I have had my script running on a localhost WampServer 1st which where it worked and then exported it to my online live domain.
After some adjustments i got the script partically working again but i am still getting below error
Call to undefined function filter_var()
The purpose of this script is when an user wants to registrate it will validate the email address and add the user to the database and send an validation link to the users emailaddress.
Here is the script:
<?PHP
error_reporting(E_ALL);
ini_set('display_errors', 1);
// connection towards database with a include function
include ('connection.php');
if (isset($_REQUEST['send']))
{
if(isset($_REQUEST['NAAM']))
{
$naam = $_REQUEST['NAAM'];
}
function spamcheck($field)
{
//filter_var() sanitizes the e-mail
//address using FILTER_SANITIZE_EMAIL
$field = filter_var($field, FILTER_SANITIZE_EMAIL);
//filter_var() validates the e-mail
//address using FILTER_VALIDATE_EMAIL
if(filter_var($field, FILTER_VALIDATE_EMAIL))
{
return TRUE;
}else
{
return FALSE;
}
}
//if "email" is filled out, proceed
if (isset($_REQUEST['mail']))
{
//check if the email address is invalid
$mailCheck = spamcheck($_REQUEST['mail']);
if ($mailCheck == TRUE)
{
$email = $_REQUEST['mail'];
}else
{
$mailCheck = FALSE;
echo "Invalid input email";
}
}
if(isset($_REQUEST['question']))
{
$quest = $_REQUEST['question'];
// checks if the filled in Question is de same as the answer novice or Novice
if ($quest =="novice" or $quest =="Novice")
{
$questCheck = TRUE;
}else
{
$questCheck = FALSE;
echo "Your answer to the question was incorrect!<br>";
}
}
if(isset($_REQUEST['wachtwoord'] , $_REQUEST['c_wachtwoord']))
{
$WW = $_REQUEST['wachtwoord'];
$c_WW = $_REQUEST['c_wachtwoord'];
// checks if the filled in password is de same as the confirmation password
if ($WW == $c_WW)
{
$pwCheck = TRUE;
}else
{
$pwCheck = FALSE;
echo "Your filled in passwords are not the same try again!<BR>";
}
}
// checks if both password confirmation and question are TRUE continue else retrieve fault
if ($pwCheck && $questCheck && $mailCheck == TRUE)
{
$hash = md5( rand(0,1000) );
// insert all filled in values into the database
$opdracht1 = "INSERT INTO users (ID , name , password , mail , staffLevel , hash , active) VALUES ('','$naam','$WW','$email','0','$hash','0')";
// run query
if (mysql_query ($opdracht1))
{
header( "refresh:5;url=http://www.debeerislos.nl/inlog_user.php" );
echo "Your account has succesfully been created! Please check your email to validate your account!<BR>";
$to = $email; //Send email to our user
$subject = 'Signup | Verification'; //// Give the email a subject
$message = '
Thanks for signing up!
Your account has been created!
You can login with the following credentials:
------------------------
Username: '.$naam.'
Password: '.$WW.'
------------------------
After you have activated your account you will have the rights so you can fully use it.
Please click this link to activate your account:
http://www.debeerislos.nl/verify_user.php?email='.$email.'&hash='.$hash.'&name='.$naam.'
'; // Our message above including the link
$headers = 'From:info#debeerislos.nl' . "\r\n"; // Set from headers
mail($to, $subject, $message, $headers); // Send the email
}else
{
echo "Woops something went wrong please contact the Administrator of the website or fill in the form again!<br> <A href='http://www.debeerislos.nl/form_register_user.html'>CLICK HERE!</A> to fill in the forum again";
}
}elseif ($pwCheck && $questCheck == FALSE)
{
echo "you filled both the password confirmation and the answer to the question incorrect!<br>";
}
}else
{
echo "Either you haven't send anything! or you haven't filled in the form<br>";
}
?>
In advance thank you.
Kind Regards,
StaleDevil
where have you defined filter_var() function? It is not defined in your given code. If you are defining it in the same page then how are you defining? provide example. otherwise if you are definfing it in another page then include the page.
Related
I am trying to allow users to edit their email address in my PHP system but also prevent them from setting one that already exist, I am also trying run them through FILTER_VALIDATE_EMAIL. However it stops somewhere for me. The checks works fine in same function, but updating the the new one if the checks that I tried to setup are passed doesn't work. I am using a HTML form for updating them. I thought I did it right, I read here check if email exists in MySQL database that it should be possible to do it this way.
