
I am sending myself an email when a new user has signed up, so I can approve it. Now I have this verify.php code:

<?php
mysql_connect("localhost", "database", "pw", "databasename") or die(mysql_error()); // Connect to database server(localhost) with username and password.
mysql_select_db("databasename") or die(mysql_error()); // Select registration database.

if(isset($_GET['email']) && !empty($_GET['email']) AND isset($_GET['hash']) && !empty($_GET['hash'])){
    // Verify data
    $email = mysql_escape_string($_GET['email']); // Set email variable
    $hash = mysql_escape_string($_GET['hash']); // Set hash variable

    $search = mysql_query("SELECT email, hash, active FROM users WHERE email='".$email."' AND hash='".$hash."' AND active='0'") or die(mysql_error()); 
    $match  = mysql_num_rows($search);

    if($match > 0){
        // We have a match, activate the account
        mysql_query("UPDATE users SET active='1' WHERE email='".$email."' AND hash='".$hash."' AND active='0'") or die(mysql_error());
        echo '<div class="statusmsg">Your account has been activated, you can now login</div>';
    }else{
        // No match -> invalid url or account has already been activated.
        echo '<div class="statusmsg">The url is either invalid or you already have activated your account.</div>';
    }

}else{
    // Invalid approach
    echo '<div class="statusmsg">Invalid approach, please use the link that has been send to your email.</div>';
}
?> 

I get everything: the mail with the correct link:

http://www.yourwebsite.com/verify.php?email='.$email.'&hash='.$hash.'

But once I click the link it just stays on a blank website. No error, but no change either... :(... Pretty sure there is a small error I can't find.

  • no errors; well, I don't see error reporting syntax anywhere – Funk Forty Niner Feb 04 '18 at 14:23
  • Same.. But once I click the link the site just stays blank.. and no changes are done in the database :) – Jerome Feb 04 '18 at 14:27
  • Site blank suggests to me a 500 and PHP death. Probably from the use of `mysql_*` functions... – IncredibleHat Feb 04 '18 at 14:27
  • Every time you use [the `mysql_`](http://stackoverflow.com/questions/12859942/why-shouldnt-i-use-mysql-functions-in-php) database extension in new code **[this happens](https://media.giphy.com/media/kg9t6wEQKV7u8/giphy.gif)**. It is deprecated, has been for years, and is gone forever in PHP 7. If you are just learning PHP, spend your energies learning the `PDO` or `mysqli` database extensions and prepared statements. [Start here](http://php.net/manual/en/book.pdo.php) – RiggsFolly Feb 04 '18 at 14:29
  • I don't understand what you mean by "you get mail with link `http://www.yourwebsite.com/verify.php?email='.$email.'&hash='.$hash.'`" ... what is that? Where is that? I don't see that link being made in your code. And if that's the link you get, then that's not a correct link at all. – IncredibleHat Feb 04 '18 at 14:31
  • Do you think it is secure to send _via email, a very insecure mechanism_ the user's hashed password??? I assume that the hashed password – RiggsFolly Feb 04 '18 at 14:33
  • @RiggsFolly I don't know what he is trying to do, but that does look horribly scary. – IncredibleHat Feb 04 '18 at 14:35
  • It's just to activate the user.. The mail I get comes from the sign-up form: `Please click this link to activate your account: http://www.website.com/verify.php?email='.$email.'&hash='.$hash.'` In the mail it looks right.. the link I posted is just the source code. – Jerome Feb 04 '18 at 14:37
  • If `$hash` is a temporary code generated and stored on the user row, then you don't need anything else in the query string. That code should uniquely identify the user – RiggsFolly Feb 04 '18 at 14:38
  • @RiggsFolly For each user sign-up a hash code is generated. And when I receive the mail the link is correct.. it shows the hash code that is in the DB too.. but still a blank site only and no updates – Jerome Feb 04 '18 at 14:39
  • Is it possible that the `real_escape_string()` is changing something in the email or hash string? – RiggsFolly Feb 04 '18 at 14:41
  • Your script is wide open to [SQL Injection Attack](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php). Even [if you are escaping inputs, it's not safe!](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) Use [prepared parameterized statements](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php) – RiggsFolly Feb 04 '18 at 14:42
  • I wonder what version of PHP he is using.... hmm. Jerome? Also add `ini_set('display_errors', true); error_reporting(E_ALL);` to the top of your script. – IncredibleHat Feb 04 '18 at 14:43
  • @RiggsFolly, I just changed everything to mysqli; now at least I'm getting "The url is either invalid or you already have activated your account". I checked, but the email and hash code are exactly the same in the DB as in the link I get to confirm. – Jerome Feb 04 '18 at 14:47
  • Please don't edit the title with "Solved" or include the solution in the question. I rolled the question back to a previous revision. Either delete the question or post your own answer below. Then, mark it as solved once it lets you. By doing that, it automatically marks your question as being solved. Questions and answers are two different animals. – Funk Forty Niner Feb 04 '18 at 15:41
  • Maybe an '@' disables error reporting... – Luc M Feb 04 '18 at 15:52

3 Answers


Solved with:

<?php
ini_set('display_errors', true); error_reporting(E_ALL);
$link = mysqli_connect("localhost", "database", "pw!", "database");

// Check connection
if($link === false){
    die("ERROR: Could not connect. " . mysqli_connect_error());
}

if(isset($_GET['email']) && !empty($_GET['email']) AND isset($_GET['hash']) && !empty($_GET['hash'])){
    // Verify data
    $email = mysqli_escape_string($link, $_GET['email']); // Set email variable
    $hash = mysqli_escape_string($link, $_GET['hash']); // Set hash variable
    // Set password variable (optional parameter; avoid an undefined-index notice when it is absent)
    $passwort = mysqli_escape_string($link, isset($_GET['passwort']) ? $_GET['passwort'] : '');

    $passwort_hash = password_hash($passwort, PASSWORD_DEFAULT);

    // Procedural mysqli_error() needs the connection handle
    $search = mysqli_query($link, "SELECT email, hash, active, passwort FROM users WHERE email='".$email."' AND hash='".$hash."' AND active='0'") or die(mysqli_error($link));
    $match  = mysqli_num_rows($search);

    if($match > 0){
        // We have a match, activate the account
        mysqli_query($link, "UPDATE users SET active='1' WHERE email='".$email."' AND hash='".$hash."' AND active='0'") or die(mysqli_error($link));
        echo '<div class="statusmsg">Your account has been activated, you can now login</div>';

    }else{
        // No match -> invalid url or account has already been activated.
        echo '<div class="statusmsg">The url is either invalid or you already have activated your account.</div>';
    }

}else{
    // Invalid approach
    echo '<div class="statusmsg">Invalid approach, please use the link that has been send to your email.</div>';
}
?>

Check this line:

if(isset($_GET['email']) && !empty($_GET['email']) AND isset($_GET['hash']) && !empty($_GET['hash'])){

You have used "AND" here. It should be:

if((isset($_GET['email']) && !empty($_GET['email'])) && (isset($_GET['hash']) && !empty($_GET['hash']))){


I have checked your script; it is working with some modifications. The possible error, according to me, is the status datatype. It should be 'int'. Please check below:

<?php
if(isset($_GET['email']) && !empty($_GET['email']) AND isset($_GET['hash']) && !empty($_GET['hash'])){
    // Verify data
    $email = mysql_escape_string($_GET['email']); // Set email variable
    $hash = mysql_escape_string($_GET['hash']); // Set hash variable

    $search = mysql_query("SELECT * FROM test_users WHERE u_email='".$email."' AND u_hash='".$hash."' ") or die(mysql_error()); 
    $match  = mysql_num_rows($search);

    if($match > 0){
        // We have a match, activate the account
        mysql_query("UPDATE test_users SET u_status='1' WHERE u_email='".$email."' AND u_hash='".$hash."'") or die(mysql_error());
        echo '<div class="statusmsg">Your account has been activated, you can now login</div>';
    }else{
        // No match -> invalid url or account has already been activated.
        echo '<div class="statusmsg">The url is either invalid or you already have activated your account.</div>';
    }

}else{
    // Invalid approach
    echo '<div class="statusmsg">Invalid approach, please use the link that has been send to your email.</div>';
}
?>

It's a bad idea to use die(); if this happens, the error is logged to the Apache error log and you are left with a blank screen. You should consider moving away from this way of interacting with MySQL and consider using PDO (https://phpdelusions.net/pdo) with prepared statements.

To see what the actual error is, follow your web server error log and see what is being logged.

    I think you misunderstood what `die( _some_string_here_ )` does. It does not send that string to an Apache error log. It displays it to the browser. If he used errorno, then it would exit with that code. (ps: I was not the downvoter) – IncredibleHat Feb 04 '18 at 14:34
  • Without die() it still leaves me on a blank screen :) ... Yeah, I know.. but I started like this now :( – Jerome Feb 04 '18 at 14:35
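The prepared-statement version that RiggsFolly's comment and the answer above recommend, as an added example that is not code from the question or from any of the answers. It keeps the `users` table (`email`, `hash`, `active`) from the question, uses PDO, and sends errors to the server log instead of the browser; the DSN, the credentials and the token format the regex accepts are assumptions.

```php
<?php
// Added example: verify.php with PDO prepared statements. Table columns come from
// the question; DSN/credentials are placeholders and the token regex is an assumption.
declare(strict_types=1);

ini_set('display_errors', '0');   // SQL errors must never reach the visitor's browser
ini_set('log_errors', '1');       // but a blank page helps nobody: keep them in the log
error_reporting(E_ALL);

function verifyAccount(PDO $pdo, string $email, string $hash): string
{
    // Cheap sanity checks before touching the database. The hash format is an
    // assumption: the question only says a code is generated per sign-up.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false
        || !preg_match('/\A[A-Za-z0-9]{16,128}\z/', $hash)) {
        return 'invalid';
    }
    // One conditional UPDATE instead of SELECT-then-UPDATE: no race between the
    // two queries, and the bound parameters never become part of the SQL text.
    $stmt = $pdo->prepare(
        'UPDATE users SET active = 1
          WHERE email = :email AND hash = :hash AND active = 0'
    );
    $stmt->execute([':email' => $email, ':hash' => $hash]);
    return $stmt->rowCount() === 1 ? 'activated' : 'invalid';
}

$messages = [
    'activated' => 'Your account has been activated, you can now log in.',
    'invalid'   => 'The link is either invalid or your account is already activated.',
    'missing'   => 'Invalid approach, please use the link that was sent to your email.',
];

try {
    $pdo = new PDO('mysql:host=localhost;dbname=databasename;charset=utf8mb4',
        'database', 'pw',
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,   // failures throw, no silent die()
         PDO::ATTR_EMULATE_PREPARES => false]);          // real server-side prepares

    $email = $_GET['email'] ?? '';
    $hash  = $_GET['hash'] ?? '';
    $state = ($email === '' || $hash === '') ? 'missing'
           : verifyAccount($pdo, $email, $hash);
} catch (PDOException $e) {
    error_log('verify.php: ' . $e->getMessage());   // detail goes to the log only
    $state = 'invalid';                             // visitor sees a generic message
}

echo '<div class="statusmsg">' . htmlspecialchars($messages[$state], ENT_QUOTES) . '</div>';
```

Because the UPDATE itself carries the `active = 0` condition, a link that is replayed after activation reports `invalid` without a second round trip, which is the same outcome the original SELECT-then-UPDATE pair was trying to produce.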