Account Activation not working

[dyr]

Hi!  Trying to have it send a link to a user's email upon registration, and set it so they can't login until they click the link from their email.  Here's the register script:

<?php
   
include('config.php');
include('dateindex.php');

if($loggedin == '1')
die("You can't register another account while you're logged in.");

if(isset($_POST['submit']))
{

$callname = mysql_real_escape_string($_POST['callname']);
$uname = mysql_real_escape_string($_POST['username']);  
$password = mysql_real_escape_string($_POST['password']);  
$email = mysql_real_escape_string($_POST['email']);  

if((!isset($_POST['username'])) || (!isset($_POST['callname'])) || (!isset($_POST['email'])) || (!isset($_POST['pass'])) || ($uname == '') || ($_POST['pass'] == ''))
die("Please fill out the form completely. <br><br>
<a href=register.php>Continue</a>");

$check = @mysql_query("SELECT id FROM users WHERE username = '$uname'");
$check = @mysql_num_rows($check);

if($check > 0)
die("Sorry, that username has already been taken. Please try again.
<br><br>
<a href=register.php>Continue</a>");

function validateEmailAddress($email) {
return filter_var($email, FILTER_VALIDATE_EMAIL) && preg_match('/@.+\./', $email);
}
if(validateEmailAddress($email) !=1) {
echo "That email address does not exist.<br /><br /><a href=register.php>Continue</a>";
exit();
}

$pass = md5($_POST['pass']);

$date = date("m/d/y");

$a =md5(uniqid(rand(), true));

$newPlayer = @mysql_query("INSERT INTO users (username, password, callname, email, registered, active) VALUES ('$uname', '$pass', '$callname', '$email', '$date', '$a')") or die("Error: ".mysql_error());

if (mysql_affected_rows() == 1) {
$body = "Thank you for registering.  To activate account click this link";

$body .= "http://localhost/testing/mbactivate.php?x=" . mysql_insert_id() . "$y=$a";

mail($_POST['email'], 'Registration Confirmed', $body, 'From:mirrorcat@airpost.net');


echo '<br />You have been registered! A confirmation email has been sent.';

exit();
}
}
else
{

echo '<form action=register.php method=post>
Callname: <input type=text name=callname><br>
Username: <input type=text name=username><br>
Email: <input type=text name=email><br>
Password: <input type=password name=pass><br>
<input type=submit name=submit value=Submit>
</form>';

}

?>

 

login/index:

<?php

include('config.php');

echo '<center><a href=index.php>Main</a> | <a href=myprofile.php>Profile</a> | <a href=inbox.php>Inbox</a> | <a href=page1.php>To-Do List</a> | <a href=logout.php>Logout</a></center>';

print date('g:i a - l, F jS');

echo '<br /><br />';

?>

<?php

if($loggedin == '0')
{
if(isset($_POST['submit']))
{

// Make sure all forms were filled out.

if((!isset($_POST['username'])) || 
(!isset($_POST['pass'])) 
|| ($_POST['username'] == '') || ($_POST['pass'] == ''))
die("Please fill out the form completely. <br><br>
<a href=index.php>Continue</a>");

// Get user's record from database
$player = @mysql_query("SELECT id, username, password, callname, email, registered, lastlogin FROM users WHERE username = '".$_POST['username']."'");
$player = @mysql_fetch_assoc($player);
mysql_real_escape_string($username);
mysql_real_escape_string($password);

if($player['id'] == false)
die("Sorry, that user is not in our database.<br><br>
<a href=index.php>Back</a>");
else if($player['password'] != md5($_POST['pass']))
die("Wrong password!<br><br>
<a href=index.php>Back</a>");

$_SESSION['id'] = $player['id'];
$_SESSION['username'] = $player['username'];
$_SESSION['password'] = $player['password'];
$_SESSION['callname'] = $player['callname'];
$_SESSION['email'] = $player['email'];

$date = date("m/d/y");

$update = @mysql_query("UPDATE users SET lastlogin = '$date' WHERE id = '".$_SESSION['id']."'");

echo 'You are now logged in!';

}
else
{
echo 'You are not logged in. <br><br>
<form action=index.php method=post>
Username: <input type=text name=username><br>
Password: <input type=password name=pass><br>
<input type=submit name=submit value=Submit>
</form>
Would you like to <a href=register.php>register?</a>';
}
}

else
{
echo 'You are logged in! 
Welcome, '.$_SESSION['callname'].'!';

