Generaljoe Posted July 2, 2014

Actually, what I want to do is to use the email to fetch the $email, $password and $randomnumber from the database after the $key UPDATE (where email is $email) sets it to null; then the fetched variables can be emailed to the user's email. My code below doesn't work as expected:

<?php
include ('database_connection.php');

if (isset($_GET['email']) && preg_match('/^([a-zA-Z0-9])+([a-zA-Z0-9\._-])*@([a-zA-Z0-9_-])+([a-zA-Z0-9\._-]+)+$/', $_GET['email'])) {
    $email = $_GET['email'];
}
if (isset($_GET['key']) && (strlen($_GET['key']) == 32)) // The Activation key will always be 32 since it is an MD5 hash
{
    $key = $_GET['key'];
}
if (isset($email) && isset($key)) {
    // Update the database to set the "activation" field to null
    $query_activate_account = "UPDATE members SET Activation=NULL WHERE(email ='$email' AND Activation='$key')LIMIT 1";
    $result_activate_account = mysqli_query($dbc, $query_activate_account);
    // Print a customized message:
    if (mysqli_affected_rows($dbc) == 1) // if the update query was successful
    {
        // Send the email:
        $message = " Your Account has now been verified, Below are your Details.\n\n";
        $message .= " __________________________________________
Username: $username
Password: $Password
Account Number: $randomnumber
__________________________________________
Please Ensure you keep safely.";
        echo '<div class="success">Your account is now active and your Account details sent to you. You may now <a href="login.php">Log in</a></div>';
        mail ($email, "Activation Success", $message, 'From:My site<no-reply@xxxx.com>');
    }
}
Psycho Posted July 2, 2014 (Solution)

"my code below, doesn't work . . . as expected"

That isn't very helpful. What is it doing or not doing that is incorrect? But, I will comment on your logic:

1. Why are you passing the email address in the request? The activation code is all you need.
2. There is no error logging, so it is impossible to say why the code is not working as expected. The code to update the DB and send the email is wrapped within an if() condition. So, if one of those two values is not set, it will not run. Since we can't see the construction of the URL that is used, it's impossible to know if that may be the source of the problem. Or, the query could be failing for all we know.
3. No need to include the DB connection file if you may not run a query . . . but, don't bother doing a pre-validation of the key, since if it isn't 32 characters it won't find a match anyway.
4. You need to prevent SQL injection.
5. Why is there a limit on the query? Are you reusing the activation keys? There are more than you can comprehend.
6. I don't see anything in the code to define $username, $password or $randomnumber.

Here is a different take on the process that may help:

<?php
$activation = isset($_GET['key']) ? $_GET['key'] : false;
if (!$activation) {
    echo "No activation key passed";
} else {
    // Update the database to set the "activation" field to null
    include ('database_connection.php');
    $activation = mysqli_real_escape_string($dbc, $activation);
    $query = "UPDATE members SET Activation=NULL WHERE Activation='$activation'";
    $result = mysqli_query($dbc, $query);
    if(!$result) {
        echo "An error occurred trying to activate your account";
        //Debug line only, log errors in a production environment
        echo "Query: $query<br>Error: " . mysqli_error($dbc);
    } elseif(!mysqli_affected_rows($dbc)) {
        echo "Your activation code does not appear to be valid";
    } else {
        //Activation completed. Send a customized message.
        ### ADD CODE TO GET USERNAME & ACCOUNT NUMBER FROM DB AND TO GENERATE TEMP PASSWORD
        // $email is no longer in the URL, so it must come from the same fetched row
        $message = " Your Account has now been verified, Below are your Details.\n
__________________________________________
Username: $username
Password: $Password
Account Number: $randomnumber
__________________________________________
Please Ensure you keep safely.";
        if(!mail ($email, "Activation Success", $message, 'From:My site<no-reply@xxxx.com>')) {
            echo "There was a problem sending your activation details";
        } else {
            echo '<div class="success">Your account is now active and your Account details sent to you. You may now <a href="login.php">Log in</a></div>';
        }
    }
}
?>

Edited July 2, 2014 by Psycho
Generaljoe (Author) Posted July 2, 2014

<?php
$activation = isset($_GET['key']) ? $_GET['key'] : false;
if (!$activation) {
    echo "No activation key passed";
} else {
    // Update the database to set the "activation" field to null
    include ('database_connection.php');
    $activation = mysql_real_escape_string($activation);
    $query = "UPDATE members SET Activation=NULL WHERE Activation='$key'";
    $result = mysqli_query($dbc, $query_activate_account);
    if(!$result) {
        echo "An error occurred trying to activate your account";
        //Debug line only, log errors in a production environment
        echo "Query: $query<br>Error: " . mysql_error();
    } elseif(!mysqli_affected_rows($dbc)) {
        echo "Your activation code does not appear to be valid";
    } else {
        //Activation completed. Send a customized message.
        //query
        $query = mysql_query("select username, Password, randomnumber from members where key='$key'") or die ('Query is invalid: ' . mysql_error());
        //write the results
        while ($row = mysql_fetch_array($query)) {
            $message = " Your Account has now been verified, Below are your Details.\n
__________________________________________
Username: $username
Password: $Password
Account Number: $randomnumber
__________________________________________
Please Ensure you keep safely.";
            if(!mail ($email, "Activation Success", $message, 'From:My site<no-reply@xxxx.com>')) {
                echo "There was a problem sending your activation details";
            } else {
                echo '<div class="success">Your account is now active and your Account details sent to you. You may now <a href="login.php">Log in</a></div>';
            }
        }
    }
}
?>

I got an error in line 57.
Jacques1 Posted July 2, 2014

Never store passwords as plaintext or even send them around by e-mail. The passwords are highly sensitive data and could be used on other websites as well, which means it's your duty to protect them with state-of-the-art security. If you're unable or unwilling to do that, you should remove the registration feature.

Since you happily drop the URL parameters into your query strings, you actually allow anybody to write their own queries and, for example, fetch all plaintext passwords. You might as well publish the database credentials.

I strongly recommend that you learn the basics of web security and database access before you even think about storing user data. I'm not saying this to put you down, but leaking the data of other people is simply unacceptable.
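The approach that Psycho's list and Jacques1's post point to, token-only activation, parameterised queries, hashed passwords and no password in the e-mail, worked through as an added example; this is not code from the thread or from either poster. It assumes PHP 7.1+, the thread's members table (email, username, Password, randomnumber and Activation columns), that database_connection.php yields a mysqli handle in $dbc, and a placeholder sender address.

```php
<?php
// Added example, not code from the thread: the activation flow rebuilt as Psycho and
// Jacques1 describe. Assumes PHP 7.1+, the thread's members table (email, username,
// Password, randomnumber, Activation) and a mysqli handle $dbc from database_connection.php.
declare(strict_types=1);
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // DB failures throw instead of being skipped
// Registration: store a password hash, never the password, plus a random 32-hex-char token.
function registerMember(mysqli $dbc, string $email, string $username,
                        string $password, string $accountNumber): string {
    $token = bin2hex(random_bytes(16));              // CSPRNG, instead of md5(uniqid(rand(), true))
    $hash  = password_hash($password, PASSWORD_DEFAULT);
    $stmt  = $dbc->prepare('INSERT INTO members (email, username, Password, randomnumber, Activation)
                            VALUES (?, ?, ?, ?, ?)'); // placeholders: no input ever lands in the SQL text
    $stmt->bind_param('sssss', $email, $username, $hash, $accountNumber, $token);
    $stmt->execute();
    return $token;                                   // only this goes into activate.php?key=<token>
}

// Activation: the token alone selects the row; the address is read from the DB, not the
// URL, and the password column is never read back. Returns the member row or null.
function activateMember(mysqli $dbc, string $token): ?array {
    if (!preg_match('/\A[0-9a-f]{32}\z/', $token)) {
        return null;                                 // malformed key: reject before any query
    }
    $sel = $dbc->prepare('SELECT email, username, randomnumber FROM members WHERE Activation = ?');
    $sel->bind_param('s', $token);
    $sel->execute();
    $sel->bind_result($email, $username, $account);  // read the details BEFORE the token is cleared
    $found = $sel->fetch();
    $sel->close();                                   // free the result before the next statement
    if (!$found) { return null; }
    $upd = $dbc->prepare('UPDATE members SET Activation = NULL WHERE Activation = ?');
    $upd->bind_param('s', $token);
    $upd->execute();                                 // a token can be consumed exactly once
    return $upd->affected_rows === 1
        ? ['email' => $email, 'username' => $username, 'randomnumber' => $account] : null;
}

// activate.php: the request carries only ?key=...; the details are mailed without the password.
include 'database_connection.php';
try {
    $member = activateMember($dbc, (string)($_GET['key'] ?? ''));
    if ($member === null) {
        echo '<div class="errormsgbox">Your activation code does not appear to be valid.</div>';
    } else {
        $msg = "Your account is now verified.\n\nUsername: {$member['username']}\n"
             . "Account Number: {$member['randomnumber']}\n\nLog in with the password you chose at registration.";
        mail($member['email'], 'Activation Success', $msg, 'From: My site <no-reply@example.com>');
        echo '<div class="success">Your account is now active. You may now <a href="login.php">Log in</a></div>';
    }
} catch (mysqli_sql_exception $e) {
    error_log('activation failed: ' . $e->getMessage()); // log the detail, show the user a generic message
    echo '<div class="errormsgbox">An error occurred trying to activate your account.</div>';
}
```

The registration script calls registerMember() and puts only the returned token into the link, so activate.php needs nothing from the URL except that key; the login page then verifies the stored hash with password_verify().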
Generaljoe (Author) Posted July 2, 2014

Here is the full code:

<?php
include ('database_connection.php');

if (isset($_POST['formsubmitted'])) {
    $error = array(); // Declare An Array to store any error message

    if (empty($_POST['username'])) { // if no name has been supplied
        $error[] = 'Please Enter Username '; // add to array "error"
    } else {
        $username = $_POST['username']; // else assign it a variable
    }
    if (empty($_POST['salutation'])) { // if no name has been supplied
        $error[] = 'Please Enter Salutation '; // add to array "error"
    } else {
        $salutation = $_POST['salutation']; // else assign it a variable
    }
    if (empty($_POST['gender'])) { // if no name has been supplied
        $error[] = 'Please Select Gender '; // add to array "error"
    } else {
        $gender = $_POST['gender']; // else assign it a variable
    }
    if (empty($_POST['firstname'])) { // if no name has been supplied
        $error[] = 'Please Enter Firstname '; // add to array "error"
    } else {
        $firstname = $_POST['firstname']; // else assign it a variable
    }
    if (empty($_POST['lastname'])) { // if no name has been supplied
        $error[] = 'Please Enter Lastname '; // add to array "error"
    } else {
        $lastname = $_POST['lastname']; // else assign it a variable
    }
    if (empty($_POST['maritialstatus'])) { // if no name has been supplied
        $error[] = 'Please Enter Marital status '; // add to array "error"
    } else {
        $maritialstatus = $_POST['maritialstatus']; // else assign it a variable
    }
    if (empty($_POST['dob'])) { // if no name has been supplied
        $error[] = 'Please Enter Date of Birth '; // add to array "error"
    } else {
        $dob = $_POST['dob']; // else assign it a variable
    }
    if (empty($_POST['category'])) { // if no name has been supplied
        $error[] = 'Please Enter Category '; // add to array "error"
    } else {
        $category = $_POST['category']; // else assign it a variable
    }
    if (empty($_POST['motmaidenname'])) { // if no name has been supplied
        $error[] = 'Please Enter Mother Maiden name '; // add to array "error"
    } else {
        $motmaidenname = $_POST['motmaidenname']; // else assign it a variable
    }
    if (empty($_POST['fathername'])) { // if no name has been supplied
        $error[] = 'Please Enter Father name '; // add to array "error"
    } else {
        $fathername = $_POST['fathername']; // else assign it a variable
    }
    if (empty($_POST['mobileno'])) { // if no name has been supplied
        $error[] = 'Please Enter Mobile Number '; // add to array "error"
    } else {
        $mobileno = $_POST['mobileno']; // else assign it a variable
    }
    if (empty($_POST['occtype'])) { // if no name has been supplied
        $error[] = 'Please Select Occupation Type '; // add to array "error"
    } else {
        $occtype = $_POST['occtype']; // else assign it a variable
    }
    if (empty($_POST['income'])) { // if no name has been supplied
        $error[] = 'Please Select Income '; // add to array "error"
    } else {
        $income = $_POST['income']; // else assign it a variable
    }
    if (empty($_POST['sourceoffunds'])) { // if no name has been supplied
        $error[] = 'Please Select Source of Fund '; // add to array "error"
    } else {
        $sourceoffunds = $_POST['sourceoffunds']; // else assign it a variable
    }
    if (empty($_POST['state'])) { // if no name has been supplied
        $error[] = 'Please Enter State '; // add to array "error"
    } else {
        $state = $_POST['state']; // else assign it a variable
    }
    if (empty($_POST['Country'])) { // if no name has been supplied
        $error[] = 'Please Select Country '; // add to array "error"
    } else {
        $Country = $_POST['Country']; // else assign it a variable
    }
    if (empty($_POST['city'])) { // if no name has been supplied
        $error[] = 'Please Select City '; // add to array "error"
    } else {
        $city = $_POST['city']; // else assign it a variable
    }
    if (empty($_POST['randomnumber'])) { // if no name has been supplied
        $error[] = 'AutoGenerate AccountNumber Failed '; // add to array "error"
    } else {
        $randomnumber = $_POST['randomnumber']; // else assign it a variable
    }
    if (empty($_POST['Addressproof'])) { // if no name has been supplied
        $error[] = 'Please Enter Address '; // add to array "error"
    } else {
        $Addressproof = $_POST['Addressproof']; // else assign it a variable
    }
    if (empty($_POST['email'])) {
        $error[] = 'Please Enter your Email ';
    } else {
        if (preg_match("/^([a-zA-Z0-9])+([a-zA-Z0-9\._-])*@([a-zA-Z0-9_-])+([a-zA-Z0-9\._-]+)+$/", $_POST['email'])) { // regular expression for email validation
            $email = $_POST['email'];
        } else {
            $error[] = 'Your EMail Address is invalid ';
        }
    }
    if (empty($_POST['Password'])) {
        $error[] = 'Please Enter Your Password ';
    } else {
        $Password = $_POST['Password'];
    }

    if (empty($error)) // send to Database if there's no error
    { // If everything's OK...
        // Make sure the email address is available:
        $query_verify_email = "SELECT * FROM members WHERE email ='$email'";
        $result_verify_email = mysqli_query($dbc, $query_verify_email);
        if (!$result_verify_email) { // if the Query Failed, similar to if($result_verify_email==false)
            echo ' Database Error Occurred ';
        }
        if (mysqli_num_rows($result_verify_email) == 0) { // IF no previous user is using this email.
            // Create a unique Activation code:
            $Activation = md5(uniqid(rand(), true));
            $query_insert_user = "INSERT INTO `members` (`salutation`, `gender`, `firstname`, `middlename`, `lastname`, `maritialstatus`, `dob`, `category`, `motmaidenname`, `fathername`, `email`, `mobileno`, `chkpan`, `occtype`, `education`, `income`, `sourceoffunds`, `others`, `PassportID`, `username`, `Addressproof`, `Password`, `state`, `Country`, `city`, `randomnumber`, `Activation`) VALUES ('$salutation', '$gender', '$firstname', '$middlename', '$lastname', '$maritialstatus', '$dob', '$category', '$motmaidenname', '$fathername', '$email', '$mobileno', '$chkpan', '$occtype', '$education', '$income', '$sourceoffunds', '$others', '$PassportID', '$username', '$Addressproof', '$Password', '$state', '$Country', '$city', '$randomnumber', '$Activation')";
            $result_insert_user = mysqli_query($dbc, $query_insert_user);
            if (!$result_insert_user) {
                echo 'Query Failed ';
            }
            if (mysqli_affected_rows($dbc) == 1) { // If the Insert Query was successful.
                // Send the email:
                $message = " To activate your account, please click on this link:\n\n";
                $message .= " http://www.mysite.com/activate.php?email=$email&key=$Activation";
                $message .= " __________________________________________
Username: $username
Password: $Password
__________________________________________
Please Ensure you keep safely.";
                mail($email, 'Sign Up|Verification', $message, 'From:My Site<no-reply@xxxxx.com>');
                // Flush the buffered output.
                // Finish the page:
                echo '<div class="success">Thank you for registering! A confirmation email has been sent to '.$email.' Please click on the Activation Link to Activate your account </div>';
            } else { // If it did not run OK.
                echo '<div class="errormsgbox">You could not be registered due to a system error. We apologize for any inconvenience.</div>';
            }
        } else { // The email address is not available.
            echo '<div class="errormsgbox" >That email address has already been registered. </div>';
        }
    } else { // If the "error" array contains error msgs, display them
        echo '<div class="errormsgbox"> <ol>';
        foreach ($error as $key => $values) {
            echo ' <li>'.$values.'</li>';
        }
        echo '</ol></div>';
    }
    mysqli_close($dbc); // Close the DB Connection
} // End of the main Submit conditional.
?>

This is the Activation code, after the verification link is sent:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Activate Your Account</title>
<style type="text/css">
body {
    font-family:"Lucida Grande", "Lucida Sans Unicode", Verdana, Arial, Helvetica, sans-serif;
    font-size:12px;
}
.success {
    border: 1px solid;
    margin: 0 auto;
    padding:10px 5px 10px 60px;
    background-repeat: no-repeat;
    background-position: 10px center;
    width:450px;
    color: #4F8A10;
    background-color: #DFF2BF;
    background-image:url('images/success.png');
}
.errormsgbox {
    border: 1px solid;
    margin: 0 auto;
    padding:10px 5px 10px 60px;
    background-repeat: no-repeat;
    background-position: 10px center;
    width:450px;
    color: #D8000C;
    background-color: #FFBABA;
    background-image: url('images/error.png');
}
</style>
</head>
<body><?php
include ('database_connection.php');

if (isset($_GET['email']) && preg_match('/^([a-zA-Z0-9])+([a-zA-Z0-9\._-])*@([a-zA-Z0-9_-])+([a-zA-Z0-9\._-]+)+$/', $_GET['email'])) {
    $email = $_GET['email'];
}
if (isset($_GET['key']) && (strlen($_GET['key']) == 32)) // The Activation key will always be 32 since it is an MD5 hash
{
    $key = $_GET['key'];
}
if (isset($email) && isset($key)) {
    // Update the database to set the "activation" field to null
    $query_activate_account = "UPDATE members SET Activation=NULL WHERE(email ='$email' AND Activation='$key')LIMIT 1";
    $result_activate_account = mysqli_query($dbc, $query_activate_account);
    // Print a customized message:
    if (mysqli_affected_rows($dbc) == 1) // if the update query was successful
    {
        echo '<div class="success">Your account is now active. You may now <a href="login.php">Log in</a></div>';
    } else {
        echo '<div class="errormsgbox">Oops! Your account could not be activated. Please recheck the link or contact the system administrator.</div>';
    }
    mysqli_close($dbc);
} else {
    echo '<div class="errormsgbox">Error Occurred.</div>';
}
?>
</body>
</html>

All I want is to have the user account details, e.g. username, Password and randomnumber, fetched from the database and an email sent to the user containing the account details after the account is confirmed.
Generaljoe (Author) Posted July 2, 2014

Quoting Jacques1:
Never store passwords as plaintext or even send them around by e-mail. The passwords are highly sensitive data and could be used on other websites as well, which means it's your duty to protect them with state-of-the-art security. If you're unable or unwilling to do that, you should remove the registration feature. Since you happily drop the URL parameters into your query strings, you actually allow anybody to write their own queries and, for example, fetch all plaintext passwords. You might as well publish the database credentials. I strongly recommend that you learn the basics of web security and database access before you even think about storing user data. I'm not saying this to put you down, but leaking the data of other people is simply unacceptable.

I'll have it secured; it's still in the development phase, it's part of the plan. Come on man, I wouldn't want the database injected by some SQL injection or some silly tricks.
Jacques1 Posted July 3, 2014

I know, it's only a school project, you'll add security later etc. Leaving all that aside: You cannot use this code on the Internet. If you want your application to survive more than just a few minutes, you need to fix your queries, hash the passwords properly and not send them around in e-mails.