Here's my code, does anyone see what I am doing wrong? Where am I missing out?
function EmailCheck($sql) {
if (isset($_POST['email'])) {
$newemail = $_POST["email"];
if (!filter_var($_POST['email'], FILTER_VALIDATE_EMAIL)) {
echo "Invalid e-mail, please try a different.";
exit;
}
$check_email = $sql->query("SELECT email FROM auth WHERE email='$newemail'");
if ($check_email-> num_rows) {
echo "E-mail is already in use.";
exit;
}
}
else {
mysqli_query($sql, "UPDATE auth SET email='$newemail' WHERE username = '$this->username'");
header("Location: userinfo.php");
exit;
}
}
Your Update query looks like it is in the wrong place. According to your code, if the posted email value is not set, you are updating the DB. I am guessing that is not what you want to do. The other problem I see is you are only passing the $sql variable to the function. The posted value will never be set.
//initalize flags
$flag1 = "no";
$flag2 = "no";
if( isset($_POST['email'])){
if(!filter_var($_POST['email'], FILTER_VALIDATE_EMAIL)) {
echo "Invalid e-mail, please try a different.";
exit;
}else{
//use flag here for for last if
$flag1 = "yes";
}
$check_email = $sql->query("SELECT email FROM auth WHERE email='$newemail'");
if ($check_email-> num_rows) {
echo "E-mail is already in use.";
exit;
}else{
//set 2nd flag here
$flag2 = "yes";
}
if( $flag1 == "yes" && $flag2 == "yes"){
//update query for new email here
}
}else{
//do something when no email is posted
}
Basically I set up a self signed SSL certificate and all of a sudden my register forum stopped working, it almost feels as if it goes into a redirect loop but it doesn't, the way my register works is that you need to verify you account by email. When you click the register, the page doesn't load for a couple of minutes and then it eventually gives you the notification that the verification sent but it doesn't send to your email address. Also before I set up the self signed SSL it did work, I believe it's because SSL doesn't see my register.php forum as secure therefor it doesn't send it because it's uncrypted, if there is a bypass or a way to fix this it would be greatly appreciated.
<?php
define('DIRECT', TRUE);
function getRealIpAddr()
{
if (!empty($_SERVER['HTTP_CLIENT_IP'])) //check ip from share internet
{
$ip=$_SERVER['HTTP_CLIENT_IP'];
}
elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) //to check ip is pass from proxy
{
$ip=$_SERVER['HTTP_X_FORWARDED_FOR'];
}
else
{
$ip=$_SERVER['REMOTE_ADDR'];
}
return $ip;
}
/* Registration process, inserts user info into the database
and sends account confirmation email message
*/
// Set session variables to be used on activate.php page
$_SESSION['email'] = $_POST['email'];
$_SESSION['username'] = $_POST['firstname'];
// Escape all $_POST variables to protect against SQL injections
$username = $mysqli->escape_string($_POST['firstname']);
$ip=$_SERVER['REMOTE_ADDR'] = getRealIpAddr();
$dateTime = date('Y/m/d G:i:s');
$email = $mysqli->escape_string($_POST['email']);
$uncryptpass = $mysqli->escape_string($_POST['password']);
$password = $mysqli->escape_string(password_hash($_POST['password'], PASSWORD_BCRYPT));
$hash = $mysqli->escape_string( md5( rand(0,1000) ) );
// Check if user with that email already exists
$result = $mysqli->query("SELECT * FROM users WHERE email='$email'") or die($mysqli->error());
// We know user email exists if the rows returned are more than 0
if ( $result->num_rows > 0 ) {
$_SESSION['message'] = 'An account with ' .$email. ' already exists!';
header("location: /login/index.php");
}
else { // Email doesn't already exist in a database, proceed...
// active is 0 by DEFAULT (no need to include it here)
$sql = "INSERT INTO users (username, email, uncryptpass, password, hash, ip, date) "
. "VALUES ('$username','$email','$uncryptpass','$password', '$hash', '$ip', '$dateTime')";
// Add user to the database
if ( $mysqli->query($sql) ){
$_SESSION['active'] = 0; //0 until user activates their account with verify.php
$_SESSION['logged_in'] = true; // So we know the user has logged in
$_SESSION['message'] =
"Confirmation link has been sent to $email, please verify
your account by clicking on the link in the message!";
// Send registration confirmation link (verify.php)
$to = $email;
$subject = 'Account Verification';
$message_body = '
'.$username.',
***DO NOT RESPOND BACK TO THIS EMAIL***
https://example.com/login/verify.php?email='.$email.'&hash='.$hash;
mail( $to, $subject, $message_body );
header("location: activate.php");
}
else {
$_SESSION['message'] = 'Registration failed!';
header("location: /login/index.php");
}
}
I have created a registration system with email verification and when I signed up everything was ok. But when I clicked on link in email it said error. Can you help me please?
