I'm trying secure more my member system.
So basicly if somebody wants to create an account he needs to activate it by email.
Now when I receive an email with the activation code: he says We cannot find that email This is strange since the email is in the database.
I got a script called activate.php
<?php
if (isset($_GET['succes']) === true && empty ($_GET['succes']) === true) {
?>
<h2>Thanks, your account has been activated!</h2>
<?php
} else if (isset($_GET['email'], $_GET['email_code']) === true) {
$email = trim($_GET['email']);
$email_code = trim($_GET['email_code']);
$user = new User();
if($user->email_exists($email) === false) {
echo 'We cannot find that email';
} else if ($user->activate($email, $email_code) === false) {
echo 'problem activate your account';
}
}
?>
In the classes dir I got a file called User.php
The activate function
function activate ($email, $email_code) {
$email = mysql_real_escape_string($email);
$email_code = mysql_real_escape_string($email_code);
require_once '../config.php';
if ($db->get($db->query("SELECT COUNT(`id`) FROM `users` WHERE `email` = '$email' AND `email_code` = '$email_code' AND `active` = 0"), 0) == 1) {
$db->query("UPDATE `users` SET `group` = 1 WHERE `email` = '$email'");
return true;
} else {
return false;
}
}
And the email_exists function:
function email_exists($email) {
return ($this->_db->get($this->_db->query("SELECT COUNT(`id`) FROM `users` WHERE `email` = '$email'"), 0) == 1) ? true : false;
}
Use urlencode and urldecode funcitons while inserting/gettind email from url
$email = urldecode(trim($_GET['email']));
...
$url = 'http://site/?email='urlencode($email);
Check this:
function email_exists($email) {
var_dump($email);exit;
return ($this->_db->get($this->_db->query("SELECT COUNT(`id`) FROM `users` WHERE `email` = '$email'"), 0) == 1) ? true : false;
}
Related
I have this error "Warning: mysql_result(): user_id not found in MySQL result index 13 in C:\xampp\htdocs\core\functions\users.php on line 14"
I think i don't know how to read from my Database, it looks like
Here is my users code
<?php
function user_exists($username){
$username = sanitize($username);
return (mysql_result(mysql_query("SELECT COUNT(`uID`) FROM `user` WHERE `uUserName` = '$username'"), 0) == 1) ? true : false;
}
function user_active($username){
$username = sanitize($username);
return (mysql_result(mysql_query("SELECT COUNT(`uID`) FROM `user` WHERE `uUserName` = '$username' AND `uActive` = 1"), 0) == 1) ? true : false;
}
function user_id_from_username($username){
$username = sanitize($username);
return mysql_result(mysql_query("SELECT `uID` FROM `user` WHERE `uUserName` = '$username'"), 0, 'user_id');
}
function login($username,$password){
$user_id = user_id_from_username($username);
$username = sanitize($username);
$password = md5($password);
return (mysql_result(mysql_query("SELECT COUNT(`uID`) FROM `user` WHERE `uUserName` = '$username' AND `uPassword` = '$password'"), 0) == 1) ? $user_id : false;
}
?>
This is my login system code
if(empty($_POST) === false){
$username = $_POST['username'];
$password = $_POST['password'];
if(empty($username) === true || empty($password) === true){
$errors[] = 'You need to enter a Username and Password';
} else if(user_exists($username) == false){
$errors[] = 'We cannot find that Username, have you registered?';
} else if(user_active($username) === false){
$errors[] = 'You have not activated your account.';
}
else {
$login = login($username,$password);
if($login === false){
$errors[] = 'The username or password is incorrect';
} else {
echo 'ok';
}
}
print_r($errors);
}
You have an error at line 13 where you specify 'user_id' as an offset.
You can simply get the uID column and store the value if that row exists.
$result = mysql_query("SELECT `uID` FROM `user` WHERE `uUserName` = '$username'");
$user_id = 0; // default value, meaning user not found
if ($result && mysql_num_rows($result) > 0){
$row = mysql_fetch_assoc($result);
$user_id = $row[0];
}
return $user_id;
Then you can modify your login function to check whether user_id > 0 or not. If it's larger than 0, then you got that user's id.
Currently the only problem that I see is your user_id_from_username function.
You're trying to set an offset to a field that doesn't exist and mysql doesn't find it. So it's throwing an error:
function user_id_from_username($username){
$username = sanitize($username);
return mysql_result(mysql_query("SELECT `uID` FROM `user` WHERE `uUserName` = '$username'"), 0, 'uID');
}
Try the above or leave off the uID since it's not a mandatory but rather an optional parameter.
Insert obligatory, you should be using mysqli instead of mysql at this point if your PHP version supports it.
I am trying to write a bit of code that checks if an email exists in my table but keep receiving a "Query was empty" error. I can't seem to find why the query is returning empty?
I am new to PHP and am following a tutorial online for this, the code to which I am following seems to be identical. My code:
recover1.php
<?php require_once('Connections/localhost.php'); ?>
<?php
session_start();
if(isset($_SESSION['MM_Username'])) {
header("Location: My_Account.php");
die;
}
?>
<?php include('functions2.php'); ?>
<?php
$mode_allowed = array('username', 'password');
if (isset($_GET['mode']) === true && in_array($_GET['mode'], $mode_allowed) == true) {
if (isset($_POST['email']) === true && empty($_POST['email']) === false) {
if (email_exists(($_POST['email'])) === true) {
echo "ok";
} else {
echo '<div id="error"> We could not find that email address, please try again. </div>';
}
}
?>
<?php
} else {
header('Location: subscribe.php');
exit();
}
?>
functions2.php
<?php
function sanitize($data) {
return mysql_real_escape_string($data);
}
function recover ($mode, $email) {
$email = sanitize($email);
$mode = sanaitize($mode);
$user_data = user_data(UserID_from_email($email), `Username`);
if ($mode == 'username') {
email($email, 'Your Username', "Hi/n As requested your username is " . $user_data['Username'] . "/n/n Infinity Crates");
} else if ($mode == 'password') {
//recover password
}
}
function email_exists($email) {
$email = sanitize($email);
$query = mysql_query("SELECT COUNT (`UserID`) FROM `users` WHERE `Email` = '$email'");
$result = mysql_query($query) or die(mysql_error());
return (mysql_result($result, 0) == 1) ? true : false;
}
function UserID_from_email($email) {
$email = sanitize($email);
return mysql_result(mysql_query("SELECT `UserID` from `Users` WHERE `Email` = '$email'"), 0, `UserID`);
}
function email($to, $subject, $body) {
mail($to, $subject, $body, 'From: infinitycrate#gmail.com');
}
?>
You're using mysql_query 2 times.
Make it:
function email_exists($email) {
$email = sanitize($email);
$query = "SELECT COUNT (`UserID`) FROM `users` WHERE `Email` = '$email'";
$result = mysql_query($query) or die(mysql_error());
return (mysql_result($result, 0) == 1) ? true : false;
}
You can even modify your function like this:
function email_exists($email) {
$email = sanitize($email);
$result = mysql_query("SELECT * FROM `users` WHERE `Email` = '$email'") or die(mysql_error());
return (mysql_num_rows($result) > 0) ? true : false;
}
Note: Default Mysql API is deprecated from PHP 5.5. Please use PDO and Mysqli instead. For more information you can take a look at http://php.net/manual/en/mysqlinfo.api.choosing.php
Your functions either need to globalize the mysql_connect resource variable or have the resource passed to the function. Check your first require_once file and see if the mysql_connect resource is stored in a variable. If not, modify it to save the resource to a variable like $dbh and modify the "email_exists", "sanitize" and "UserID_from_email" functions by inserting global $dbh; as the first line in those functions.
