Email activation issue - php

I'm building a site which requires users to register and login. I have the majority working but the bit that isn't working 100% is the email activation.
When the user registers it sends an email with a link (http://example.com/activate?email=name#example.com&activationCode=e7870fadcf79c39584dca1fc33c47ef9)
If the user clicks on this link it goes to /activate checks to see if the email and code exist in the database and activates the account by changing the value 'active' from 0 to 1 if these do exist but, if the user just logs in it automatically activates the account which I don't want (sort of defeats the purpose of the activation email).
LOGIN
if (isset($_POST['submit'])) { // Create variables from submitted data
$uname = mysqli_real_escape_string($db_connect, $_POST['uname']);
$password = mysqli_real_escape_string($db_connect, $_POST['loginPassword']);
$passHash = md5($password); // Encrypt password
$query1 = mysqli_query($db_connect, "SELECT * FROM `users` WHERE `uname` = '".$uname."' AND `password` = '".$passHash."' AND `active` = '1' ") or die(mysqli_connect_error()); // Uname and password match and account is active
$result1 = (mysqli_num_rows($query1) > 0);
$query2 = mysqli_query($db_connect, "SELECT * FROM `users` WHERE `uname` = '".$uname."' AND `password` = '".$passHash."' AND `active` = '0' ") or die(mysqli_connect_error()); // Uname and password match and account is not active
$result2 = (mysqli_num_rows($query2) > 0);
if ($result1) { // If uname and password match and account is active
$_SESSION['uname'] = $_POST['uname'];
header("Location: /profile");
} else if ($result2) { // If uname and password match but account is not active
echo "<p>Your account has not been activated! Please check your email inbox.</p><br />";
back();
} else { // If uname and password do not match
echo "<p>The combination of username and password is incorrect!</p><br />";
back();
forgotPword();
register();
}
} else {
login();
forgotPword();
register();
}
ACTIVATE PAGE
if (isset($_GET['email'], $_GET['activationCode']) === true) { // If email and email code exist in URL
$email = trim($_GET['email']);
$activationCode = trim($_GET['activationCode']);
$query1 = mysqli_query($db_connect, "SELECT * FROM `users` WHERE `email` = '".$email."' ") or die(mysqli_connect_error());
$result1 = (mysqli_num_rows($query1) > 0);
$query2 = mysqli_query($db_connect, "SELECT * FROM `users` WHERE `activationCode` = '".$activationCode."' ") or die(mysqli_connect_error());
$result2 = (mysqli_num_rows($query2) > 0);
$query3 = mysqli_query($db_connect, "SELECT COUNT(`userID`) FROM `users` WHERE `email` = '".$email."' AND `activationCode` = '".$activationCode."' AND `active` = '0' ") or die(mysqli_connect_error());
$result3 = (mysqli_num_rows($query3) > 0);
// Check email exists in database
if ($result1) {
// Check activation code exists in database
if ($result2) {
// THIS IS THE PART NOT DOING IT'S JOB PROPERLY
// Check active status
if ($result3) {
mysqli_query($db_connect, "UPDATE `users` SET `active` = '1' WHERE `email` = '".$email."' AND `activationCode` = '".$activationCode."' AND `active` = '0' ") or die(mysqli_connect_error()); // Activate account
echo "<p>Your account is now activated. You may <a href='/login'>Log In</a></p>";
exit();
} else {
echo "<p>Your account has already been activated. You may <a href='/login'>Log In</a></p>";
exit();
}
// ------------------------------------------------------------------------------------
} else { // Activation code is invalid
echo "<p>Hmmm, the activation code seems to be invalid!</p>";
exit();
}
} else { // Email does not exist
echo "<p>Hmmm, ".$email." email does not seem to exist in our records!</p>";
exit();
}
} else {
header("Location: /login");
exit();
}
Any help on where i'm going wrong is much appreciated.


You could add an " AND active = 1" condition to your sql query on login


After several painful hours of looking through and rewriting code, I have figured out what was causing the issue.
It was actually the registration page where the email is sent. I have wrapped the activation link in the body of the message in single quotes and it now works perfectly. You see them in the email...
'http://www.example.com/activate?email=".$email."&activationCode=".$activationCode."'
but the link works so I am sticking with it.
Cheers for all your help, really appreciate it.

Related

PHP MySQL: Updating users profile

I got a problem for my profile page in my login system. When I want to update the user's username and email, I can only update one of the two. Look where I putted the points. If I use username it only updates the username and the same goes for the email.
Here is my code:
function updateProfile($db, $errors)
{
$id = $_SESSION['user']['id'];
$username = mysqli_real_escape_string($db, $_POST['username']);
$email = mysqli_real_escape_string($db, $_POST['email']);
$field_check_query = "SELECT * FROM users WHERE username='$username' email='$email'";
$result = mysqli_query($db, $field_check_query);
$field = mysqli_fetch_assoc($result);
// Checks if username is already taken
if ($field) {
if ($field['username'] === $username) {
array_push($errors, "Gebruikersnaam is al reeds ingenomen");
}
// Checks if email is already taken
if ($field['email'] === $email) {
array_push($errors, "E-mailadres is al reeds ingenomen");
}
}
if (count($errors) == 0) {
if (isset($_POST['.......'])) {
$query = "UPDATE users SET username='$username' email='$email' WHERE id=$id";
mysqli_query($db, $query);
header('location: profile.php?profileeditedsuccesfully');
die($query);
}
}
}