<?php session_start();
include_once 'dbconnect.php';
if (isset($_GET['email'])){
$email = $_GET['email'];
}
if (isset($_GET['status']) && (strlen($_GET['status']) == 32)) {
$status = $_GET['status'];
}
if (isset($email) && isset($status)) {
$query_activate_account = "UPDATE users SET status='Active' WHERE(email ='$email' AND status='$status')";
$result_activate_account = mysqli_query($query_activate_account);
echo '<div>Your account is now active. You may now Log in</div>';
} else {
echo '<div>Oops !Your account could not be activated. Please recheck the link or contact the system administrator.</div>';
}
?>
The url you are sending to user is wrong
It does not contain email and status
To use code like this,
if (isset($_GET['email'])){
$email = $_GET['email'];
}
if (isset($_GET['status']) && (strlen($_GET['status']) == 32)) {
$status = $_GET['status'];
}
your email should be like this,
$email = "email here";
$message = "http://chat-web.net/activate.php?status=$status&email=$email";
I'm working on a PHP page that allows the user to reset their password. I have got to the point where a username is entered and an email is sent with a link to change the password.
However when I go to change the password I'm getting the following errors
Notice: Undefined index: email in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\reset-password.php on line 112
Notice: Undefined index: hash in C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\reset-password.php on line 112
This is my code for reset-password.php...
<?php
$msg = "";
// If user is visiting using the link provided in the email
if(isset($_GET['email']) && !empty($_GET['email']) AND isset($_GET['hash']) && !empty($_GET['hash']))
{
$email = checkInput($_GET['email']); // Set email variable
$hash = checkInput($_GET['hash']); // Set hash variable
$search = mysql_query("SELECT email, hash FROM users WHERE email='".$email."' AND hash='".$hash."'") or die(mysql_error());
$match = mysql_num_rows($search);
if($match > 0)
{
// There is a match -> show change password form
changePassForm();
}
else
{
// No match -> dont show password form (invalid url)
$msg .= '<div class="success" align="center">An email with a link to reset your password has been sent to your registered email account. Please click the link to reset your password.</div>';
}
}
// Else user is not visting from a link provided in an email.
else
// First check if user has already submitted form to send change password link
{
if(isset($_POST['submit-request']))
{
$username = checkInput($_POST['username']);
$query = "SELECT username FROM users WHERE username = '$username'";
$result = mysql_query($query);
$search = mysql_num_rows($result);
// Checks if the username they entered exists - if so, call sendResetMail function.
if($search > 0)
{
$msg .= '<div class="success" align="center">An email with a link to reset your password has been sent to your registered email account. Please click the link to reset your password.</div>';
sendResetMail(); // Calls the sendMail function - sends the activation email to the user.
}
// Else username does not exist in database
else
{
$msg .= '<div class="error" align="center">That username does not exist. Please try again.</div>';
requestForgotPassEmail();
}
}
// If user has not already submitted form, show them form.
else
{
requestForgotPassEmail();
$msg .= "request email";
}
}
/* Initialize empty containers for the errors */
$rpnewpass_errors = "";
$rpnewpasschk_errors = "";
$msg = "";
// If changePassForm has been submitted
if(isset($_POST['submit-change']))
{
$newpass=isset($_POST['newpass']) ? checkInput($_POST['newpass']) : '';
$newpasschk=isset($_POST['newpasschk']) ? checkInput($_POST['newpasschk']) : '';
/* Checks all fields were entered */
if(!$_POST['newpass'] || !$_POST['newpasschk'])
{
$msg .= '<div class="error" align="center">You didn\'t a required field - please complete all the fields</div>';
}
else
{
/* Once all fields are entered - perform form validation */
/* Checks the new password field is entered */
if(empty($newpass))
{
$newpass=false;
$rpnewpass_errors .= "You didn't enter a new password";
}
/* Checks if the password contains at least 8 characters, lower/upper case letters and a number. */
if(preg_match("/^.*(?=.{8,})(?=.*[0-9])(?=.*[a-z])(?=.*[A-Z]).*$/", $newpass) === 0)
{
$msg .= '<div class="error" align="center">Password must be at least 8 characters and contain at least one lower case letter, one upper case letter and a number</div>';
}
/* Checks the verify new password field is entered */
if(empty($newpasschk))
{
$msg .= '<div class="error" align="center">You didnt verify your new password.</div>';
}
/* Checks if the new password and verify new password match */
if($newpass != $newpasschk)
{
$msg .= '<div class="error" align="center">Sorry, your passwords do not match.</div>';
}
/* Checks if all error containers are empty, then proceeds with password change */
if(empty($rpnewpass_errors) && empty($rpnewpasschk_errors))
{
$query="SELECT username FROM users WHERE email = '$email' AND hash = '$hash'";
echo $query; // for troubleshooting purposes, variables are echoing empty
$result=mysql_query($query);
$num=mysql_num_rows($result);
if($num == 1)
{
$row=mysql_fetch_array($result);
$md5newpass=md5($newpass);
$query="UPDATE users SET password = '$md5newpass' WHERE username = '$row[0]'";
$result=mysql_query($query);
if(mysql_affected_rows() == 1)
{
$msg .= '<div class="error" align="center">Your password has been changed successfully</div>';
}
else
{
$msg .= '<div class="error" align="center">Your password could not be changed. Please try again</div>';
}
}
else
{
$msg .= '<div class="error" align="center">Your username and password do not match our records</div>';
}
}
}
}
?>
I guess I'm somewhere/somehow losing the GET variables from the link but not sure how I can get around this - its been a long day and I've been stuck on this for a while so apologies for any obvious mistake!