I created a login form but when i try to login, it says email or password is incorrect but I'm going in the right email and password.
I create user in my database users table but again again i get this error. All error is ok when i try to emtpy email and password it says You need to entere a email and password.
and activated error also ok.I am entering the correct password and email address. Gives me the error.
This is users.php
<?php
function user_exists($email) {
$email = sanitize($email);
return (mysql_result(mysql_query("SELECT COUNT(`id`) FROM `users` WHERE `email` = '$email'"), 0) == 1) ? true : false;
}
function user_active($email) {
$email = sanitize($email);
return (mysql_result(mysql_query("SELECT COUNT(`id`) FROM `users` WHERE `email` = '$email' AND `active` = 1"), 0) == 1) ? true : false;
}
function user_id_from_email($email) {
$email = sanitize($email);
return mysql_result(mysql_query("SELECT `id` FROM `users` WHERE `email` = '$email'"), 0, 'id');
}
function login($email, $password) {
$id = user_id_from_email($email);
$email = sanitize($email);
$password = md5($password);
return (mysql_result(mysql_query("SELECT COUNT (`id`) FROM `users` WHERE `email` = '$email' AND `password` = '$password'"), 0 ) == 1) ? $id : false;
}
?>
And this is login.php
<?php
include("core/init.php");
if(empty($_POST) === false) {
$email = $_POST['email'];
$password = $_POST['password'];
if (empty($email) === true || empty($password) === true) {
$errors[] = 'You need to enter a email and password';
} else if (user_exists($email) === false) {
$errors[] = 'We can\'t find that email. Have you registered ?';
} else if (user_active($email) === false) {
$errors[] = 'You have\'t activated your account';
} else {
$login = login($email, $password);
if ($login === false) {
$errors[] = 'That email/passowrd cocmbination is incorrect';
}else {
$_SESSION['id'] = $login;
header('Location: main.php');
exit();
}
}
print_r ($errors);
}
?>
Sorry, but there's a whole load of stuff which is wrong - lots of it may be producing errors.
1) there is no 'sanitize' function in php and you haven't told us what it does.
2) your login.php does niclude users.php
3) generating an md5 hash of the password is far from secure (it should be a slated sha1 hash as a minimum)
4) you never check for errors being returned by the DBMS
5) ...actually - that's not true - you compare the return value from the functions in users.php to false - and you'll only get false if the query fails - not if it returns 0 rows
Consider....
function do_something_with_email($email, &$err) {
$email = mysql_real_escape_string($email);
if (!($res=mysql_query("SELECT `id` FROM `users` WHERE `email` = '$email'"))) {
$err=mysql_error();
return false;
}
if (!($data=mysql_fetch_array($res)) {
$err=mysql_error();
return false;
}
return $data[0];
}
switch (do_something_with_email($email, $err)) {
case false:
die ($err);
case 0:
print "No records matched";
break;
default:
print "OK";
break;
}
Okay, so I'm setting up the activation page using $_GET[] from the link the server emails the user.
Here's my activation page.
if (isset($_GET['success']) && $_GET['success'] == false) {
echo 'Your account has been activated, please login to continue.';
} else if (isset($_GET['email'], $_GET['email_code']) === true) {
$email = trim($_GET['email']);
$email_code = trim($_GET['email_code']);
if (email_exists($db, $_GET['email']) == false) {
$errors[] = 'This email address hasn\'t been registered with us.';
} else if (activate($db, $email, $email_code) === false) {
$errors[] = 'We had problems activating your account, please contact an Administrator.';
}
if (empty($errors) === false) {
echo output_errors($errors);
} else {
header('Location: activate.php?success');
exit();
}
} else {
header('Location: index.php');
}
I believe that to be fine, the problem lies within my function activate()
function activate(PDO $db, $email, $email_code) {
$stmt = $db->prepare("SELECT COUNT (`id`) FROM `users` WHERE `email` = :email AND `email_code` = :email_code AND `active` = 0");
$stmt->bindValue(':email', $email);
$stmt->bindValue(':email_code', $email_code);
$stmt->execute();
$row = $stmt->fetch(PDO::FETCH_OBJ);
return $row ? $row->type : 0;
}
At this moment, I'm just trying to get it to return something, yet it doesn't.