Add AND to WHERE in Select:
$field_check_query = "SELECT * FROM users WHERE username='$username' AND email='$email'";
Add comma to separate the pairs in Update.
=$query = "UPDATE users SET username='$username', email='$email' WHERE id=$id";

Change password not working php

Can you please help me what is wrong with my code? I cannot seem to find the error. My problem is that the new password is not saving in my database. I cannot log in with my new password.
This is my php code.
<?php
session_start();
$uid = $_SESSION["uid"];
if($uid)
{
//user is logged in
if(isset($_POST["changepwbtn"]))
{
// check fields
$oldpw = $_POST['old_pw'];
$newpw = $_POST['new_pw'];
$renewpw = $_POST['c_npw'];
//check pw db
$sql = "SELECT pazzword FROM customer_info where user_id = '$uid'";
$run_query = mysqli_query($con,$sql);
$row = mysqli_fetch_array($run_query);
$oldpwdb = $row['pazzword'];
//check pw
if($oldpw==$oldpwdb)
{
//check two new pw
if($newpw==$renewpw)
{
$query_change = mysql_query("UPDATE customer_info SET pazzword = '$newpw' WHERE user_id = '$uid'");
session_destroy();
die("Your password has been changed! <a href='index.php'>Return</a>");
}
else
die("New passwords doesn`t match!");
}
else
die("Old password doesn`t match");
}
echo" ";
}
else
die("You need to log in!");
?>

you have to pass the connection object to mysqli_query
$query_change = mysqli_query($con, "UPDATE customer_info SET pazzword = '$newpw' WHERE user_id = '$uid'");

Unable to echo response in php

I have two fields in my form email & password.
I am trying to make a registration from a single form
conditions are if your is registered he will be logged in, if not he will get registered.
Unable to get echo response
<?php
include_once('connection.php');
include_once('functions.php');
$username = $_GET['username'];
$password = $_GET['password'];
$response=array();
// Check if that username is already exists.
$find_user = mysqli_query($conDB,"SELECT * FROM `users_info` WHERE `username` = '".$username."'");
if (mysqli_num_rows($find_user) != 0) $error[] = "That username is already exist.";
if (empty($error)){
$hashed_password = sha1($password);
// Check if submitted info is correct or not.
$check = mysqli_query($conDB,"SELECT * FROM `users_info` WHERE `username` = '".$username."' AND `password` = '".$hashed_password."'");
if (mysqli_num_rows($check) == 1) {
$code="login_success";
array_push($response,array("code"=>$code,"email"=>$username));
echo json_encode($response);
} else if (empty($error)){
$result = mysqli_query($conDB," INSERT INTO `users_info` (
`username`,
`password`
) VALUES (
'".$username."',
'".$hashed_password."'
)");
if(confirm_query($result)) {
redirect('login.php?signup=1');
}
} else {
$error[] = "Incorrect username or password.";
}
}
?>

MYSQL/PHP selecting

I have 2 tables :
newpw_ask
email
code
users
id
username
password
email
sid
newpw_code
I have this PHP code:
$code = $_POST['code2'];
$email = mysql_query("SELECT email FROM pw_ask WHERE code='$code'");
if ($pass == $pass2) {
if ($email) {
$pass3 = md5($pass);
mysql_query("UPDATE users SET password='$pass3' WHERE email='$email'");
mysql_query("UPDATE users SET newpw_code='' WHERE email='$email'");
mysql_query("DELETE FROM pw_ask WHERE code='$code'");
header("Location: index.php?ret=pw");
} else {
echo 'Wrong code';
}
}
Only this query got executed:
mysql_query("DELETE FROM pw_ask WHERE code='$code'");
Also when I enter the right code, it says “Wrong code”.

You need to select the email correctly :
$sql = mysql_query("SELECT email FROM pw_ask WHERE code='$code'");
$row = mysql_fetch_array($sql);
$email = $row['email'];
btw you can also update multiple fields in 1 query :
mysql_query("UPDATE users SET password='$pass3' , newpw_code='' where email='$email'");

login with username or email address in php

I am trying to create a login with username or email
My code is:
$username=$_REQUEST['login'];
$email=$_REQUEST['login'];
$password=$_REQUEST['password'];
if($username && $password) {
$query="select * from user_db where username='$username' and password='$password'";
} else if ($email && $password) {
$query="select * from user_db where email='$email' and password='$password'";
}
Login with username is success but login with email is not working. Please help me!

