Cronic Posted May 4, 2012 Share Posted May 4, 2012 Hello Everyone, I'm working on adding a email activation function to my engine, so when someone new signs up, they have to activate their account first before they can play. I'm using this code when they register the account: <? include 'notloggedinh.php'; if (isset($_POST['submit'])) { $username = strip_tags($_POST["newname"]); $username = addslashes($username); $loginname = strip_tags($_POST["newname"]); $loginname = addslashes($loginname); $signuptime = time(); $password = strip_tags($_POST["newpass"]); $password = addslashes($password); $password2 = strip_tags($_POST["newpassagain"]); $password2 = addslashes($password2); $email = strip_tags($_POST["email"]); $email = addslashes($email); $email2 = strip_tags($_POST["email2"]); $email2 = addslashes($email2); $checkuser = mysql_query("SELECT * FROM `grpgusers` WHERE `loginame`='$username'"); $gender = $_POST["gender"]; $activate = '1'; $username_exist = mysql_num_rows($checkuser); @session_start(); if ($_SESSION['AntiSpamImage'] != $_REQUEST['anti_spam_code']) { $_SESSION['AntiSpamImage'] = rand(1,9999999); $message .= "<div>The verification code you entered is invalid.</div>"; } if($username_exist > 0){ $message = "<div>I'm sorry but the username you chose has already been taken. Please pick another one.</div>"; $_POST['newname'] = ""; } if($_POST['tos'] != "agree"){ $message = "<div>You haven't agreed to the Terms of Service.</div>"; } if(strlen($username) < 4 or strlen($username) > 20){ $message = "<div>The username you chose has " . strlen($username) . " characters. You need to have between 4 and 20 characters.</div>"; $_POST['newname'] = ""; } if(strlen($password) < 6 or strlen($username) > 20){ $message = "<div>The password you chose has " . strlen($password) . " characters. You need to have between 6 and 20 characters.</div>"; } if($password != $password2){ $message = "<div>Your passwords don't match. Please try again.</div>"; } if($email != $email2){ $message = "<div>Your emails don't match. Please try again.</div>"; $_POST['email'] = ""; $_POST['email2'] = ""; } $checkemail = mysql_query("SELECT * FROM `grpgusers` WHERE `email` = '$email'"); $email_exist = mysql_num_rows($checkemail); if($email_exist > 0){ $message = "That email is already being used for an account on MafiaHeros."; $_POST['email'] = ""; } $code = rand(11111111,99999999); //Send activation mail $to = $email; $subject = "Activate Account | MafiaHeros"; $headers = "From: [email protected]"; $body = "Thank you for registering at MafiaHeros.\n\nYour Username: $username\nYour Password: $password\n\nPlease click on the link below to activate your account.\nhttp://mafiaheros.com/activate.php?code=$code\n\n"."\n\nThe MafiaHeros Team."; if (!mail($to,$subject,$body,$headers)) echo Message("We couldn't sign you up at this time. Please try again later."); //insert the values if (!isset($message)){ $result = mysql_query("INSERT INTO `grpgusers` (signupip, username, password, email, signuptime, loginame, gender, code, activate)"."VALUES ('".$_SERVER['REMOTE_ADDR']."', '$username', '$password', '$email', '$signuptime', '$loginname', '$gender', '$code', '$activate')"); echo Message("You have been registered successfully! Please check your email ($email) to activate your account."); include 'notloggedinf.php'; if ($_POST['referer'] != ""){ $result12 = mysql_query("SELECT * FROM `grpgusers` WHERE `loginame`='".$loginname."'"); $worked12 = mysql_fetch_array($result12); $result= mysql_query("INSERT INTO `referrals` (`when`, `referrer`, `referred`)". "VALUES ('$signuptime', '".$_POST['referer']."', '".$worked12['id']."')"); } die(); } } if (isset($message)) { echo Message($message); } ?