
I am trying to create an activation page that will GET the API & ACT codes from the url.

Then I am trying to query the DB on those codes to check if they're valid.

If they are not valid, I would like to echo an error stating echo "<strong><font color=red>Your Activation Code has Expired, or Your Activation Code is not Valid!</font></strong>";

If it is valid, then I would like to update with the 2nd SQL Query - "UPDATE users SET status='1', date_activated='$Activation_Date', Activation='' WHERE Activation='$Activation' AND API='$API' AND status='0'"

If there is NO API&ACT code in the URL, I would like to echo "CONTENT"

<?
require 'admin/config.php';
require 'Connection.php';
error_reporting(E_ALL);
$API = $_REQUEST['api'];
$Activation = $_REQUEST['act'];

$sql = mysql_query("SELECT * WHERE Activation='$Activation'");

if ($sql = 0) {
    echo "ERROR";
}
else {
    $Activation_Date = date('m-j-y - h-iA');
    $sql = mysql_query("UPDATE users
                        SET status='1', date_activated='$Activation_Date', Activation=''
                        WHERE Activation='$Activation' AND API='$API' AND status='0'");
    if ($sql == 0) {
        echo "<strong><font color=red>Your Activation Code has Expired, or Your Activation Code is not Valid!</font></strong>";
    } elseif ($sql > 0) {
        echo "content";
    }
}
?>
levi
  • ok, so is there a problem with your code? you only state that you'd like to show one message or the other. besides this `if ($sql = 0)` which is incorrect, you fail to actually fetch here. – Funk Forty Niner Jan 11 '16 at 23:29
  • I am having difficulty instructing it correctly to do as I want. I've gotten this far with it, but I'm stuck now. It just keeps displaying success, even if the keys aren't in the url. I'm fairly green :( @Fred-ii- – levi Jan 12 '16 at 00:01
  • Trying to do: if ($Activation & $API) is valid in the url, then execute the query to the database to validate if the API key is still active (has not been activated). If it is not active I would like it to echo "not valid"; if it is active, then echo "content". If no API & Activation is in the url, echo "error" ---- IF the Activation code is active (the md5 hash will be there); if it's not active it will be the default `NULL` @Fred-ii- – levi Jan 12 '16 at 00:04
  • I posted something for you below. – Funk Forty Niner Jan 12 '16 at 00:28
  • 1
    Your code is extremely prone to SQL injection btw. Someone could input the activation code: ' or 1=1 LIMIT '1 to always return 1 row and pass the test. – Dylan James McGannon Jan 12 '16 at 00:36

3 Answers


What you need to check for, is if a row exists.

To check if it exists, base yourself on the following model:

$sql = mysql_query("SELECT * FROM users WHERE Activation='$Activation'");

if(mysql_num_rows($sql) > 0){
    // a matching row exists: do something here, or show an error because the relation already exists
}
else{
   // the relation does not exist yet, so you can insert the record here
}

Then, to check if your UPDATE was truly successful, use mysql_affected_rows():

Sidenote: This function may require that you pass a db connection variable to it.

$sql = mysql_query("UPDATE users .... ");

if(mysql_affected_rows() > 0){
   // do something
}
else {
   // do something else
}

Check for errors against your PHP and MySQL:

Add error reporting to the top of your file(s) right after your opening PHP tag for example <?php error_reporting(E_ALL); ini_set('display_errors', 1); then the rest of your code, to see if it yields anything. Also add or die(mysql_error()) to mysql_query().

If you get errors about deprecation notices, then you will need to switch over to either mysqli_ or PDO.

You can consult one of my answers here https://stackoverflow.com/a/22253579/1415724 to check if a row exists.

It uses a few methods, including a prepared statement which is something you should be using because you are open to an SQL injection.

Sidenote: The connection API that you are using is unknown. Make sure that you are using the same one as your query being mysql_. If it's mysqli_ or PDO, those different APIs do not intermix. You must use the same one from connecting to querying.

Also, just a quick note about if ($sql = 0). The single equal sign "assigns" instead of "comparing" such as == or ===.


You stated in comments:

"IF the Activation code is active (the md5 has will be there)"

I hope you're not using that for password storage. If so, don't. That function is no longer safe to use to store passwords with.

Use one of the following:

Other links:


Seeing <? make sure that short tags are enabled. If not, change that to <?php.

HTML stickler.

<font color=red>: the <font> tag is deprecated/obsolete and isn't supported by HTML5.

It's best to use inline CSS if you are sending anything via Email.

I.e.: <p style="color:red;">Hello world</p>

Here are a few references:

Funk Forty Niner
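As an added example (not code from the question or from any of the answers), here is the same activation flow written with mysqli prepared statements, the switch this answer recommends. It assumes Connection.php exposes a mysqli connection as $db and the users table and columns named in the question; the existence check and the update collapse into one conditional UPDATE whose affected-row count distinguishes the cases, and the bound values reach MySQL as data, so a crafted act or api value cannot change the query text.

```php
<?php
// Added example: activation with mysqli prepared statements.
// Assumptions: Connection.php creates a mysqli object in $db; the `users` table
// has the columns Activation, API, status and date_activated as in the question.
require 'admin/config.php';
require 'Connection.php';
error_reporting(E_ALL);
ini_set('display_errors', 1);
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw instead of returning false

/**
 * Returns 'missing', 'invalid' or 'activated'.
 * One conditional UPDATE replaces SELECT-then-UPDATE: the row changes only if
 * code, key and status all still match, so two requests racing with the same
 * code cannot both succeed, and the code is consumed (Activation cleared).
 */
function activate(mysqli $db, $api, $act)
{
    // Reject absent, empty or non-string (e.g. array) parameters up front.
    if (!is_string($api) || !is_string($act) || $api === '' || $act === '') {
        return 'missing';
    }
    $stmt = $db->prepare(
        "UPDATE users
            SET status = '1', date_activated = ?, Activation = ''
          WHERE Activation = ? AND API = ? AND status = '0'"
    );
    $date = date('m-j-y - h-iA');
    $stmt->bind_param('sss', $date, $act, $api);
    $stmt->execute();
    $changed = $stmt->affected_rows; // 1 when the code was valid and unused
    $stmt->close();
    return $changed > 0 ? 'activated' : 'invalid';
}

$api = isset($_REQUEST['api']) ? $_REQUEST['api'] : null;
$act = isset($_REQUEST['act']) ? $_REQUEST['act'] : null;

switch (activate($db, $api, $act)) {
    case 'missing':
        echo 'ERROR: the api and act parameters are required';
        break;
    case 'invalid':
        echo '<p style="color:red; font-weight:bold;">Your Activation Code has Expired, or Your Activation Code is not Valid!</p>';
        break;
    default:
        echo 'content';
}
```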

Remarks

  • Checking mandatory parameters:
    You can test if parameters are set like this: isset(variable_name).
  • The SELECT query is missing the FROM clause, which states the table to select from.
    I assume it is "user" like in the UPDATE query.
  • After a SELECT query, the cursor should be freed again, when it is no longer in use: mysql_free_result($sql);

(Error) Tests

  • The result of a query is ===false if the query could not be executed correctly.
  • After having SELECTed records, the function mysql_num_rows() shows the number of records retrieved.
  • After having UPDATed a table, the function mysql_affected_rows() gives the number of affected records.

Code snippet

// Get parameters and check if mandatory parameters are set
$API =        isset($_REQUEST['api']) ? $_REQUEST['api'] : false;
$Activation = isset($_REQUEST['act']) ? $_REQUEST['act'] : false;
if ( ($API===false) || ($Activation===false)) {
    $which =  ($API === false ) ? '"api"' : '';
    $which .= ($Activation === false) ? ((empty($which) ? '' : ', ') . '"act"') : '';
    echo "ERROR: Parameter(s) missing: $which";
    return;
}

// Select activation record
$sql= mysql_query("SELECT * FROM users WHERE Activation='$Activation'");
if ($sql===false) { 
    echo "SQL ERROR: " . mysql_error(); 
    return;
} else {
    $nrows = mysql_num_rows($sql); // the result resource must be passed in
    mysql_free_result($sql);
    if ($nrows < 1) { 
        // No matching record found
        echo "ERROR: No activation record found"; 
        return;
    } else {
        // Update users record
        $Activation_Date = date('m-j-y - h-iA');
        $sql = mysql_query("UPDATE users 
                SET status='1', date_activated='$Activation_Date', Activation='' 
                WHERE Activation='$Activation' AND API='$API' AND status='0'");
        if ($sql===false) {
            echo "SQL ERROR: " . mysql_error();
        } elseif(mysql_affected_rows() < 1) {
            // No matching record found for updating
            echo '<span style="color:red; font-weight:bold;">Your Activation Code has Expired, or Your Activation Code is not Valid!</span>';
        } else {
        echo "content";
        }
    }
}
hherger


Here is what I ended up with.

This is a tweak of @hherger's answer.

// Report all errors
error_reporting(E_ALL);

// Get parameters and check if mandatory parameters are set
$API =        isset($_REQUEST['api']) ? $_REQUEST['api'] : false;
$Activation = isset($_REQUEST['act']) ? $_REQUEST['act'] : false;
if ( ($API===false) || ($Activation===false)) {

}

// Select activation record
$sql= mysql_query("SELECT * FROM users WHERE Activation='$Activation'");
if ($sql===false) { 
    echo "SQL ERROR: " . mysql_error(); 
    return;
} else {
    $nrows = mysql_num_rows($sql);
    mysql_free_result($sql);
    if ($nrows < 1) { 
        // No matching record found
        echo "REDIRECT USER TO HOME PAGE"; 
        return;
    } else {
        // Update users record
        $Activation_Date = date('m-j-y - h-iA');
        $sql = mysql_query("UPDATE users 
                SET status='1', date_activated='$Activation_Date', Activation='' 
                WHERE pinAPP_Activation='$Activation' AND API='$API' AND status='0'");
        if ($sql===false) {
            echo "SQL ERROR: " . mysql_error();
        } elseif(mysql_affected_rows() < 1) {
            // No matching record found for updating
            echo '<span style="color:red; font-weight:bold;">Your Activation Code has Expired, or Your Activation Code is not Valid!</span>';
        } else {
        echo "ECHO SUCCESS DISPLAY!";
        }
    }
}
levi