Question

I'm having a problem getting users' accounts to verify. I get it to insert data and then send out a confirmation link, but when it's clicked in the email it doesn't update the 'active' row from 0 to 1. I've been messing with this all night and it's probably something simple, but either way, if anyone can help I'd greatly appreciate it.

Also, if anyone could provide any tips on making this injection-proof, I'd be very happy. Thanks!

<?php

require ('classes/class.db.php');
require ('classes/class.pass.php');


try {

    if(isset($_GET['email']) && !empty($_GET['email']) AND isset($_GET['email_hash']) && !empty($_GET['email_hash'])){
        // Verify data
        $search = "SELECT email, email_hash, active FROM users WHERE email='".$email."' AND hash='".$email_hash."' AND active='0'";
        $match = $db->num_rows( $query );

        if($match > 0){

            $stmt = $db->prepare('UPDATE users (active) VALUES (:active) WHERE active = 0');
            $status = $stmt->execute(array(
                ':active' => 1));

            if( $status )
            {
                echo '<p>Your account has been activated, you can now login</p>';
            }
        }

    }else{
        echo '<p>Your account is already activated</p>';
    }

} catch (PDOException $e) {
    die($e->getMessage());
}

?>

UPDATE #1

Tried what Akam suggested, but I'm still getting some errors. Here is what I have for my statement.

$stmt = $db->prepare("UPDATE users SET active ='1' where active = '0' and email=:email AND email_hash=:email_hash");
$status = $stmt->execute(array(
':email' => $_GET['email'],
':email_hash' => $_GET['email_hash']
));

UPDATE #2

Seems like the problem is $_GET['email_hash'] which can't be echoed or stored in a variable. It won't take the random hash string from the signup.php page and carry it over to the verify.php page, but the email address carries over perfectly fine. I'm a bit confused and would love for someone to clarify this for me. Thanks.

UPDATE #3

The problem was as simple as changing $_GET['email_hash'] to $_GET['hash']. Thanks again!


Solution

You can also do it all in one query; there is no need to query first if you put the same conditions in the UPDATE:

"UPDATE users SET active ='1' where active = '0' and email=:email AND hash=:email_hash"

OTHER TIPS

Your UPDATE query contains a syntax error. Try changing the query to

$stmt = $db->prepare('UPDATE users SET active=:active WHERE active=0 AND email=:email AND email_hash=:email_hash');

And then include $email and $email_hash in your associative array during statement execution.

Just as a side note, calling isset($var) && !empty($var) is roughly equivalent to writing !empty($var). As per the documentation, because

empty($var)

is congruent to

!isset($var) || $var == false,

it follows that !empty($var) is congruent to isset($var) && $var != false.
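As an added example (not code from the question or either answer), here is the single-query activation described above, with both URL values bound as parameters, run as a stand-alone PHP script against an in-memory SQLite database. The table layout, the `hash` column name and the sample user are constructed for the demo; the guard at the bottom uses the reduced `!empty()` form from the side note.

```php
<?php
// Added example: parameterised, single-statement account activation.
// Requires the pdo_sqlite extension (assumption; bundled with most PHP builds).

function activateAccount(PDO $db, string $email, string $hash): bool
{
    // All three conditions live in the UPDATE itself: matching email,
    // matching token, and not yet active. The values from the URL are bound,
    // so they are treated as data and never become part of the SQL text.
    $stmt = $db->prepare(
        'UPDATE users SET active = 1
          WHERE active = 0 AND email = :email AND hash = :hash'
    );
    $stmt->execute([':email' => $email, ':hash' => $hash]);

    // rowCount() is the number of rows the UPDATE changed: exactly one on
    // success; zero for an unknown email, a wrong token, or a repeat click.
    return $stmt->rowCount() === 1;
}

// --- constructed fixture standing in for the real users table ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (
    email  TEXT PRIMARY KEY,
    hash   TEXT NOT NULL,
    active INTEGER NOT NULL DEFAULT 0
)');

$token = bin2hex(random_bytes(16));   // the random string signup.php would mail out
$ins = $db->prepare('INSERT INTO users (email, hash, active) VALUES (:email, :hash, 0)');
$ins->execute([':email' => 'alice@example.com', ':hash' => $token]);

// Stands in for $_GET on verify.php; keys match the link parameters (email, hash).
$get = ['email' => 'alice@example.com', 'hash' => $token];

// !empty() already implies isset(), so one call per parameter is enough.
if (!empty($get['email']) && !empty($get['hash'])) {
    // First click with the correct token: the row is flipped to active.
    var_dump(activateAccount($db, $get['email'], $get['hash']));
    // Second click on the same link: nothing left to update.
    var_dump(activateAccount($db, $get['email'], $get['hash']));
    // A quote-laden token is just a non-matching string, not injected SQL.
    var_dump(activateAccount($db, $get['email'], "' OR '1'='1"));
}
```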

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow