[SOLVED] Incorrect Activation Code - Needing help

[Irresistable]

I have header errors, session errors, managed to fix them up. Though now, it doesn't match the activation codes. The one in the database, is the same as the one as recieved in the email to activate. It might be because it's not recieving the code from the email.. though Im not sure.

 

This is my code below.

 

<?php
session_start();
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Developers Community - Currently Down</title>
<style type="text/css">
<!--
#wrapper h1 {
color: #F00;
font-style: normal;
}
-->
</style>
<style>
div#wrapper {
margin-left: auto;
margin-right: auto;
width: 825px;
text-align: center;
font-weight: bold;
font-family: "Comic Sans MS", cursive;
color: #000;
}.text {
text-align: center;
font-family: "Comic Sans MS", cursive;
color: #F00;
}
.forever {
font-style: italic;
}
</style>

<div id="wrapper">  <h1 class="forever"><u>Developers Community</u></h1>
<p>You will be redirected to the homepage within 10 seconds.<br />
If you do not get redirected please click <a href="http://www.developers-community.com" class="text">here<br />
<br />
</a>
<?php 
include ('include/session.php');
include ('include/constants.php'); 
if (!isset($_GET['email']) && !isset($_GET['activ_code']) )
{
$msg = "ERROR: Invalid code...";
exit();
}
$rsCode = mysql_query("SELECT activ_code from emails where email='$_GET[email]'") or die(mysql_error());
list($acode) = mysql_fetch_array($rsCode);
if ($_GET['activ_code'] == $acode)
{
mysql_query("update emails set activated=2 where email='$_GET[email]'") or die(mysql_error());
echo "<h3>Thank you </h3>Email confirmed and account activated. You are now subscribed to the Developers Community newsletter!";
} else
{ echo "ERROR: Incorrect activation code"; }
?>
</p></div>

 

Thanks if you can help

[DavidAM]

It looks like you sent an email with the activation code.  Was that a link that they clicked to get to this page, or is this page from a form where the user typed it?

 

If it was a link, did you urlencode() the email and/or activation code in the <A> tag?  If you did, you need to urldecode() them here, if you didn't, then you probably should.

 

If it was a form, did you use GET (or POST) as the method?

 

Also, a couple of notes:

1) your if(!isset) is using AND, so the exit there will only occur if BOTH are blank, I would use OR.

2) use mysql_real_escape() before sending any $_GET or $_POST data to the database otherwise you ar leaving yourself open to sql attacks.  As it is if I provide an email of ' OR 'a'='a that query will return every row in your database.

[Irresistable]

This is the mail that users recieve.

<? 

class Mailer
{
   /**
    * sendWelcome - Sends a welcome message to the newly
    * registered user, also supplying the username and
    * password.
    */
   function sendWelcome($email, $activ_code){
      $from = "From: ".EMAIL_FROM_NAME." <".EMAIL_FROM_ADDR.">";
      $subject = "Developers-Community Newsletter Activation";
      $body = "You have just applied for the DC newsletter to the email: ".$email."\n\n"
		 ."To activate your subscription, please use the following link below \n"
		 ."http://www.developers-community.com/Newsletter%20Beta/activate.php?email=$email&activationkey=$activ_code \n\n"
             ."If for some reason you recieved this email and you never applied for a newsletter, "
             ."then go to http://www.developers-community.com and contact us telling us to remove your email from our server \n"
             ."Any questions, don't hesitate to contact us.\n\n"
             ."Admin \n"
		 ."Developers Community";

      return mail($email,$subject,$body,$from);
   }
};

/* Initialize mailer object */
$mailer = new Mailer;

?>

 

And for example of how it comes out like when you click it, in the URL bar will show:

http://www.developers-community.com/Newsletter%20Beta/activate.php?email=the-day-that-never-comes@hotmail.co.uk&activationkey=1494650

 

I think I understand what you said, but not sure.. what to do?

 

I use a form, and the method is post.

You can test it out for yourself on here..

www.developers-community.com

It' a newsletter subscription. You'll recieve an activation email etc.

 

For the OR part, would it look like

if (!isset($_GET['email']) OR !isset($_GET['activ_code']) )

Or is that wrong..

For the mysql real escape, I use this..

	  $email = mysql_real_escape_string($email);
  $activ_code = mysql_real_escape_string($activ_code);

[Irresistable]

Does anyone know what I have to do?

[Irresistable]

I had a go trying to fix it, but I failed... still nobody knows?

[Jnerocorp]

for this line:

 

if (!isset($_GET['email']) OR !isset($_GET['activ_code']) )

 

why dont you use this:

if (isset($_GET['email'] && $_GET['activ_code'])) {

//If it is set process the stuff here

} else {

echo "Email or Activation Code Not Set";

}

 

so that way it checks both the email and activation code are set

[Irresistable]

Where would I put the else function.

 

I dont see how that'd check it though, that'd check.. if the email is wrong, and the code is right?

[gizmola]

Well it looks kinda simple to me -- nothing that a few print_r()'s or echo statements for debugging wouldn't show you.

 

For some reason you are looking for a get param named 'active_code'.  However, your email creates a url, where the activation code in a param named: 'activationkey'

 

ie. email=$email&activationkey=$activ_code

 

So you compare this empty string and of course it does not match. 

 

Change

 

if ($_GET['activ_code'] == $acode) ......

 

to

 

if ($_GET['activationkey'] == $acode)

 

And maybe you will have more luck.

[Jnerocorp]

try this:

 

<?php
session_start();
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Developers Community - Currently Down</title>
<style type="text/css">
<!--
#wrapper h1 {
   color: #F00;
   font-style: normal;
}
-->
</style>
<style>
div#wrapper {
   margin-left: auto;
   margin-right: auto;
   width: 825px;
   text-align: center;
   font-weight: bold;
   font-family: "Comic Sans MS", cursive;
   color: #000;
}.text {
   text-align: center;
   font-family: "Comic Sans MS", cursive;
   color: #F00;
}
.forever {
   font-style: italic;
}
</style>

<div id="wrapper">  <h1 class="forever"><u>Developers Community</u></h1>
<p>You will be redirected to the homepage within 10 seconds.<br />
If you do not get redirected please click <a href="http://www.developers-community.com" class="text">here<br />
<br />
</a>
<?php 
include ('include/session.php');
include ('include/constants.php'); 
if (isset($_GET['email'] && $_GET['activ_code'])) {

$rsCode = mysql_query("SELECT activ_code from emails where email='$_GET[email]'") or die(mysql_error());
list($acode) = mysql_fetch_array($rsCode);

if($_GET['activ_code'] == $acode) {
mysql_query("update emails set activated=2 where email='$_GET[email]'") or die(mysql_error());
echo "<h3>Thank you </h3>Email confirmed and account activated. You are now subscribed to the Developers Community newsletter!";
} else { 
echo "ERROR: Incorrect activation code"; 
}
} else {
echo "ERROR: Activation Code or Email is not set";
?>
</p></div>

[Irresistable]

Oh my gosh, why didn't I know that! Thanks for your help. Sorry I was a bit impatient! I'll bookmark this for future reference.