR>";
}
}
// checks if both password confirmation and question are TRUE continue else retrieve fault
if ($pwCheck && $questCheck && $mailCheck == TRUE)
{
$hash = md5( rand(0,1000) );
// insert all filled in values into the database
$opdracht1 = "INSERT INTO users (ID , name , password , mail , staffLevel , hash , active) VALUES ('','$naam','$WW','$email','0','$hash','0')";
// run query
if (mysql_query ($opdracht1))
{
header( "refresh:5;url=http://www.debeerislos.nl/inlog_user.php" );
echo "Your account has succesfully been created! Please check your email to validate your account!<BR>";
$to = $email; //Send email to our user
$subject = 'Signup | Verification'; //// Give the email a subject
$message = '
Thanks for signing up!
Your account has been created!
You can login with the following credentials:
------------------------
Username: '.$naam.'
Password: '.$WW.'
------------------------
After you have activated your account you will have the rights so you can fully use it.
Please click this link to activate your account:
http://www.debeerislos.nl/verify_user.php?email='.$email.'&hash='.$hash.'&name='.$naam.'
'; // Our message above including the link
$headers = 'From:info#debeerislos.nl' . "\r\n"; // Set from headers
mail($to, $subject, $message, $headers); // Send the email
}else
{
echo "Woops something went wrong please contact the Administrator of the website or fill in the form again!<br> <A href='http://www.debeerislos.nl/form_register_user.html'>CLICK HERE!</A> to fill in the forum again";
}
}elseif ($pwCheck && $questCheck == FALSE)
{
echo "you filled both the password confirmation and the answer to the question incorrect!<br>";
}
}else
{
echo "Either you haven't send anything! or you haven't filled in the form<br>";
}
?>
In advance thank you.
Kind Regards,
StaleDevil
where have you defined filter_var() function? It is not defined in your given code. If you are defining it in the same page then how are you defining? provide example. otherwise if you are definfing it in another page then include the page.