> <div id="right_c"> <div class="g_content"> <h3> Register</h3> <div class="g_text"> <center>You will need to register with an valid e-mail address, After signing up you have to activate it.</center> <table width='60%' border='0' align='center' cellpadding='0' cellspacing='2'> <form name='register' method='post' action='register.php'> <br /> <tr> <td><b>Username:</b></td> <td> <input type='text' name='newname' value="<?php echo $_POST['newname']; ?>"> </td> </tr> <tr> <td><b>Password:</b></td> <td> <input type='password' name='newpass'> </td> </tr> <tr> <td><b>Confirm Password:</b></td> <td> <input type='password' name='newpassagain'> </td> </tr> <tr> <td><b>Gender:</b></td> <td> <select name="gender"> <option value="Male">Male</option> <option value="Female">Female</option> </select> </td> </tr> <tr> <td><b>Email Address:</b></td> <td> <input type='text' name='email' value="<?php echo $_POST['email']; ?>"> </td> </tr> <tr> <td><b>Confirm Email:</b></td> <td> <input type='text' name='email2' value="<?php echo $_POST['email2']; ?>"> </td> </tr> <tr> <td><b>ToS:</b></td> <td> I have read and i agree to the ToS <input type="checkbox" name='tos' value="agree" /> </td> </tr> <tr> <td><b>Image Verification:</b></td> <td> <img src="antispam.php" /> </td> </tr> <tr> <td><b>Verify Code Above:</b></td> <td> <input type='text' name='anti_spam_code'> </td> </tr> </tr> <tr> <td> </td> <td> <br /> <input type='hidden' name='referer' value='<? echo $_GET['referer'] ?>'> <input type='submit' name='submit' value='Register'> </td> </tr> </form> </form> </table> </div> </div> </div> <? include 'notloggedinf.php'; ?> So far, all of this does work, then I go to my e-mail to get the activation link and I paste it in url and go to activate it. But the activation table stays on 1 even if I activate it. activation.php <?php include 'global.php'; $code = $_GET['code']; if(!$code) echo "No code supplied"; else { $check = mysql_query("SELECT * FROM `grpgusers` WHERE activate='0'"); if (mysql_num_rows($check)==1) echo "You have already activated your account"; else { $result = mysql_query("UPDATE `grpgusers` SET `activate` = '0' WHERE `activate`='".$code."'"); echo "Your account has been activated!"; } } ?> Does anyone know the fix on this one? So when users go to the activation link it activates and they can play Quote Link to comment Share on other sites More sharing options...
rulerofzu Posted May 4, 2012 Share Posted May 4, 2012 You have set it to check all users and not the user in question in the first query. Quote Link to comment Share on other sites More sharing options...
Ishraq Posted May 4, 2012 Share Posted May 4, 2012 Secure your get variable. mysql_real_escape_string($_GET['code']); Add above. $code = $_GET['code']; Quote Link to comment Share on other sites More sharing options...
rulerofzu Posted May 5, 2012 Share Posted May 5, 2012 Bio needs more than that the whole thing needs securing. Quote Link to comment Share on other sites More sharing options...
Lithium Posted May 5, 2012 Share Posted May 5, 2012 1. As RoZ said you need to secure the whole thing. 2. As it is you might be "activating" more than one account at a time. You should create unique activation codes for each player. The way you have can generate the same code for more than one. 3. SRB pointed the exact spot why you can't update the activation, and never will having that! 4. Use a second token (let's say email address or username) to the activation and make a query somehow along these lines... mysql_query("SELECT `username`, `activate` FROM `grpgusers` WHERE `actcode` = $codesenttomail AND `username` = $usersenttomail"); Quote Link to comment Share on other sites More sharing options...