}

?>

<br /><br />

<b>Activate Account</b><br />

<?php



// Validate $_GET['x'] and $_GET['y'].



if (isset($_GET['x'])) {



$x = (int) $_GET['x'];



} else {



$x = 0;



}



if (isset($_GET['y'])) {



$y = $_GET['y'];



} else {



$y = 0;



}



// If $x and $y aren't correct, redirect the user.



if ( ($x > 0) && (strlen($y) == 32)) {



$query = "UPDATE users SET active=NULL WHERE (id=$x AND active='" . $y . "') LIMIT 1";



$result = mysql_query ($query) or trigger_error("Query: $query\n<br />MySQL Error: " . mysql_error());







// Print a customized message.



if (mysql_affected_rows() == 1) {



echo "<br><br><h3>Your account is now active. You may now log in.</h3>";



} else {



echo '<br><br><p><font color="red" size="+1">Your account could not be activated. Please re-check the link or contact the system administrator.</font></p>';



}



// mysql_close();



} else { // Redirect.



// Start defining the URL.



$url = 'http://' . $_SERVER['HTTP_HOST'] . dirname($_SERVER['PHP_SELF']);



// Check for a trailing slash.



if ((substr($url, -1) == '/') OR (substr($url, -1) == '\\') ) {



$url = substr ($url, 0, -1); // Chop off the slash.

}



// Add the page.

$url .= '/index.php';



ob_end_clean(); // Delete the buffer.



exit(); 


} // End of main IF-ELSE.

?>

 

My problem is it isn't sending the code to the email specified, even though the random letters that should be sent to the email are stored in the database.  And when I test the url anyway, (x=1&y=activationcode) it returns it as false, that the code doesn't exist even though I can clearly see it in my database!  Can anyone spot any errors?

[Drummin]

Remove error suppression. @

Try adding this under your insert query to see if id is being grabbed.

if (mysql_affected_rows() == 1) {
$newid=mysql_insert_id();
echo "$newid";
}

[floridaflatlander]

Is this

id() . "$y=$a"; 

a typo above in your activation email?

 

 

My problem is it isn't sending the code to the email specified

 

Try an echo somewhere on your register page to see if your assigning the email address to the $email variable like you think you are.

[Drummin]

I also don't see where the variable $y is defined in the first bit of code before the insert and email.

[dragon_sa]

As floridaflatlander mentioned about the typo, I think $y=$a is meant to be &y=$a

[dyr]

Thanks, guys!  Email still isn't being sent but I just tried it again so I'll wait 20 minutes or so before declaring it "doesn't work".  I've emptied all my junk mail folders and made sure it will receive the email.  Also, I've moved the 'activation' script from the login page to mbactivate.php where it belongs, sorry if I didn't make that clear earlier. 

 

Drummin, I updated it with your suggestion, the ID is being grabbed like it should.  dragon_sa and floridaflatlander, thanks, that was indeed a typo!  The activation code is being logged in the database but still won't let me activate the account.

[Drummin]

So it seems SENDING the email is the problem, correct?  Maybe you need some header information to pacify your host sever.  Something like this.

 

 

$headers = "From: mirrorcat@airpost.net\r\n";
$headers .= "Reply-To: mirrorcat@airpost.net\r\n";
$headers .= "X-Sender: mirrorcat@airpost.net\r\n";
$headers .= "X-Priority: 3 \r\n";

mail($_POST['email'], 'Registration Confirmed', $body, $headers);

[floridaflatlander]

The activation code is being logged in the database but still won't let me activate the account.

 

But your not getting your emails right?

 

Also test with different email address.

[dyr]

Right, I'm not.  Tested with 3 different email addresses, first two are standard name@server.com, last one is name@server.location.com  to see if it made a difference, and it didn't.  Any ideas why the email's not being sent?

[floridaflatlander]

Is this happening on your local computer or online?

[dyr]

localhost, is that the reason?  If so, I shall feel utterly stupid.  The tutorial I was watching for it showed the person using a localhost so I guess that got me confused.

[floridaflatlander]

If your doing this on your local computer you need to have an email service set up.

[dyr]

Within local host?  I have it connected to a working email address.

