0

I am trying to get my email verification to work. Everything works as far as sending out the email with the hash link to confirm, but once it goes to the verify.php link below it does not update my DB active row from 0 to 1. Any suggestions?

if(isset($_GET['email']) && !empty($_GET['email']) AND isset($_GET['email_hash']) && !empty($_GET['email_hash'])){ // Verify data $search = "SELECT email, email_hash, active FROM users WHERE email='".$email."' AND hash='".$email_hash."' AND active='0'"; $match = $database->num_rows( $query ); if($match > 0){ //Fields and values to update $update = array( 'active' => 1 ); //Add the WHERE clauses $where_clause = array( 'email' => '$email', 'email_hash' => '$email_hash', 'active' => '1' ); $updated = $database->update( 'users', $update, $where_clause, 1 ); if( $updated ) { echo '<p>Your account has been activated, you can now login</p>'; } } }else{ echo '<p>Your account is already activated</p>'; }
Improve this question

4 Answers 4

Reset to default
1

Your code is not correct (using $email/$email_hash but not declaring them) this is how it could work:

if(isset($_GET['email']) && !empty($_GET['email']) AND isset($_GET['email_hash']) && !empty($_GET['email_hash'])){ // Verify data $email = $_GET['email']; $email_hash= $_GET['email_hash']; $search = "SELECT email, email_hash, active FROM users WHERE email='".$email."' AND hash='".$email_hash."' AND active='0'"; $match = $database->num_rows( $query ); if($match > 0){ //Fields and values to update $update = array( 'active' => 1 ); //Add the WHERE clauses $where_clause = array( 'email' => '$email', 'email_hash' => '$email_hash', 'active' => '1' ); $updated = $database->update( 'users', $update, $where_clause, 1 ); if( $updated ) { echo '<p>Your account has been activated, you can now login</p>'; } } }else{ echo '<p>Your account is already activated</p>'; }

I would like to add that, in production stage, you MUST escape and validate all incoming data (POST,GET etc).

Improve this answer
Sign up to request clarification or add additional context in comments.

1 Comment

I thinks this code will work, but is a really bad idea to use $GET / $POST cariables in a SQL-statement: owasp.org/index.php/SQL_Injection_Prevention_Cheat_Sheet
1

You should define $email and $email_hash inside the if-clause.

$email = $_GET['email']; $email_hash = $_GET['email_hash'];

Currently, you are relying on a deprecated directive called register_globals.

Improve this answer

3 Comments

Why was this downvoted? It is a correct answer. If you downvote, please write why...
Probably because you're not telling him that this code is dangerous. SQL Injections incoming...
I am just answering the question why the given code is not working. Do we really have to warn everyone about every security issue to avoid downvotes?
1

You're doing some pretty obvious mistakes. First of all you should turn on errors. You have to use error_reporting(-1) and ini_set('display_errors', true) to see and find errors. This is essential, or otherwise you'll have a hard time finding bugs. Make sure to turn this off once the application is in production environment.

In your specific case the if condition can't work. The variable $search is never used. You're referencing an undefined $query variable in $database->num_rows($query). And $email and $email_hash are undefined.

Please don't use $email = $_GET['email'];. You have to sanitize all user input or you'll get sql injections!

Instead use a database specific escape function or prepared statements. Mysql->

$email = mysql_real_escape_string($_GET['email']);

Improve this answer

Comments

0

Your where clause array is bad, it should be 

$where_clause = array( 'email' => $_GET['email'], 'email_hash' => $_GET['email_hash'], 'active' => 0 // not 1 );

By the way, it seems that you are using some abstraction library for database queries - try to change your select query to use placeholders and let the library escape variables for you. Now your code looks vulnerable to SQL Incjections.

Improve this answer

Comments

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.