help with activation key for email verification script

Posted: Mon Mar 29, 2010 11:52 pm
by rlthompson
Hello, I need help with this script. I am trying to have an activation key generated and emailed to the person registering on my site. Everything seems to work except the activation key itself (I don't get any errors), it seems that it is not being generated. I've verified connection to the database and every other field in that table populated with no issues prior to adding this script. Thanks in advance for any assistance.

Code:

<?php
// Connect to the MySQL server and select the database
mysql_connect("localhost", "loginname", "mypassword") or die(mysql_error());
mysql_select_db("crashhorizon") or die(mysql_error());

if ($_POST['form_submitted'] == '1') {
    // The activation key is only generated inside this branch
    $activationKey = mt_rand() . mt_rand() . mt_rand() . mt_rand() . mt_rand();

    $sql = "INSERT INTO user_auth (user, password, email, activationkey, status)
    VALUES
    ('$_POST[user]', '$_POST[password]', '$_POST[email]','$activationKey', 'verify')";

    if (!mysql_query($sql)) {
        die('Error: ' . mysql_error());
    }
} else {
}

echo "An email has been sent to $_POST[email] with an activation key. Please check your mail to complete registration.";

##Send activation Email
$to      = $_POST['email'];
$subject = "horizonitsolutions.com Registration";
$message = "Welcome to our website!\r\n\r\n You, or someone using your email address, has completed registration at horizonitsolutions.com. You can complete registration by clicking the following link: \r\nhttp://www.horizonitsolutions.com/register/verify.php?$activationKey\r\n\r\n If this is an error, ignore this email and you will be removed from our mailing list.\r\n\r\nRegards, horizonitsolutions.com Team";

$headers = 'From: noreply@horizonitsolutions.com' . "\r\n" .
    'Reply-To: noreply@horizonitsolutions.com' . "\r\n" .
    'X-Mailer: PHP/' . phpversion();

mail($to, $subject, $message, $headers);

##User isn't registering, check verify code and change activation code to null, status to activated on success
$queryString = $_SERVER['QUERY_STRING'];

// Fetches every row and compares each activation key in PHP
$query = "SELECT * FROM user_auth";
$result = mysql_query($query) or die(mysql_error());

while ($row = mysql_fetch_array($result)) {
    if ($queryString == $row["activationkey"]) {
        echo "Congratulations!" . $row["user"] . " is now a member of horizonitsolutions.com";

        $sql = "UPDATE user_auth SET activationkey = '', status='activated' WHERE (id = $row[id])";

        if (!mysql_query($sql)) {
            die('Error: ' . mysql_error());
        }
    }
}

Re: help with activation key for email verification script

Posted: Tue Mar 30, 2010 11:21 am
by flying_circus
Is $_POST['form_submitted'] == '1'?

  • $activationKey is a poor random number. openssl_random_pseudo_bytes() might be a better option, or kaisellgren has been working on a nice random generator library. You should be able to find it by searching for his name, and checking out his blog/website.
  • Your script is vulnerable to SQL injection.
  • Your code below "##User isn't registering, check verify code and change activation code to null, status to activated on success" is doomed to failure. You should not be grabbing the entire querystring and running it through a query unescaped. You should instead pull each value that you expect to receive out of the querystring (such as $_GET['activation_code']), escape the data, and then return only the records from the database with a matching activation code, and only the fields that you need to reference in your code, such as "user" and "id". Try not to use the "*" in your query, as it returns the entire record, whether you use all of the data or not, so why transfer all that data around?
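
The changes recommended in the reply above, sketched as an added example that is not part of the original thread or any poster's code. Assumptions: PDO with an in-memory SQLite database stands in for the thread's MySQL connection, random_bytes() (PHP 7+) is used as the CSPRNG, register() and activate() are hypothetical helper names, the parameter name activation_code follows the reply's suggestion, and the password column is left out to keep the focus on the activation key.

```php
<?php
// Added example: in-memory SQLite stands in for the thread's MySQL database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE user_auth (id INTEGER PRIMARY KEY, user TEXT,
    email TEXT, activationkey TEXT, status TEXT)");

// Registration: key comes from the OS CSPRNG, values are bound as parameters.
function register(PDO $db, string $user, string $email): string
{
    $key = bin2hex(random_bytes(32)); // 64 hex characters, safe in a URL
    $stmt = $db->prepare(
        "INSERT INTO user_auth (user, email, activationkey, status)
         VALUES (?, ?, ?, 'verify')");
    $stmt->execute([$user, $email, $key]);
    return $key;
}

// Verification: one expected parameter, validated, matched in the WHERE clause.
function activate(PDO $db, $code): ?string
{
    if (!is_string($code) || !preg_match('/\A[0-9a-f]{64}\z/', $code)) {
        return null; // missing, array-valued or malformed input
    }
    $stmt = $db->prepare(
        "SELECT id, user FROM user_auth
         WHERE activationkey = ? AND status = 'verify'");
    $stmt->execute([$code]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null; // no pending registration with this key
    }
    $upd = $db->prepare(
        "UPDATE user_auth SET activationkey = NULL, status = 'activated'
         WHERE id = ?");
    $upd->execute([$row['id']]);
    return $row['user'];
}

$key = register($db, "alice'; --", 'alice@example.com'); // constructed input
echo "http://www.horizonitsolutions.com/register/verify.php?activation_code=$key\n";
// In verify.php the call would be activate($db, $_GET['activation_code'] ?? null).
var_dump(activate($db, $key));          // first use of the key
var_dump(activate($db, $key));          // replay of the same key
var_dump(activate($db, "' OR '1'='1")); // malformed input
```

When the user name is shown on the confirmation page, pass it through htmlspecialchars() before echoing it.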

Re: help with activation key for email verification script

Posted: Tue Mar 30, 2010 5:38 pm
by rlthompson
I appreciate your reply but don't know a great deal about php yet. It seems like this should work but it isn't generating an activation key. Is there a more novice way of explaining what's wrong with the script?

Re: help with activation key for email verification script

Posted: Tue Mar 30, 2010 5:55 pm
by flying_circus
Your $activationKey variable is being generated inside of an IF statement. In your script, if $_POST['submit'] is NOT equal to '1', then your $activationKey will not be generated. This is what I suspect is happening.

Learning to troubleshoot your own code is a very important rite of passage. In its most basic form, take advantage of echo() and begin manually walking through your code, to verify that values are equal to what you expect...

example:

Code:

<?php
mysql_connect("localhost", "loginname", "mypassword") or die(mysql_error());
mysql_select_db("crashhorizon") or die(mysql_error());

// Print the value the IF statement below is about to test
echo("(Debug) Key= _POST['form_submitted'] : Value= {$_POST['form_submitted']}.");
if ($_POST['form_submitted'] == '1') {
  $activationKey =  mt_rand() . mt_rand() . mt_rand() . mt_rand() . mt_rand();
  // Confirm the key was actually generated
  echo("(Debug) Key= activationKey : Value= {$activationKey}.");

  // etc...
}