[floridaflatlander]

Have you put any other scripts on this server and had them to work?

Can you build a bare bones script to test your server?

[dyr]

Not ones that connect to email.  I have many scripts, such as a messaging system, login, logout, register, etc that all work fine though on my localhost.

[floridaflatlander]

Have you put any other scripts on this server and had them to work?

 

I guess I should have said email scripts.

[dyr]

Ah, no, none of the email scripts (that connect to my email account) I've tried worked.  Ones that use the email address stored, like in the profile codes and such work fine. 

[Drummin]

Instead of fight this, is the program going to be hosted online?  Then assuming you have your send mail scripts setup correctly, you should be fine.

If you are going to be hosting the site on your local machine, then make sure you set it up your SMTP sever to do this.  Just do a search for finding out more about this.

https://www.google.com/search?q=requirements+to+send+email+from+local

 

I would focus on making sure validation codes (URL) received will process as expected, validating user and their email account etc.

[dyr]

I'm going to eventually host this online, yes! 

 

I agree Drummin, however the activation code that should've been sent to the email address upon registering (is stored correctly in database, I can see it) doesn't work when I type the url in to the address bar.  Whether the user got the email or not, hypothetically the url I type in to activate the account still should work, right?  Doesn't seem to do anything, and not sure where I went wrong in the code.  If said url was typed in, the activate account screen should... well... verify and activate the account.

[Drummin]

Well that should be straight forward to fix.  What is your current code for receiving these GET values and what are you doing with them?

[Drummin]

Just based on what I've seen, this should work.

<?php
// Validate $_GET['x'] and $_GET['y'].
if (isset($_GET['x'])) {
$x = (int) $_GET['x'];
} else {
$x = 0;
}
if (isset($_GET['y'])) {
$y = $_GET['y'];
} else {
$y = 0;
}
// If $x and $y aren't correct, redirect the user.
if ( ($x > 0) && (strlen($y) == 32)) {
$query = "UPDATE users SET active=NULL WHERE id='$x' AND active='$y'"; 
$result = mysql_query ($query) or trigger_error("Query: $query\n<br />MySQL Error: " . mysql_error());	
// Print a customized message. 
if (mysql_affected_rows() == 1) { 
echo "<br><br><h3>Your account is now active. You may now log in.</h3>";
} else {
echo '<br><br><p><font color="red" size="+1">Your account could not be activated. Please re-check the link or contact the system administrator.</font></p>';
}
}
?>

[dyr]

Thanks, my current code was the code below the login form on the index.php page, which I then moved to it's separate page mbactivate.php.  I tried your updated code, which seems to make the same sense logically but smaller and more condensed.  Thanks for that, works like a charm! 

 

Now to make it so that if their account isn't activated, they can't login.  For this, I've made some editing to my login code.  Would this make sense?

$player = @mysql_query("SELECT * FROM users WHERE username = '".$_POST['username']."'");
$player = @mysql_fetch_assoc($player);
mysql_real_escape_string($username);
mysql_real_escape_string($password);

if($player['active'] != null)
die("Your account is not activated.");

 

Now obviously that doesn't work, but is it possible to have a variable check to see if it's null in the mysql database or not like I tried above?  I've tried searching to see if it's possible and couldn't find any straight forward answers.

 

[Drummin]

Please stop suppressing errors by using @.

 

I think what you would be looking for would be IS NULL because you make the active field NULL when validating their account.  So your log in processing might look like this.

<?php 
if (isset($_POST['login'])){ 
$username = mysql_real_escape_string($_POST['username']); 
$password = mysql_real_escape_string(md5($_POST['pass']));
$sql = "SELECT id FROM users WHERE password='$password' AND username= '$username' AND active IS NULL";
$result = mysql_query($sql) or die (mysql_error());
if (mysql_num_rows($result)){
$row = mysql_fetch_row($result);
//Do what you want with valid user.
session_start();
$_SESSION['user_id']=$row[0];
header("location: homepage.php");
exit;
}else{
$error="Your account is not activated.";
}
}//if (isset($_POST['login']))
?>
<html>
<body>
<?php if (isset($error)){ echo "$error";}?>
<!-- Add login form here -->
</body>
</html>

[dyr]

Now I now the IS NULL feature.  Thanks for all the help!