Email activation for a particular person

Hey guys!

I am trying to do an email activation but at the moment, if I were to click the email link for that particular user, all of the users in my database will be set to activate. I am thinking about doing something like this but it still doesn’t work


include_once 'dbh.php';

$sql = "SELECT user_uid from users";
$result = mysqli_query($conn, $sql);
$resultCheck = mysqli_num_rows($result);
if ($resultCheck > 0) {
   while ($row = mysqli_fetch_assoc($result)){
      $userid = $row['user_uid'];

   $sql = "UPDATE users
        SET user_activate = '1' WHERE user_uid='$userid'";
   mysqli_query($conn, $sql);

I am trying to set activate = 1 only for that particular user…

You should probably take some time and study some login/registration tutorials to get the logic down. It’s going to be a slow process if you try to hack through this step by step not understanding what you’re doing.

The issue is that this query retrieves all users. If you are hoping to select a user by their email address, then you need to pass that email address into the code, and use it as a condition in your query. If the users table includes both the user-id and the email address, though, there’s no need to run the first query, retrieve the user id and then update the table:

UPDATE users SET user_activate = '1' WHERE user_email = ?"

and then pass the selected email address into the query as your parameter.

I have seen another website where they did something like this…

$sql=" select user_email user_token user_account where user_email=‘$email and user_token=’$token’ and user_token=‘0’";

Finding some results in the database then updating the user but are you doing prepare statement because you have ? In your user_email? Why did you put a question mark?

I also realised that all of them use get instead of post… is that because get can obtain the information from the url?

Yes, I was using a prepared statement.

Maybe, it can be less complex to have a hyperlink to pass the information via the URL than to have a form to post it, though it’s only a minor thing. But it’s a bit easier to spoof the information that gets passed around using a URL (but apparently only a bit easier), which is another reason for using a prepared statement to help with your security.

Surely that would only work if $token is ‘0’, or was that a typo towards the end? You’ve also got a missing single quote in there which would throw a syntax error, and if your token included a quote, that would also throw a syntax error after you fixed the first one. But it wouldn’t if you used a prepared statement, because that handles quotes for you.

You have to use prepared statements when there is a user input being passed. The reason why people use prepared statements is that it is a safer way for dealing with user input field. Prepared statements will not execute the input as a literal SQL statement. Whereas if you don’t use prepared statements and the user supplies inputs that are SQL, then you are screwed. This is where the term SQL Injection comes from. SQL Injection doesn’t come from PHP specifically. It comes from bad coding and inexperience. Where ever you have

  • SET

Then you will have to use prepared statements. Since there are 2 different database libraries, then there are 2 different ways. mysqli_ only has the question mark placeholders while PDO have the named placeholders and question mark placeholders.

1 Like

Here’s a good example of why I was telling you you need to step back and study the logic and understand it. The email and the token column should be unique in the database, therefore you do not need both in a where condition. In the case of validating a users email, you only need to have the token in the where since that’s what you are comparing. No two users should ever have the same token. Once the token is validated it should be deleted and the status set to 1. Make sure your token generation code is up to current coding standards. Use random bites to generate a CSPRNG that is available in PHP 7. If you’re running a version less than that it’s time to upgrade.

Thanks… i found a website on how to do this… i just forgot that each user should haveca different email address because i was testing out on my local server with 2 users having the same email but that didn’t work…if they have a different email, then it does work

You need to set a unique constraint on the email, token and username columns. The databases is the foundation of all the code you will ever write against it. Is important to make sure that the database is correct before you start writing code.

1 Like

User accounts are typically a two stage process. eg. A new user fills out a form and submits it . The form sends the POST values to the server and the information is entered into the database.

At this point the user is registered, but not authenticated (activated).

The server then sends an email to the given address something like “If this is really you, click this link”. The email does not have a POST form, it has a URL with a (short lived) hashed token as a GET query parameter. When the link is followed, it can be reasonably assumed that the submitted registration information was correct.

At this point the user is authenticated.

IMHO it would be wise to not combine the registration and authentication into a single step.

1 Like

This topic was automatically closed 91 days after the last reply. New replies are no longer allowed.