One time use of activation URL - php

Hi, I want to know how I can expire an activation link 2 days after it is sent through email to users who haven't activated their accounts yet. My idea was to use COOKIES, but I think it's not possible to send COOKIES via email. Can I have some tips and other suggestions please? I've been searching for 6 days now...
Here is what I have so far
$con = new PDO("mysql:host=" . db_host . ";dbname=" . db_name, db_username, db_password);
$con->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$c = $_GET['c'];
if ($c == 1) {
    // Decrypt the token carried in the link (ES is the asker's own cipher wrapper)
    $inputText = $_GET['v'];
    $inputKey  = "3173aLASOf";
    $blockSize = 128;
    $mode      = "M_CBC";
    $es  = new ES($inputText, $inputKey, $blockSize, $mode);
    $dec = $es->decrypt();

    // Look the token up among the pending users
    $sql  = "SELECT vtokn FROM tmp_user WHERE vtokn = :token LIMIT 1";
    $stmt = $con->prepare($sql);
    $stmt->bindValue("token", $dec, PDO::PARAM_STR);
    $stmt->execute();

    // Mark it confirmed, but only if it was not confirmed before
    $sqlups  = "UPDATE tmp_user SET conf = :c WHERE vtokn = :token AND conf = 0 LIMIT 1";
    $stmtups = $con->prepare($sqlups);
    $stmtups->bindValue("c", $_GET['c'], PDO::PARAM_STR);
    $stmtups->bindValue("token", $dec, PDO::PARAM_STR);
    $stmtups->execute();
    $result = $stmt->fetchColumn();

    // Read the timestamp that was stored with the token
    $sqltmps  = "SELECT tmstamp FROM tmp_user WHERE vtokn = :token LIMIT 1";
    $stmttmps = $con->prepare($sqltmps);
    $stmttmps->bindValue("token", $dec, PDO::PARAM_STR);
    $stmttmps->execute();
    $result2 = $stmttmps->fetchColumn();

    // Attempt at an expiry: a cookie whose lifetime ends at the stored timestamp
    $tme = time() + 60 * 2;
    setcookie('exp', 'd', $result2);
    if (isset($_COOKIE['exp'])) {
        if ($result === $dec) {
            $sqltb  = "SELECT * FROM tmp_user WHERE vtokn = :token LIMIT 1";
            $stmttb = $con->prepare($sqltb);
            $stmttb->bindValue("token", $dec, PDO::PARAM_STR);
            $stmttb->execute();
            foreach ($stmttb->fetchAll() as $rows) {
                $user      = $rows['username'];
                $password  = $rows['password'];
                $firstname = $rows['firstname'];
                $lastname  = $rows['lastname'];
            }
            // Copy the pending user into the live users table
            $sql2  = "INSERT INTO ofcl_users(email, password, acct_stat) VALUES (:username, :password, 1)";
            $stmt2 = $con->prepare($sql2);
            $stmt2->bindValue("username", $user, PDO::PARAM_STR);
            $stmt2->bindValue("password", $password, PDO::PARAM_STR);
            $stmt2->execute();
            echo $user . " Is Now Activated<br/>" . "<a href='login.php'>Login Now</a>";
            // Remove the pending row so the same link cannot be used again
            $sqldel  = "DELETE FROM tmp_user WHERE vtokn = :token AND conf = :c LIMIT 1";
            $stmtdel = $con->prepare($sqldel);
            $stmtdel->bindValue("c", $_GET['c'], PDO::PARAM_STR);
            $stmtdel->bindValue("token", $dec, PDO::PARAM_STR);
            $stmtdel->execute();
        } else {
            echo "Account was already activated" . $dec;
        }
    } else {
        echo $_GET['t'] . "Token Expired" . $tme;
    }
} else {
    echo "Invalid Token Reference: " . $dec;
}
This script runs as soon as the link in the email is clicked; the validation is meant to check whether the link is 2 or 3 days old. Is this correct?

Make use of Timestamp.
When inserting a token, add another field to the database, say token_timestamp, and use the time() function for its value.
Then, at the time of validating the activation link, make a check something like this:
$current_time = time();
$max_time = 2*24*60*60; // Time in seconds
if (($current_time - $token_timestamp) > $max_time) {
    echo "Link Expired!";
}
else {
    // Do your Process for Activation here
}
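The timestamp check above carried through to a complete activation flow, as an added example that is neither the asker's nor the answerer's code: the token is random, only its hash is stored, it is consumed inside one transaction so it works exactly once, and links older than two days are refused. It assumes a PDO connection in ERRMODE_EXCEPTION like the asker's, and the table and column names (pending_users, users, token_hash, token_timestamp) are illustrative.

```php
<?php
// Added example (not the asker's or answerer's code). Issues a random token,
// stores its hash with a creation timestamp, and accepts it once, rejecting
// links older than two days. Table and column names (pending_users, users,
// token_hash, token_timestamp) are assumptions for illustration.
const ACTIVATION_TTL = 2 * 24 * 60 * 60; // two days, in seconds

function issueActivationToken(PDO $con, int $pendingUserId): string
{
    // 32 random bytes -> 64 hex chars. Only the hash is stored, so a copy of
    // the table does not hand out working activation links.
    $token = bin2hex(random_bytes(32));
    $stmt = $con->prepare(
        'UPDATE pending_users SET token_hash = :h, token_timestamp = :t WHERE id = :id'
    );
    $stmt->execute([':h' => hash('sha256', $token), ':t' => time(), ':id' => $pendingUserId]);
    return $token; // goes into the e-mailed URL, e.g. activate.php?v=<token>
}

// Returns 'activated', 'expired' or 'invalid'.
function activateAccount(PDO $con, string $token): string
{
    if (!preg_match('/^[0-9a-f]{64}$/', $token)) {
        return 'invalid';
    }
    $con->beginTransaction();
    // FOR UPDATE locks the pending row so two clicks on the same link cannot
    // both pass the checks below.
    $stmt = $con->prepare(
        'SELECT id, token_timestamp FROM pending_users WHERE token_hash = :h LIMIT 1 FOR UPDATE'
    );
    $stmt->execute([':h' => hash('sha256', $token)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row) {
        $con->rollBack();
        return 'invalid';
    }
    if (time() - (int)$row['token_timestamp'] > ACTIVATION_TTL) {
        $con->rollBack();
        return 'expired'; // the answer's check: now - token_timestamp > 2 days
    }
    // Copy the pending user into the live table and delete the pending row in
    // the same transaction, so the link is consumed exactly once.
    $con->prepare('INSERT INTO users (email, password, acct_stat)
                   SELECT email, password, 1 FROM pending_users WHERE id = :id')
        ->execute([':id' => $row['id']]);
    $con->prepare('DELETE FROM pending_users WHERE id = :id')
        ->execute([':id' => $row['id']]);
    $con->commit();
    return 'activated';
}
```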

Related

PHP MYSQL SELECT query parameter includes an ampersand(&)

I am using PHP PDO prepared statements. I am passing in a string and returning the record from MySQL. I am passing three variables to the method.
The query returns nothing. If I perform the same query in phpMyAdmin it returns all the correct data. I believe it is the ampersand (&) in the $team variable, but I don't know how to work around it. I am not using a link and it is not a form element. It is a straight call to the method.
The values of the three parameters are
$season = '2018-19';
$league = 20;
$team = "Texas A&M University-Kingsville";
Here is my method:
public static function getTeamGames($season, $league, $team){
    $conn = parent::connect();
    $sql = "SELECT * FROM rfw_games WHERE season = :season &&
            league = :league && home = :team";
    try {
        $st = $conn->prepare( $sql );
        $st->bindValue( ":season", $season, PDO::PARAM_STR );
        $st->bindValue( ":team", $team, PDO::PARAM_STR );
        $st->bindValue( ":league", $league, PDO::PARAM_INT );
        $st->execute();
        $games = array();
        foreach ( $st->fetchAll() as $row ) {
            $games[] = new Game( $row );
        }
        parent::disconnect( $conn);
        return $games;
    } catch (PDOException $e ) {
        parent::disconnect( $conn );
        die( "Query failed: " . $e->getMessage() );
    }
}
$weeklyGames = Game::getTeamGames( $season, $league, $tName );
I really appreciate the help of everyone.
Thank you in advance.
I was able to fix the issue.
I had to use html_entity_decode on the $team parameter.
I changed my method to the following:
public static function getTeamGames($season, $league, $team){
    // The incoming value is HTML-entity encoded ("A&amp;M"), decode it before binding
    $dTeam = html_entity_decode($team);
    $conn = parent::connect();
    $sql = "SELECT * FROM rfw_games WHERE season = :season && league = :league && home = :team";
    try {
        $st = $conn->prepare( $sql );
        $st->bindValue( ":season", $season, PDO::PARAM_STR );
        $st->bindValue( ":team", $dTeam, PDO::PARAM_STR );
        $st->bindValue( ":league", $league, PDO::PARAM_INT );
        $st->execute();
        $games = array();
        foreach ( $st->fetchAll() as $row ) {
            $games[] = new Game( $row );
        }
        parent::disconnect( $conn);
        return $games;
    } catch (PDOException $e ) {
        parent::disconnect( $conn );
        die( "Query failed: " . $e->getMessage() );
    }
}

mysql_query to pdo conversion error on processing

I need help converting mysql_query to PDO. The MySQL database is not updating when I edit columns. I've tried translating the following code:
<?php
include("connect.php");
if ($_GET['id'] and $_GET['data']) {
    $id   = $_GET['id'];
    $data = $_GET['data'];
    $key  = $_GET['key'];
    // Original unparameterised query that the question is converting away from
    if (mysql_query("update information set $key='$data' where id='$id'")) {
        echo 'success';
    }
}
?>
Into this:
<?php
include("connect.php");
if (isset($_GET)) {
    $id   = $_GET['id'];
    $data = $_GET['data'];
    $key  = $_GET['key'];
}
try {
    $pdo = new PDO( DSN, DB_USR, DB_PWD );
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->query( "SET NAMES utf8" );
    $stmt = $pdo->prepare(
        "UPDATE information
         SET
         key=:data where id=:id"
    );
    $stmt->bindValue( ':id', $id, PDO::PARAM_INT );
    $stmt->bindValue( ':key', $data, PDO::PARAM_STR );
    $stmt->execute();
} catch (PDOException $e){
    var_dump($e->getMessage());
}
$pdo = null;
You used :key in your bindValue() call when it should be :data. You also need to put $key into the query (you can't use a placeholder for a column name, so this requires variable substitution).
$stmt = $pdo->prepare(
    "UPDATE information
     SET
     $key = :data where id=:id"
);
$stmt->bindValue( ':id', $id, PDO::PARAM_INT );
$stmt->bindValue( ':data', $data, PDO::PARAM_STR );
$stmt->execute();
You should validate $key before substituting it, to prevent SQL injection. Something like:
$allowed_keys = array('col1', 'col2', 'col3');
// strict comparison, so no type juggling lets an unexpected value through
if (!in_array($key, $allowed_keys, true)) {
    die("Bad key $key");
}

How to add parameter to clause in PDO query

I am using code to run a MySQL query that defines a clause ($datimeClause). I would like to run the query with a second parameter (:method), but if I change the syntax of the clause at all, the query won't run. I am fairly new to PDO; could someone please tell me how I can reformat the clause to query for the second parameter?
This is the Query
public static function getList( $numRows=1000000, $datimeId=null ) {
    $conn = new PDO( DB_DSN, DB_USERNAME, DB_PASSWORD );
    // Optional filter, only present when a DatimeId was supplied
    $datimeClause = $datimeId ? "WHERE DatimeId = :datimeId" : "";
    $sql = "SELECT SQL_CALC_FOUND_ROWS * FROM notify $datimeClause LIMIT :numRows";
    $st = $conn->prepare( $sql );
    $st->bindValue( ":numRows", $numRows, PDO::PARAM_INT );
    $st->bindValue( ":datimeId", $datimeId, PDO::PARAM_INT );
    $st->execute();
    $list = array();
    while ( $row = $st->fetch() ) {
        $text = new Text( $row );
        $list[] = $text;
    }
    // Total number of rows that matched, as in the working version further down
    $sql = "SELECT FOUND_ROWS() AS totalRows";
    $totalRows = $conn->query( $sql )->fetch();
    $conn = null;
    return ( array ( "results" => $list, "totalRows" => $totalRows[0] ) );
}
This is the function that calls it.
function newAutoText() {
    $results = array();
    $datimeId = ( isset( $_GET['datimeId'] ) && $_GET['datimeId'] ) ? (int)$_GET['datimeId'] : null;
    $results['datime'] = Text::getById( $datimeId );
    $data = Text::getList( 100000, $results['datime'] ? $results['datime']->id : null);
    $results['texts'] = $data['results'];
    $results['totalRows'] = $data['totalRows'];
    require( TEMPLATE_PATH . "/sms.php" );
}
so just try:
public static function getList( $numRows=1000000, $datimeId=null, $andClause=null ) {
and here :
$data = Text::getList( 100000, $results['datime'] ? $results['datime']->id : null, 'testMethod');
and of course here:
$sql = "SELECT SQL_CALC_FOUND_ROWS * FROM notify $datimeClause";
// appends to an existing WHERE, so this expects $datimeClause to be non-empty
if ($andClause!=null ) $sql .= " AND method= :method ";
$st = $conn->prepare( $sql );
$st->bindValue( ":numRows", $numRows, PDO::PARAM_INT );
$st->bindValue( ":datimeId", $datimeId, PDO::PARAM_INT );
if ($andClause!=null )
    $st->bindValue( ":method", $andClause, PDO::PARAM_STR );
Okay, the first getById query I ran in my call function was arbitrary.
This works:
public static function getList( $numRows=1000000, $datimeId, $method=1 ) {
    $conn = new PDO( DB_DSN, DB_USERNAME, DB_PASSWORD );
    $datimeClause = $datimeId ? "WHERE DatimeId = :datimeId" : "";
    // "AND Method" relies on $datimeClause supplying the WHERE, and :datimeId is
    // always bound, so this version expects a non-empty $datimeId
    $sql = "SELECT SQL_CALC_FOUND_ROWS * FROM notify $datimeClause AND Method= :method LIMIT :numRows";
    $st = $conn->prepare( $sql );
    $st->bindValue( ":numRows", $numRows, PDO::PARAM_INT );
    $st->bindValue( ":datimeId", $datimeId, PDO::PARAM_INT );
    $st->bindValue( ":method", $method, PDO::PARAM_INT );
    $st->execute();
    $list = array();
    while ( $row = $st->fetch() ) {
        $text = new Text( $row );
        $list[] = $text;
    }
    // Now get the total number of rows that matched the criteria
    $sql = "SELECT FOUND_ROWS() AS totalRows";
    $totalRows = $conn->query( $sql )->fetch();
    $conn = null;
    return ( array ( "results" => $list, "totalRows" => $totalRows[0] ) );
}
function newAutoText() {
    $results = array();
    $datimeId = ( isset( $_GET['datimeId'] ) && $_GET['datimeId'] ) ? (int)$_GET['datimeId'] : null;
    $data = Text::getList( 100000, $datimeId, '1');
    $results['texts'] = $data['results'];
    $results['totalRows'] = $data['totalRows'];
    require( TEMPLATE_PATH . "/sms.php" );
}
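The same two optional filters assembled so that the query is valid whichever of them is present, as an added example rather than the poster's code: conditions are collected in a list, the first one gets WHERE and the rest AND, only placeholders that occur in the SQL are bound, and LIMIT is bound as an integer. The `notify` table and its DatimeId and Method columns come from the question; the COUNT(*) query replaces SQL_CALC_FOUND_ROWS.

```php
<?php
// Added example, not the poster's code. Builds the optional filters from this
// thread (DatimeId and Method) into a correct WHERE clause: the first condition
// gets WHERE and later ones AND, so leaving $datimeId empty no longer yields
// "FROM notify AND Method = ...", and no placeholder is bound unless it occurs
// in the SQL. The `notify` table and its columns come from the question.
function buildNotifyWhere(?int $datimeId, ?int $method): array
{
    $conds  = [];
    $params = [];
    if ($datimeId !== null) {
        $conds[] = 'DatimeId = :datimeId';
        $params[':datimeId'] = $datimeId;
    }
    if ($method !== null) {
        $conds[] = 'Method = :method';
        $params[':method'] = $method;
    }
    $where = $conds === [] ? '' : ' WHERE ' . implode(' AND ', $conds);
    return [$where, $params];
}

function getNotifyList(PDO $conn, ?int $datimeId, ?int $method, int $numRows = 1000): array
{
    [$where, $params] = buildNotifyWhere($datimeId, $method);

    $st = $conn->prepare("SELECT * FROM notify$where LIMIT :numRows");
    foreach ($params as $name => $value) {
        $st->bindValue($name, $value, PDO::PARAM_INT);
    }
    // LIMIT must be bound as an integer: with PDO's emulated prepares (the
    // MySQL default) a string-bound value would be quoted and MySQL rejects it.
    $st->bindValue(':numRows', $numRows, PDO::PARAM_INT);
    $st->execute();
    $results = $st->fetchAll(PDO::FETCH_ASSOC);

    // Total for the same filters via COUNT(*) rather than SQL_CALC_FOUND_ROWS,
    // which MySQL deprecated in 8.0.17.
    $count = $conn->prepare("SELECT COUNT(*) FROM notify$where");
    foreach ($params as $name => $value) {
        $count->bindValue($name, $value, PDO::PARAM_INT);
    }
    $count->execute();
    return ['results' => $results, 'totalRows' => (int)$count->fetchColumn()];
}
```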

MySQL update, skip blank fields with PDO

I would like to update a MySQL row via the form below. The form works great as is, but if I leave a field blank, it changes the field in MySQL to blank as well. I would like to update the SQL but skip over any fields that are blank.
I have read a few ways of doing this but they didn't seem logical, i.e. using if statements in the SQL string itself (having MySQL do the work that should be done in PHP).
if($_SERVER['REQUEST_METHOD'] != 'POST')
{
    echo '<form method="post" action="">
        ID: <input type="text" name="a" /><br>
        Program: <input type="text" name="b" /><br>
        Description: <textarea rows="6" cols="50" name="c"></textarea><br>
        Cost: <input type="text" name="d"><br>
        <input type="submit" value="Add Link" />
        </form>';
}
try {
    $dbh = new PDO($dsn, $user, $pass);
    $dbh->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION );
    $stmt = $dbh->prepare('UPDATE links SET Program = :program , Descr = :descr, Cost = :cost WHERE Id= :id');
    $stmt->bindParam(":id", $_POST["a"]);
    $stmt->bindParam(":program", $_POST["b"]);
    $stmt->bindParam(":descr", $_POST["c"]);
    $stmt->bindParam(":cost", $_POST["d"]);
    $stmt->execute();
    if (!$stmt) {
        echo "\nPDO::errorInfo():\n";
        print_r($dbh->errorInfo());
    }
    $dbh = null;
} catch (PDOException $e) {
    print "Error!: " . $e->getMessage() . "<br/>";
    die();
}
Something like this should work
.
.
.
$q = array();
// collect a SET fragment only for the fields that were filled in
if(trim($_POST["b"]) !== ""){
    $q[] = "Program = :program";
}
if(trim($_POST["c"]) !== ""){
    $q[] = "Descr = :descr";
}
if(trim($_POST["d"]) !== ""){
    $q[] = "Cost = :cost";
}
if(sizeof($q) > 0){ // check if we have any updates, otherwise don't execute
    $query = "UPDATE links SET " . implode(", ", $q) . " WHERE Id= :id";
    $stmt = $dbh->prepare($query);
    $stmt->bindParam(":id", $_POST["a"]);
    // bind only the placeholders that made it into the statement
    if(trim($_POST["b"]) !== ""){
        $stmt->bindParam(":program", $_POST["b"]);
    }
    if(trim($_POST["c"]) !== ""){
        $stmt->bindParam(":descr", $_POST["c"]);
    }
    if(trim($_POST["d"]) !== ""){
        $stmt->bindParam(":cost", $_POST["d"]);
    }
    $stmt->execute();
}
.
.
.
Change the statement:
$stmt = $dbh->prepare('UPDATE links SET Program = :program , Descr = :descr, Cost = :cost WHERE Id= :id');
As follows:
$stmt = $dbh->prepare('UPDATE links SET Program = IF(trim(:program)="", Program, :program) , Descr = IF(trim(:descr)="", Descr, :descr), Cost = IF(trim(:cost)="", Cost, :cost) WHERE Id= :id');
Check the post fields for empty:
It will skip the update query if any field's data is empty.
if( $_POST["a"] && $_POST["b"] && $_POST["c"] && $_POST["d"]){
    try {
        $dbh = new PDO($dsn, $user, $pass);
        $dbh->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION );
        $stmt = $dbh->prepare('UPDATE links SET Program = :program , Descr = :descr, Cost = :cost WHERE Id= :id');
        $stmt->bindParam(":id", $_POST["a"]);
        $stmt->bindParam(":program", $_POST["b"]);
        $stmt->bindParam(":descr", $_POST["c"]);
        $stmt->bindParam(":cost", $_POST["d"]);
        $stmt->execute();
        if (!$stmt) {
            echo "\nPDO::errorInfo():\n";
            print_r($dbh->errorInfo());
        }
        $dbh = null;
    } catch (PDOException $e) {
        print "Error!: " . $e->getMessage() . "<br/>";
        die();
    }
}
Option 2, update all fields except the empty ones:
try {
    // build the SET list from the fields that were filled in
    // (a is the row id; b, c, d are Program, Descr and Cost)
    $sql = "UPDATE links SET ";
    if($_POST["b"])
        $sql .= " Program = :program ,";
    if($_POST["c"])
        $sql .= " Descr = :descr ,";
    if($_POST["d"])
        $sql .= " Cost = :cost ,";
    $sql = rtrim($sql, ',') . " WHERE Id = :id";
    $dbh = new PDO($dsn, $user, $pass);
    $dbh->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION );
    $stmt = $dbh->prepare($sql);
    // bind only the placeholders that are present in the statement
    $stmt->bindParam(":id", $_POST["a"]);
    if($_POST["b"])
        $stmt->bindParam(":program", $_POST["b"]);
    if($_POST["c"])
        $stmt->bindParam(":descr", $_POST["c"]);
    if($_POST["d"])
        $stmt->bindParam(":cost", $_POST["d"]);
    $stmt->execute();
    if (!$stmt) {
        echo "\nPDO::errorInfo():\n";
        print_r($dbh->errorInfo());
    }
    $dbh = null;
}
catch (PDOException $e) {
    print "Error!: " . $e->getMessage() . "<br/>";
    die();
}
It is easier to use unnamed parameters for dynamic queries in PDO and passing them as an array in execute(). The statement will not be executed unless at least 1 parameter is passed along with the id. I have left in the echo of the derived statement and the dump of the array.
Example statement
UPDATE `links` SET `Program` = ? , `Cost` = ? WHERE `Id` = ?
Example array
Array ( [0] => 2 [1] => 3 [2] => 2 )
if(isset($_GET['a'])){
    $id = $_GET['a'];
    $program = isset($_GET['b']) ? $_GET['b'] : NULL;
    $descr = isset($_GET['c']) ? $_GET['c'] : NULL;
    $cost= isset($_GET['d']) ? $_GET['d'] : NULL;
    $params =array();
    $sql = "UPDATE `links` SET "; //SQL Stub
    if (isset($program)) {
        $sql .= " `Program` = ? ,";
        array_push($params,$program);
    }
    if (isset($descr)) {
        $sql .= " `Descr` = ? ,";
        array_push($params,$descr);
    }
    if (isset($cost)) {
        $sql .= " `Cost` = ? ,";
        array_push($params,$cost);
    }
    $sql = substr($sql, 0, -1);//Remove trailing comma
    if(count($params)> 0){//Only execute if 1 or more parameters passed.
        $sql .= " WHERE `Id` = ? ";
        array_push($params,$id); // the id is always the last positional parameter
        echo $sql;//Test
        print_r($params);//Test
        $stmt = $dbh->prepare($sql);
        $stmt->execute($params);
    }
}
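One builder that covers both this thread and the "mysql_query to pdo conversion" answer above, as an added example that is not code from any of the posts: the column name is taken from a fixed allowlist (a column name cannot be a placeholder, so only allowlisted text may reach the SQL), blank fields are left out of the SET list, and "0" is kept as a real value. The `links` table and its columns are the question's; the field-to-column mapping and the function names are assumed.

```php
<?php
// Added example, not code from any of the answers above. It serves two threads
// on this page: the column name comes from a fixed allowlist (the point of the
// "mysql_query to pdo" answer, since a column name cannot be a placeholder),
// and blank fields are left out of the SET list (this thread). Table `links`
// and its columns are the question's; the field-to-column mapping is assumed.
const LINK_COLUMNS = [
    'b' => 'Program', // form field => column
    'c' => 'Descr',
    'd' => 'Cost',
];

// Returns [$sql, $params], or null when there is nothing safe to update.
function buildLinkUpdate(array $input): ?array
{
    if (!isset($input['a']) || !ctype_digit((string)$input['a'])) {
        return null; // the row id must be a plain integer
    }
    $set    = [];
    $params = [];
    foreach (LINK_COLUMNS as $field => $column) {
        if (!isset($input[$field]) || !is_string($input[$field])) {
            continue; // field not submitted at all
        }
        $value = trim($input[$field]);
        // "" means "leave unchanged". "0" is a real value and must be kept,
        // which is why a bare if($_POST["d"]) or empty() would be wrong here.
        if ($value === '') {
            continue;
        }
        $set[] = "`$column` = :$field"; // $column is allowlisted text, never input
        $params[":$field"] = $value;
    }
    if ($set === []) {
        return null;
    }
    $params[':id'] = (int)$input['a'];
    return ['UPDATE `links` SET ' . implode(', ', $set) . ' WHERE `Id` = :id', $params];
}

// Runs the update and reports how many rows changed.
function updateLink(PDO $dbh, array $input): int
{
    $built = buildLinkUpdate($input);
    if ($built === null) {
        return 0;
    }
    [$sql, $params] = $built;
    $stmt = $dbh->prepare($sql);
    $stmt->execute($params);
    return $stmt->rowCount();
}

// Constructed sample input: Descr left blank, Cost set to "0".
[$sql, $params] = buildLinkUpdate(['a' => '7', 'b' => 'Chess', 'c' => '', 'd' => '0']);
```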

Invalid argument supplied for foreach() in Comment System showing from SQL

I am creating a comment system for my website, and I am linking the comments to the article ID. Each comment has its own id in increasing order, but different comments can have the same article ID.
Here is the area of my template where the error is being thrown:
<h1>Comments</h1>
<ul id="headlines" class="archive">
<?php foreach ($craps['comments'] as $comment ) { ?>
    <li>
        <h2>
            <span class="pubDate"><?php echo date('j F Y', $comment->publicationDate)?></span>
        </h2>
        <p class="summary">
            <?php echo htmlspecialchars( $comment->content )?>
        </p>
    </li>
<?php } ?>
</ul>
Here is the section of my index page that sets the variables (the array and the data) that the PHP foreach loop is using:
function viewArticle() {
    if ( !isset($_GET["articleId"]) || !$_GET["articleId"] ) {
        homepage();
        return;
    }
    $results = array();
    $results['article'] = Article::getById( (int)$_GET["articleId"] );
    $results['pageTitle'] = $results['article']->title . " | Gaming News";
    $craps = array();
    $data = Comment::getList( (int)$_GET["articleId"]);
    $craps['comments'] = $data['craps'];
    require( TEMPLATE_PATH . "/viewArticle.php" );
}
This is where the system pulls the data from the database (it is in my Comment.php):
public static function getList( $art, $order="publicationDate DESC", $numRows=10000 ) {
    $conn = new PDO( DB_DSN, DB_USERNAME, DB_PASSWORD );
    $sql = "SELECT SQL_CALC_FOUND_ROWS *, UNIX_TIMESTAMP(publicationDate) AS publicationDate FROM comments WHERE articleid = :art
            ORDER BY " . mysql_escape_string($order) . " LIMIT :numRows";
    $st = $conn->prepare( $sql );
    $st->bindValue( ":art", $art, PDO::PARAM_INT );
    $st->bindValue( ":numRows", $numRows, PDO::PARAM_INT );
    $st->execute();
    $list = array();
    while ( $row = $st->fetch() ) {
        $comment = new Comment( $row );
        $list[] = $comment;
    }
}
I would really appreciate the help. This is the last error I have before the comments in the test system are displayed.
Here is the new getList code:
public static function getList( $art, $order="publicationDate DESC", $numRows=10000 ) {
    $conn = new PDO( DB_DSN, DB_USERNAME, DB_PASSWORD );
    $conn->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // ORDER BY cannot be a bound parameter (a bound value is treated as a
    // constant and does not sort), so only accept known sort expressions
    $allowedOrders = array( "publicationDate DESC", "publicationDate ASC" );
    if ( !in_array( $order, $allowedOrders, true ) ) {
        $order = "publicationDate DESC";
    }
    $sql = "SELECT SQL_CALC_FOUND_ROWS *, UNIX_TIMESTAMP(publicationDate) AS publicationDate FROM comments WHERE articleid = :art ORDER BY $order LIMIT :numRows";
    $st = $conn->prepare( $sql );
    $st->bindValue( ":art", $art, PDO::PARAM_INT );
    $st->bindValue( ":numRows", $numRows, PDO::PARAM_INT );
    $st->execute();
    $list = array();
    while ( $row = $st->fetch() ) {
        $comment = new Comment( $row );
        $list[] = $comment;
    }
    // viewArticle() reads $data['craps'], so return that shape (an empty array
    // when nothing matched, which foreach() accepts)
    return array( "craps" => $list );
}
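The ORDER BY handling generalised a step further, as an added example that is not the poster's code: the sort column and direction arrive as separate request values, each is checked against a fixed allowlist, and only the allowlisted text is placed in the SQL, because a bound ":order" parameter is treated by MySQL as a constant and sorts nothing. The `comments` table, its columns and the Comment class are the question's; the sort parameter names and the function name are assumed.

```php
<?php
// Added example, not the poster's code. ORDER BY cannot take a bound
// parameter: binding ":order" makes MySQL sort by a constant string, so the
// rows come back unsorted, and escaping does not help because the value is
// never a quoted literal. Here a sort column and direction taken from the
// request are checked against fixed allowlists and only allowlisted text is
// placed in the SQL. Table `comments`, its columns and the Comment class are
// the question's; the sort parameter names are assumed.
const COMMENT_SORT_COLUMNS = ['publicationDate', 'id'];

function orderByClause(string $column, string $direction): string
{
    if (!in_array($column, COMMENT_SORT_COLUMNS, true)) {
        $column = 'publicationDate';          // unknown column: fall back
    }
    $direction = strtoupper($direction) === 'ASC' ? 'ASC' : 'DESC';
    return "ORDER BY `$column` $direction";   // built only from allowlisted text
}

function getCommentList(PDO $conn, int $art, string $sortCol = 'publicationDate',
                        string $sortDir = 'DESC', int $numRows = 10000): array
{
    $sql = 'SELECT *, UNIX_TIMESTAMP(publicationDate) AS publicationDate
            FROM comments WHERE articleid = :art '
         . orderByClause($sortCol, $sortDir) . ' LIMIT :numRows';
    $st = $conn->prepare($sql);
    $st->bindValue(':art', $art, PDO::PARAM_INT);
    $st->bindValue(':numRows', $numRows, PDO::PARAM_INT);
    $st->execute();
    $list = [];
    while ($row = $st->fetch(PDO::FETCH_ASSOC)) {
        $list[] = new Comment($row);
    }
    // Always return the shape viewArticle() reads ($data['craps']), even when
    // no comment matched, so the template's foreach never receives null.
    return ['craps' => $list];
}

// Constructed request values, e.g. from ?articleId=3&sort=id&dir=asc
$sortCol = isset($_GET['sort']) ? (string)$_GET['sort'] : 'publicationDate';
$sortDir = isset($_GET['dir']) ? (string)$_GET['dir'] : 'DESC';
$data = getCommentList($conn, (int)$_GET['articleId'], $sortCol, $sortDir);
```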
