-1

My question is: the condition if(isset... cannot be seen. Until now I didn't work with PDO, so if someone sees the solution for my problem, please help me if you can, thanks.

    <?php

        mysql_connect("localhost", "xxxx", "") or die(mysql_error()); // Connect to database server(localhost) with username and password.
        mysql_select_db("database") or die(mysql_error()); // Select registration database.

This if condition can't be seen

        if (isset($_GET['e_mail']) && !empty($_GET['e_mail']) AND isset($_GET['hash']) && !empty($_GET['hash'])){
            // Verify data
            $email = mysql_escape_string($_GET['e_mail']); // Set email variable
            $hash = mysql_escape_string($_GET['hash']); // Set hash variable

            $search = mysql_query("SELECT e_mail, hash, active FROM users WHERE e_mail='".$email."' AND hash='".$hash."' AND active='0'") or die(mysql_error()); 
            $match  = mysql_num_rows($search);

I want to do this condition:

            if($match > 0){
                // We have a match, activate the account
                mysql_query("UPDATE users SET active='1' WHERE e_mail='".$email."' AND hash='".$hash."' AND active='0'") or die(mysql_error());
                echo '<div class="statusmsg">Your account has been activated, you can now login</div>';
            }else{
                // No match -> invalid url or account has already been activated.
                echo '<div class="statusmsg">The url is either invalid or you already have activated your account.</div>';
            }


        }

if condition does this:

        else{


                // Invalid approach
                echo '<div class="statusmsg">Invalid approach, please use the link that has been send to your email.</div>';

            }
            ?>
Grofman
  • 29
  • 5
  • 1
    ***Please [stop using `mysql_*` functions](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php).*** [These extensions](http://php.net/manual/en/migration70.removed-exts-sapis.php) have been removed in PHP 7. Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [PDO](http://php.net/manual/en/pdo.prepared-statements.php) and [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) and consider using PDO, [it's really pretty easy](http://jayblanchard.net/demystifying_php_pdo.html). – Jay Blanchard May 15 '17 at 18:48
  • 1
    [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)***. Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard May 15 '17 at 18:48
  • your code failed then; check for errors – Funk Forty Niner May 15 '17 at 18:53

1 Answer

0

I found where the mistake is. It sounds incredible, but the mistake is in the database where the bottom line ( _ ) is set, and when I input email instead of e_mail in the database and correct everything, it works perfectly.

I uploaded the answer so it can help others with the same situation.

I really appreciate Jay Blanchard's advice to work in PDO and I will send his advice because it is convincing, and thank you Fred for your answer.

Now if someone can help me to do (write, make) this code in PDO and to explain to me how PDO works in order to understand it better. Thanks!

Grofman
  • 29
  • 5
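
An added example, not part of the original post or answer: the activation check from the question written with PDO prepared statements, as the comments recommend and the answer asks for. It assumes the column and query parameter are both named `email` (as in the answer's fix), uses an in-memory SQLite database with constructed sample data so it runs offline, and the function name `activateAccount` is hypothetical.

```php
<?php
// Added example: account activation with PDO prepared statements.
// An in-memory SQLite database stands in for the MySQL "users" table so the script
// runs offline; for MySQL use a DSN such as
// 'mysql:host=localhost;dbname=database;charset=utf8mb4' (assumed values).

function activateAccount(PDO $pdo, array $query): string
{
    $email = $query['email'] ?? '';
    $hash  = $query['hash'] ?? '';

    // Reject missing, empty or non-string (e.g. ?email[]=x) parameters.
    if (!is_string($email) || !is_string($hash) || $email === '' || $hash === '') {
        return 'Invalid approach, please use the link that has been sent to your email.';
    }

    // Placeholders keep the values out of the SQL text, so no escaping is needed.
    // One UPDATE replaces the SELECT + UPDATE pair: active = 0 in the WHERE clause
    // makes the link single-use, and rowCount() reports whether a row matched.
    $stmt = $pdo->prepare(
        'UPDATE users SET active = 1 WHERE email = :email AND hash = :hash AND active = 0'
    );
    $stmt->execute([':email' => $email, ':hash' => $hash]);

    return $stmt->rowCount() > 0
        ? 'Your account has been activated, you can now login'
        : 'The url is either invalid or you already have activated your account.';
}

// Throw exceptions on errors instead of echoing database messages with die().
$pdo = new PDO('sqlite::memory:', null, null, [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);

// Constructed sample data (not from the original post).
$pdo->exec('CREATE TABLE users (email TEXT, hash TEXT, active INTEGER DEFAULT 0)');
$pdo->prepare('INSERT INTO users (email, hash) VALUES (?, ?)')
    ->execute(['alice@example.com', 'constructed-token-123']);

$link = ['email' => 'alice@example.com', 'hash' => 'constructed-token-123'];
$tests = [
    'injection attempt' => ['email' => "' OR '1'='1", 'hash' => "' OR '1'='1"],
    'valid link'        => $link,
    'same link again'   => $link,
    'missing hash'      => ['email' => 'alice@example.com'],
];
foreach ($tests as $label => $query) {
    echo $label, ': ', activateAccount($pdo, $query), PHP_EOL;
}
```

In a web page the call would be `activateAccount($pdo, $_GET)`, with the returned message wrapped in the `statusmsg` div.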