Validate after user registers

[RedInjection]

Hello all,

 

I have made a script that does what I want but I am asking are there any flaws in my coding that I am missing in terms of security?

 

* When a user registers by default the table sets the column status to pending

* The key generated is a random 5 character string with a mixture of Uppercase and Numbers

	// IF username is missing from URL then redirect
	if ( empty($_GET['username']) ) {
	redirect_to("register.php");
	}	
	// IF key is missing from URL then redirect
	if ( empty($_GET['key']) ) {
	redirect_to("register.php");
	}
	
	// SQL Query
	$sql = "SELECT * from users WHERE username = '{$_GET['username']}'";
	$result = $mysqli->query($sql);
	$row = $result->fetch_assoc();	

	if ( $row['status'] == 'pending' ) {
	
		if ( $_GET['key'] == $row['activation'] ) {
    $sql = "UPDATE users SET status='enabled' WHERE username='{$_GET['username']}' LIMIT 1";
	$result = $mysqli->query($sql);	
    $sql = "UPDATE users SET activation='' WHERE username='{$_GET['username']}' LIMIT 1";
	$result = $mysqli->query($sql);	
		echo 'Your account is now <font color=green><strong>ACTIVE</strong></font>';
		}
	}
	
		if ( $_GET['key'] != $row['activation'] ) {
			redirect_to("register.php");
		}

Thanks for your feedback! I hope I done okay as I am learning

Edited November 6, 2015 by RedInjection

[Ch0cu3r]

 

any flaws in my coding that I am missing in terms of security?

Yes you are not sanitizing your user input values. If you don't do this then your code is open to SQL Injection attacks.

You can use mysqli_real_escape_string to sanitize your values. But as you are using mysqli then you should be using prepared statememts.

 

 

Why the two update queries here?

    $sql = "UPDATE users SET status='enabled' WHERE username='{$_GET['username']}' LIMIT 1";
	$result = $mysqli->query($sql);	
    $sql = "UPDATE users SET activation='' WHERE username='{$_GET['username']}' LIMIT 1";
	$result = $mysqli->query($sql);

You only need to to have the one, you can set the values for both the status and activation columns in the same update query.

    $sql = "UPDATE users SET status='enabled', activation='' WHERE username='{$_GET['username']}' LIMIT 1";
	$result = $mysqli->query($sql);	

[benanamen]

The key generated is a random 5 character string with a mixture of Uppercase and Numbers

 

 

Show you code for the key generation. This is where one of your problems is. @Jaques1 has posted good information on how this should be done so I am not going to repeat it.

Edited November 6, 2015 by benanamen

[RedInjection]

	function generateRandomString($length = 5) {
		$characters = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
		$charactersLength = strlen($characters);
		$randomString = '';
		for ($i = 0; $i < $length; $i++) {
			$randomString .= $characters[rand(0, $charactersLength - 1)];
		}
		return $randomString;
	}

This is my function - Is this ok?

[benanamen]

No, it is not ok, Delete that whole function and read the post from Jaques1

 

here http://forums.phpfreaks.com/topic/298729-forgotten-password/?hl=%2Bopenssl_random_pseudo_bytes&do=findComment&comment=1523846

 

about

 

http://php.net/manual/en/function.openssl-random-pseudo-bytes.php

 

AND

 

http://php.net/manual/en/function.mcrypt-create-iv.php

Edited November 6, 2015 by benanamen