So, I was doing a complete registration process for my iPhone app with a MySQL database. Registering a user and finally logging in worked pretty well. But now I want the user to have to verify his e-mail first before he is able to log in.

As far as I know I'm finished, but it doesn't seem to work properly. Here's my code:

<?php
// signup.php

header('Content-type: application/json');
if ($_POST) {
    $username   = $_POST['username'];
    $password   = $_POST['password'];
    $c_password = $_POST['c_password'];

    if ($_POST['username']) {
        if ($password == $c_password) {

            $db_name     = 'db';
            $db_user     = 'user1';
            $db_password = 'myPassword';
            $server_url  = 'localhost';

            $mysqli = new mysqli('localhost', $db_user, $db_password, $db_name);

            /* check connection */
            if (mysqli_connect_errno()) {
                error_log("Connect failed: " . mysqli_connect_error());
                echo '{"success":0,"error_message":"' . mysqli_connect_error() . '"}';
            } else {
                $hash = md5( rand(0,1000) );
                $stmt = $mysqli->prepare("INSERT INTO users (username, password, hash) VALUES (?, ?, ?)");
                $password = md5($password);
                $stmt->bind_param('sss', $username, $password, $hash);

                /* execute prepared statement */
                $stmt->execute();

                if ($stmt->error) {
                    error_log("Error: " . $stmt->error);
                }

                $success = $stmt->affected_rows;

                /* close statement */
                $stmt->close();

                /* close connection */
                $mysqli->close();
                error_log("Success: $success");

                if ($success > 0) {

                    $to      = $username; // Send email to our user
                    $subject = 'Signup | Verification'; // Give the email a subject
                    $message = '

                Thanks for signing up!
                Your account has been created, you can login with the following credentials after you have activated your account by pressing the url below.

                ------------------------
                Username: '.$username.'
                Password: '.$password.'
                ------------------------

                Please click this link to activate your account:
                http://www.mywebsite.ch/verify.php?email='.$username.'&hash='.$hash.'

                '; // Our message above including the link

                    $headers = 'From:noreply@mywebsite.ch' . "\r\n"; // Set from headers
                    mail($to, $subject, $message, $headers); // Send our email

                    error_log("User '$username' created.");
                    echo '{"success":1}';
                }
                else {
                    echo '{"success":0,"error_message":"Username Exist."}';
                }
            }
        }
        else {
            echo '{"success":0,"error_message":"Passwords does not match."}';
        }
    }
    else {
        echo '{"success":0,"error_message":"Invalid Username."}';
    }
}
else {
    echo '{"success":0,"error_message":"Invalid Data."}';
}

And here's my code for verifying:

<?php
// verify.php

header('Content-type: application/json');
$mysqli = new mysqli("localhost", "user", "myPassword", "db");

if (mysqli_connect_errno()) {
    error_log("Connect failed: " . mysqli_connect_error());
    echo '{"success":0,"error_message":"' . mysqli_connect_error() . '"}';
}
else
{
    if (isset($_GET['username']) && !empty($_GET['username']) AND isset($_GET['hash']) && !empty($_GET['hash'])) {

        $username = mysqli_real_escape_string($GET['username']);
        $hash = mysqli_real_escape_string($GET['hash']);

        $stmt = $mysqli->query("SELECT username, hash, active FROM users WHERE username='".$username."' AND hash='".$hash."' AND active='0'");
        $match  = mysqli_num_rows($stmt);

        if ($match > 0) {
            // We have a match, activate the account
            $mysqli->query("UPDATE users SET active='1' WHERE username='".$username."' AND hash='".$hash."' AND active='0'");
            echo "Your account has been activated, you can now log in.";
        }
    }
    else {
        // No match -> invalid url or account has already been activated.
        echo "The url is either invalid or you already have activated your account.";
    }
}
else {
    // Invalid approach
    echo "Invalid approach, please use the link that has been sent to your E-mail.";
}

I get an e-mail with the same username and hash that is saved in the database, but it still doesn't work. Instead I get an output of "Invalid approach, please use the link that has been sent to your E-mail".

I think it's a logic error, because I studied a lot and changed a lot before making a thread here.

Note: I know I should not use md5 and should instead use the functions PHP provides. I promise you that I will bring this code up to the latest stage of PHP, but first I want to get it working. I'm actually new to this area, so for any mistakes, I apologize in advance.

Any help would be really appreciated.

Walker

2 Answers

Your last else statement doesn't have any if before it? Is the whole file here? The problem must be in the if statement.

if(???){
    [...]
}else{
    // Invalid approach
    echo "Invalid approach, please use the link that has been sent to your E-mail.";
}

Once indented, your code doesn't look right in its use of if / else:

if () {
} 
else{
    if(){
        if(){
        }
    }
    else{ 
    }
}
else{
    // Invalid approach
    echo "Invalid approach, please use the link that has been sent to your E-mail.";
}
Gauthier

In addition to Gauthier's answer, there are additional errors.

In signup.php you define the URL like

http://www.mywebsite.ch/verify.php?email='.$username.'&hash='.$hash.'

However, in your verify.php your $_GET should be using

$_GET['email']

not

$_GET['username']

Also as just a heads up, checking isset() and !empty() is redundant.

The section should look more like this

if (isset($_GET['email']) && isset($_GET['hash'])) {
    // mysqli_real_escape_string() in procedural style needs the connection as its first argument
    $username = mysqli_real_escape_string($mysqli, $_GET['email']);
    $hash = mysqli_real_escape_string($mysqli, $_GET['hash']);
    ....
camelCase
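A corrected verify.php that applies both answers (a single if/else chain so the final else has a matching if, and reading `email` and `hash` as the signup link actually sends them), with the signup-side token helper alongside it. This is an added example, not code from the question or either answer. It assumes the question's `users` table (columns `username`, `hash`, `active`) with a `hash` column wide enough for a 64-character hex string, and it replaces the string-built queries with a prepared statement.

```php
<?php
// Added example (not from the question or the answers): corrected verify.php
// plus the signup-side token helper. Assumes the question's users table
// (username, hash, active); the hash column must fit a 64-char hex token.
header('Content-type: application/json');

// signup.php side: md5(rand(0,1000)) has only 1001 possible values, far too
// few for a secret that activates an account; 32 random bytes fixes that.
function createVerificationToken(): string
{
    return bin2hex(random_bytes(32));
}

// verify.php side: one UPDATE both finds and activates the row, so there is
// no SELECT-then-UPDATE gap and no SQL assembled from request strings.
function activateAccount(mysqli $db, string $email, string $token): bool
{
    $stmt = $db->prepare(
        "UPDATE users SET active='1' WHERE username=? AND hash=? AND active='0'"
    );
    if ($stmt === false) {
        error_log("Prepare failed: " . $db->error);
        return false;
    }
    $stmt->bind_param('ss', $email, $token);
    $stmt->execute();
    $activated = ($stmt->affected_rows === 1); // exactly one row flipped 0 -> 1
    $stmt->close();
    return $activated;
}

// A single if/elseif/else chain, so every else has a matching if, and the
// keys match the link signup.php sends: ?email=...&hash=...
if (empty($_GET['email']) || empty($_GET['hash'])) {
    echo '{"success":0,"error_message":"Invalid approach, please use the link that has been sent to your E-mail."}';
} else {
    $mysqli = new mysqli('localhost', 'user', 'myPassword', 'db');
    if ($mysqli->connect_errno) {
        // Log the detail server-side; the client only gets a generic message.
        error_log("Connect failed: " . $mysqli->connect_error);
        echo '{"success":0,"error_message":"Database unavailable."}';
    } elseif (activateAccount($mysqli, $_GET['email'], $_GET['hash'])) {
        echo '{"success":1,"message":"Your account has been activated, you can now log in."}';
    } else {
        echo '{"success":0,"error_message":"The url is either invalid or you already have activated your account."}';
    }
}
```

In signup.php the same change means storing `createVerificationToken()` in `hash`, hashing the password with `password_hash()` as the question's note already plans, and leaving the password out of the e-mail body.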