The login parameter is the same for both email and username. Not exactly incorrect if you have a single login box that accepts either.
You could put the condition in the query itself if you're not sure if it's an email or username.
$login=$_REQUEST['login'];
$query = "select * from user_db where ( username='$login' OR email = '$login') and password='$password'"
Edit:
A PDO-like solution is much more preferred nowadays as the above is subject to SQL injection. The logic stays the same, but you'd have it look something like this:
$query = "
SET #username = :username
SELECT * FROM user_db
WHERE ( username = #username OR email = #username)
AND password = :password
";
$statement = $pdoObject->prepare($query);
$statement->bindValue(":username", $login, PDO::PARAM_STR);
$statement->bindValue(":password", $password, PDO::PARAM_STR);
$statement->execute();

You are setting the same value to two variables, and then using an if/else. Both if statements are equivalent.
You need to figure out if $_REQUEST[login] contains a valid email address, and if so use the email field of the database. Otherwise, use the username field.
Also, you should not be putting variables directly into the query. Use prepared statements.

Well i know this is an old post but i've found that some people are still going to view it so i wanted to put a easy way to allow both email and username on the same input
my code is as follows
if
(!preg_match("/^[_a-z0-9-]+(\.[_a-z0-9-]+)*#[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$/", $name_of_same_input) )
{
$un_check = mysql_query("SELECT uname FROM eusers WHERE uname = '' ") or die(mysql_error());
echo "loging in with username"; //code
}
elseif
(preg_match("/^[_a-z0-9-]+(\.[_a-z0-9-]+)*#[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$/", $name_of_same_input) )
{
$un_check = mysql_query("SELECT umail FROM eusers WHERE umail = '' ") or die(mysql_error());
echo "loging in with email"; //code
}

<?php
require "connectdb.php";
$email =$_POST["email"];
$mobile = $_POST["mobile"];
$password =$_POST["password"];
//Test variables
//$email = "admin#xyz.com";
//$mobile = "9876543210";
//$password ="#!b7885a$";
$sql_query = "SELECT email FROM RegisterUser WHERE `email` LIKE '$email' OR `mobile` LIKE '$mobile' AND `password` LIKE '$password';";
$result = mysqli_query($con,$sql_query);
if(mysqli_num_rows($result) > 0 )
{
$row = mysqli_fetch_assoc($result);
$email = $row["email"];
echo "Login Successful...Welcome ".$email;
}
else
{
echo "Login Failed...Incorrect Email or Password...!";
}
?>

Hi, for me works something like this:
if ( !isset($_POST['emailuser'], $_POST['userPass']) ) {
// Could not get the data that should have been sent.
die ('Please fill both the username and password field!');
}
$emailuser = ($_POST['emailuser']);
$emailuser = trim($emailuser);
if ($stmt = $con->prepare('SELECT userEmail or userName, userPass FROM users WHERE userEmail = ? or userName = ?')) {
// Bind parameters (s = string, i = int, b = blob, etc), in our case the username is a string so we use "s"
$stmt->bind_param('ss', $emailuser, $emailuser);
$stmt->execute();
// Store the result so we can check if the account exists in the database.
$stmt->store_result();
if ($stmt->num_rows > 0) {
$stmt->bind_result($userName, $userPass);
$stmt->fetch();
// Account exists, now we verify the password.
// Note: remember to use password_hash in your registration file to store the hashed passwords.
if (password_verify($_POST['userPass'], $userPass)) {
// Verification success! User has loggedin!
// Create sessions so we know the user is logged in, they basically act like cookies but remember the data on the server.
session_regenerate_id();
$_SESSION['loggedin'] = true;
$_SESSION['name'] = $emailuser;
$_SESSION['emailuser'] = $userName;
header('location: /menu.php');
} else {
echo 'Incorrect password!';
}
} else {
echo 'Incorrect username!';
}
$stmt->close(); } ?>

$username=$_REQUEST['login'];
$email=$_REQUEST['login'];
This is wrong, you are using $_REQUEST['login'] for both email and username. Why don't you just use email?
If $_REQUEST['login'] doesn't have email address, of course this wont return you anything.
Also, both of your if statements will always execute, unless the fields are empty. right?
Take the login out, enforce the users to login with email addresses. also, take md5 of the password. who stores raw passwords these days?

$username=$_REQUEST['username'];//I'm assuming your code here was wrong
$email=$_REQUEST['email'];//and that you have three different fields in your form
$password=$_REQUEST['password'];
if (validate_username($username)) {
$query="select * from user_db where username='".$username".' and password='".validate_password($password)."'";
} else if (validate_email($email)) {
$query="select * from user_db where email='".$email."' and password='".validate_password($password)."'";
}
//... elsewhere...
function validate_username(&$username) {
if (strlen($username) <= 1) { return false; }
//return false for other situations
//Does the username have invalid characters?
//Is the username a sql injection attack?
//otherwise...
return true;
}
function validate_email(&$email) {
//same deal as with username
}
function validate_password(&$password) {
//same deal as with username
}
Note, if you have only two fields (login and password), then the distinction between email and username is meaningless. Further note that you should really be using PHP PDO to construct and execute your queries, to prevent security breaches and make your life waaay easier.

if (validate_username($username)) {
$query="select * from user_db where username='".$username".' and password='".validate_password($password)."'";
} else if (validate_email($email)) {
$query="select * from user_db where email='".$email."' and password='".validate_password($password)."'";
}

Categories