Thanks.
You positive $email and $hash are set on this line?
$query="SELECT username FROM users WHERE email = '$email' AND hash = '$hash'";
echo $query; // for troubleshooting purposes, variables are echoing empty
You set it here, but only in a conditional:
if(isset($_GET['email']) && !empty($_GET['email']) AND isset($_GET['hash']) && !empty($_GET['hash']))
You should probably not tell the user if the username doesn't exist, and also write the requests to a separate DB table based on a single token instead of relying on a get var for both email and hash. Just my opinion.
Hey guys, I have this sign up script and I'm using mysql_real_escape_string .I know prepared statements are safer but I'm just not experienced enough to use them, I just can't figure out how. Anyway here's the script:
<?php
$username=mysql_real_escape_string($_POST['username']);
$password=sha1($_POST['password']);
$password2=sha1($_POST['password_confirmation']);
$passcheck=$_POST['password'];
$todo=mysql_real_escape_string($_POST['todo']);
$email=mysql_real_escape_string($_POST['email']);
$fname=mysql_real_escape_string($_POST['fname']);
$lname=mysql_real_escape_string($_POST['lname']);
$gender=$_POST['gender'];
$class=$_POST['class'];
$section=$_POST['section'];
if(isset($todo) and $todo=="post"){
$status = "OK";
$msg="";
}
if(!isset($username) OR strlen($username) <3){
$msg=$msg."Username should be equal to or more than 3 characters long.<BR/>";
$status= "NOTOK";
}
if(mysql_num_rows(mysql_query("SELECT username FROM users WHERE username = '$username'"))){
$msg=$msg."Username already exists. Please try another one.<BR/>";
$status= "NOTOK";
}
if(mysql_num_rows(mysql_query("SELECT email FROM users WHERE email = '$email'"))){
$msg=$msg."E-mail is already in use. Please try again.<BR/>";
$status= "NOTOK";
}
if ( strlen($passcheck) < 3 ){
$msg=$msg."Password must be more than 3 charactors long.<BR/>";
$status= "NOTOK";
}
if ( $password <> $password2 ){
$msg=$msg."Passwords are not identical.<BR/>";
$status= "NOTOK";
}
if(!eregi("^[_a-z0-9-]+(\.[_a-z0-9-]+)*#[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$", $email)){
$msg=$msg."The email is not a valid email.<br/>";
$status="NOTOK";
}
if($status=="NOTOK"){
echo '<div class="statusmsg">'.$msg.'<br/><input class="submitButton" type="button" value="Retry" onClick="location.href='."'signup.php'\"></div>";
}
else {
$hash = md5( rand(0,1000) );
$hash = mysql_real_escape_string($hash);
if(mysql_query("insert into users(username,password,email,fname,lname,hash,gender,class,section) values('$username','$password','$email','$fname','$lname','$hash','$gender','$class','$section')")or die (mysql_error ())){
echo '<div class="statusmsg">Welcome, You have successfully signed up. Please check the verification e-mail sent to you.</div>';
$to = $email;
$subject = 'Signup | Verification';
$message = '
Thanks for signing up!
Your account has been created, you can login with the following credentials after you have activated your account by pressing the url below.
------------------------
Username: '.$username.'
------------------------
Please click this link to activate your account:
<div id="header">
<h3>JMToday > Sign up</h3>
</div>
http://www.JMtoday.com/verification.php?email='.$email.'&hash='.$hash.'
';
$headers = 'From:noreply#JMtoday.com' . "\r\n";
mail($to, $subject, $message, $headers);
}
else {
echo "Database problem, please contact site admin";
}
}
?>
The user will never see the "database problem" message, as the script will die() out if the query fails. As well, you're embedding HTML into the message, but are not building a proper HTML-format email. Some mail clients may be smart enough to figure out there's HTML and render it as such, but that's just luck.
The hash you generate is limited to generating only 1001 hashes. Given the birthday paradox, after 38 people sign up, the odds of a collision are 50%. After 100 people, the odds are 99.29%. Instead of hashing a random number, do something like:
$hash = md5(serialize($_POST) . $some_other_stuff_in_case_POST_is_empty);