SMOKEY_TEK Posted May 5, 2012 Share Posted May 5, 2012 (edited) Cronic, Replace your register.php with the code below: <?php include (DIRNAME(__FILE) . '/notloggedinh.php'); function getRealIp() { if (!empty($_SERVER['HTTP_CLIENT_IP'])) { //check ip from share internet $ip=$_SERVER['HTTP_CLIENT_IP']; } elseif (!empty($_SERVER['HTTP_X_FORWARDED_FOR'])) { //to check ip is pass from proxy $ip=$_SERVER['HTTP_X_FORWARDED_FOR']; } else { $ip=$_SERVER['REMOTE_ADDR']; } return $ip; } $ip = getRealIp(); function clean($str) { $str = @trim($str); if(get_magic_quotes_gpc()) { $str = stripslashes($str); } return mysql_real_escape_string($str); } if (isset($_POST['registerSubmit'])) { $login_name = clean($_POST['loginName']); $registerPassword = clean($_POST['registerPassword']); $confirmPassword = clean($_POST['confirmPassword']); $PASSWORD = hash("sha512", $_POST["registerPassword"]); $registerEmail = clean($_POST['registerEmail']); $confirmEmail = clean($_POST['confirmEmail']); $activateCode = clean(rand(11111111,99999999)); $registerToS = $_POST['registerToS']; $registerGender = clean($_POST['registerGender']); $date = time(); @session_start(); if ($_SESSION['AntiSpamImage'] != $_REQUEST['anti_spam_code']) { $_SESSION['AntiSpamImage'] = rand(1,9999999); $message .= "<div>The verification code you entered is invalid.</div>"; } $checkuser = mysql_query("SELECT * FROM `grpusers` WHERE `loginame`='$login_name'"); $username_exist = mysql_num_rows($checkuser); if($username_exist > 0) { $message .= "<div>The Login Name you entered is already in use.</div>"; } $checkemail = mysql_query("SELECT * FROM `grpgusers` WHERE `email` ='$registerEmail'"); $email_exist = mysql_num_rows($checkemail); if($email_exist > 0) { $message .= "<div>The Email you entered is already in use.</div>"; } if(strlen($login_name) < 3 or strlen($login_name) > 16) { $message .= "<div>Your Login Name must be between 3-16 characters.</div>"; } if(strlen($registerPassword) < 5 or strlen($registerPassword) > 16) { $message .= "<div>Your Password must be between 5-16 characters.</div>"; } if($registerPassword != $confirmPassword) { $message .= "<div>Your passwords don't match. </div>"; } if($registerToS != checked) { $message .= "<div>You need to agree with the Terms of Service.</div>"; } if (!eregi("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$", $registerEmail)) { $message .= "<div>The e-mail address you entered was invalid.</div>"; } if($registerEmail != $confirmEmail) { $message .= "<div>Your emails don't match.</div>"; } //insert the values if (!isset($message)){ // now we insert it into the database $insert = mysql_query("INSERT INTO `users` (`loginame`, `username`, `password`, `email`, `ip`, `signuptime`, `lastactive`, `gender`, `verified`, `activateCode`)". "VALUES ('$login_name', '$login_name', '$PASSWORD', '$registerEmail', '$ip', '$date', '$date', '$registerGender', '0', '$activateCode')") or die(mysql_error()); $add_member = mysql_query($insert); $emailSubject = "Mafia Heros: Account Registration Confirmation"; $headers = "From: Mafia Heros"; $headers = "MIME-Version: 1.0"; $headers = "Content-Type: text/html; charset=ISO-8859-1"; $emailBody = " <html><body> <h2>Welcome to Mafia Heros</h2> <p> This email has been sent from http://www.mafiaheros.com. You have received this email because your address was used to register on Mafia Heros. </p> <p> If you did not register, please disregard this email. You do not need to unsubscribe or take any further action. </p> <h3>Activation Instructions</h3> <p> We require that you validate your registration to ensure that the email address you entered was correct. This protects against unwanted spam and malicious abuse. </p> <p> You registered with the login name '".$login_name."' your password: '".$registerPassword."''. To activate your account, simply click on the following link: <a href='http://www.mafiaheros.com/activate.php?activateCode=$activateCode&user=$login_name' target='_blank' onclick='onClickUnsafeLink(event);'>http://www.mafiaheros.com/activate.php?activateCode=$activateCode&user=$login_name</a> </p> <p> For questions or concerns about your account, please contact us via contact form <a href='http://www.mafiaheros.com/contactus.php' target='_blank' onclick='onClickUnsafeLink(event);'>http://www.mafiaheros.com/contactus.php</a> </p> </body></html>"; mail($registerEmail, $emailSubject, $emailBody, $headers); echo Message("You successfully created an account. We sent an activation link to the listed email '<b>".