What I really need, is for it to do this.
function activate($email, $email_code) {
$email = mysql_real_escape_string($email);
$email_code = mysql_real_escape_string($email_code);
if (mysql_result(mysql_query("SELECT COUNT(`user_id`) FROM `users` WHERE `email` = '$email' AND `email_code` = '$email_code' AND `active` = 0"), 0) ==1) {
mysql_query("UPDATE `users` SET `active` = 1 WHERE `email` = '$email'");
return true;
} else {
return false;
}
}
But I cannot quite translate it.
Any help would be appreciated, thanks.
I thought I'd add this doesn't return any errors, mainly because I haven't put anything in correctly yet for it to return one.
EDIT:
else if (activate($db, $email, $email_code) === 0) {
$errors[] = 'We had problems activating your account, please contact an Administrator.';
}
Then the function
function activate(PDO $db, $email, $email_code) {
$sql = "SELECT `active`, `email_code` FROM `users` WHERE `email` = '?'";
$stmt = $db->prepare($sql);
$stmt->execute(array($email));
$row = $stmt->fetch();
if ($row && $row['active'] == $email_code && !$row['active'] ) {
$sql = "UPDATE `users` SET `active` = 1 WHERE `email` = '?'";
$stmt = $db->prepare($sql);
$stmt->execute(array($email));
return $stmt->rowCount();
} else {
return 0;
}
}
function activate(PDO $db, $email, $email_code) {
$sql = "SELECT active, email_code FROM users WHERE email = ?";
$stmt = $db->prepare($sql);
$stmt->execute(array($email));
$row = $stmt->fetch();
$if ($row && $row['active'] == $email_code && !$row['active'] )
$sql = "UPDATE users SET active = 1 WHERE email = ?");
$stmt = $db->prepare($sql);
$stmt->execute(array($email));
return $stmt->rowCount();
}
}
This is for user activation.
function activate($email, $email_code){
$email = mysql_real_escape_string($email);
$email_code = mysql_real_escape_string($email_code);
if (mysql_result(mysql_query("SELECT COUNT(`user_id`) FROM `users` WHERE `email` = '$email' AND `email_code` = '$email_code' AND `active` = 0"), 0) == 1){
mysql_query("UPDATE `users` SET `active` = 1 WHERE `email` = '$email'");
return true;
}else{
return false;
}
}
Activation.php
if (isset($_GET['success']) === true && empty($_GET['success'])===true){
echo 'Account activated!';
}
else if (isset($_GET['email'], $_GET['email_code']) === true){
$email = trim($_GET['email']);
$email_code = trim($_GET['email_code']);
if(email_exists($email) === false){
$errors[] = 'Oops, something went wrong!';
}else if (activate($email, $email_code === false)){
$errors[] = 'We have problems activating your account!';
}
if (empty($errors) === false){
echo output_errors($errors);
}else{
header('Location:activate.php?success');
exit();
}
}else{
header('Location:go.php');
exit();
}
It says 'Account activated!' as I echoed but it didn't change the field in the table. It didn't activate at all basically. What is the problem here?
You have to change the function like this
function activate($email, $email_code){
$email = mysql_real_escape_string($email);
$email_code = mysql_real_escape_string($email_code);
if (mysql_result(mysql_query("SELECT COUNT(`user_id`) FROM `users` WHERE `email` = '$email' AND `email_code` = '$email_code' AND `active` = 0"), 0) == 1){
if(mysql_query("UPDATE `users` SET `active` = 1 WHERE `email` = '$email'")){
return true;
}
else{
return false;
}
}
}