$registerEmail."</b>'."); if ($_POST['referer'] != ""){ $result12 = mysql_query("SELECT * FROM `grpgusers` WHERE `loginame`='".$login_name."'"); $worked12 = mysql_fetch_array($result12); $result= mysql_query("INSERT INTO `referrals` (`when`, `referrer`, `referred`)". "VALUES ('$date', '".$_POST['referer']."', '".$worked12['id']."')"); } die(); } } ?> <? if (isset($message)) { echo Message($message); } ?> <div id="right_c"> <div class="g_content"> <h3> Register</h3> <div class="g_text"> <center>You will need to register with an valid e-mail address, After signing up you have to activate your account.</center> <form name='register' method='post' action='register.php'> <table width='60%' border='0' align='center' cellpadding='0' cellspacing='2'> <tr> <td><b>Username:</b></td> <td><input type='text' name='login_name' size='30'></td> </tr> <tr> <td><b>Email:</b></td> <td><input type='text' name='registerEmail' size='30'></td> </tr> <tr> <td><b>Confirm Email:</b></td> <td><input type='text' name='confirmEmail' size='30'></td> </tr> <tr> <td><b>Password:</b></td> <td><input type='password' name='registerPassword'></td> </tr> <tr> <td><b>Confirm Password:</b></td> <td><input type='password' name='confirmPassword'></td> </tr> <tr> <td><b>Gender:</b></td> <td><select name="registerGender"> <option value="Male">Male</option> <option value="Female">Female</option> </select></td> </tr> <tr> <td><b>ToS:</b></td> <td>I have read and agree to follow the ToS <input type="checkbox" name='tos' value="checked" /></td> </tr> <tr> <td><b>Image Verification:</b></td> <td><img src="antispam.php" /></td> </tr> <tr> <td><b>Verify Code Above:</b></td> <td><input type='text' name='anti_spam_code'></td> </tr> <tr> <td> </td> <td> <input type='hidden' name='referer' value='<? echo $_GET['referer'] ?>'> <input type='submit' name='registerSubmit' value='Register'> </td> </tr> </table> </form> </div> </div> </div> <? include (DIRNAME(__FILE__) . '/notloggedinf.php'); ?> Make a file called activate.php and insert the code below into it and save. <?php include (DIRNAME(__FILE) . '/global.php'); $activateCode = $_GET["activateCode"]; $user = $_GET["user"]; if(!$activateCode){ echo " <div class='content'> <h3>Activate Account</h3> <p>No activation code supplied.</p> </div>"; die(); } else { $check = mysql_query("SELECT * FROM `users` WHERE `activateCode` = '$activateCode' AND `username` = '$user' AND `verified` = '1'"); if($check == 1) { echo " <div class='content'> <h3>Activate Account</h3> <p>You have already activated your account.</p> </div>"; die(); } else { $activate = mysql_query("UPDATE `users` SET `verified` = '1' WHERE `activateCode` = '$activateCode' AND `user` = '$user'"); echo " <div class='content'> <h3>Activate Account</h3> <p>Your account has been successfully activated. You may login now. </p> </div>"; die(); } } ?> Add these to your grpgusers database: verified int(1) NOT NULL default '0' activateCode VARCHAR(200) NOT NULL; Edited May 5, 2012 by SMOKEY_TEK Quote Link to comment Share on other sites More sharing options...
Lithium Posted May 5, 2012 Share Posted May 5, 2012 really? $check = mysql_query("SELECT * FROM `users` WHERE `activateCode` = '$activateCode' AND `username` = '$user' AND `verified` = '1'"); if($check == 1) { I see it failing here. And, after so many times everyone talking about the same... Is it really needed to use the SELECT * to check/update a single value? Quote Link to comment Share on other sites More sharing options...
sniko Posted May 5, 2012 Share Posted May 5, 2012 (edited) How about this for a code generating? // We've registered, and inserted into the database $userid = mysql_insert_id(); $code = gen_code( $user ); // Now insert $code into the database, using mysq_insert_id() to scour the table for the correct user mysql_query("UPDATE `table` SET `code`='{$code}' WHERE `primary_key`=". $user); // And now the function to generate the code function gen_code($user) { $time = $user . microtime(); $code = base_convert($time, 8, 16); $code = substr($code, 0, 10); return strtoupper($code); } That way the code will always be unique, and the user id is involved. Edited May 5, 2012 by sniko Quote Link to comment Share on other sites More sharing options...
Lithium Posted May 5, 2012 Share Posted May 5, 2012 and one other thing i just noticed, eregi() becomes deprecated as of PHP 5.3! Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.