Guys,
I can’t believe it’s been 21 days since my last post on this thread!
I was working on the activate_account.php.
This is the script that activates the user’s member account once he clicks the link he gets emailed to confirm his email and activate his account.
Originally, that script was working fine. But tonight, I replaced some of the working code that had risk of sql injection. I was helped by mlucak89 on prepared statements on the register.php and it was working fine. Tonight, I added the prepared statements on the activate_account.php and wanted to see if it works. In order to test it, I tried opening a member account on my xampp but for some reason I get an error on the register.php which was working few days back. Check my previous post! I really haven’t made any changes to this file but changed a variable name tonight.
Anyway, here’s the full code and error:
<?php
include 'config.php';
// check if user is already logged in
if (is_logged() === true) {
die("You are logged in, can't register.");
}
if ($_SERVER['REQUEST_METHOD'] == "POST")
{
if (isset($_POST["username"]) &&
isset($_POST["password"]) &&
isset($_POST["password_confirmation"]) &&
isset($_POST["email"]) &&
isset($_POST["email_confirmation"]) &&
isset($_POST["first_name"]) &&
isset($_POST["gender"]) &&
isset($_POST["surname"])) {
// create random hash for email confirmation
$account_activation_code = sha1(mt_rand(5, 30));
// THIS IS NOT GETTING EMAILED !!!
$account_activation_link = "http://www.'".$site_domain."'.com/'".$social_network_name."'/activate_account.php?email='".$_POST['email']."'&hash='".$account_activation_code."'";
// remove space in start of string
/*
* passwords and email are leaved unescaped here because
* if you put them into mysqli_real_escape_string they are not empty
*/
$username = trim(mysqli_real_escape_string($conn, $_POST["username"]));
$password = $_POST["password"];
$password2 = $_POST["password_confirmation"];
$first_name = trim(mysqli_real_escape_string($conn, $_POST["first_name"]));
$surname = trim(mysqli_real_escape_string($conn, $_POST["surname"]));
$gender = trim(mysqli_real_escape_string($conn, $_POST["gender"]));
$email = $_POST["email"];
$email_confirmation = $_POST["email_confirmation"];
$email2 = trim(mysqli_real_escape_string($conn, $email)); // Escaped email for inserting into database.
$account_activation = 0; // 1 = active | 0 = not active
//Hashed Password.
$hashed_password = password_hash("$password", PASSWORD DEFAULT);
//Select Username and Email to check against Mysql DB if they are already registered or not.
$stmt = mysqli_prepare($conn, "SELECT usernames, emails FROM users WHERE usernames = ? OR emails = ?");
mysqli_stmt_bind_param($stmt, 'ss', $username, $email);
mysqli_stmt_execute($stmt);
$result = mysqli_stmt_get_result($stmt);
$row = mysqli_fetch_array($result, MYSQLI_ASSOC);
// Check if inputted Username is already registered or not.
if ($row['usernames'] == $username) {
$_SESSION['error'] = "That username is already registered.";
// Check if inputted Username is between 8 to 30 characters long or not.
} elseif (strlen($username) < 8 || strlen($username) > 30) {
$_SESSION['error'] = "Username must be between 8 to 30 characters long!";
// Check if inputted Email is already registered or not.
} elseif ($row['emails'] == $email) {
$_SESSION['error'] = "That email is already registered.";
// Check if both inputted EMails match or not.
} elseif ($email != $email_confirmation) {
$_SESSION['error'] = "Emails don't match!";
// Check if inputed Email is valid or not.
} elseif (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
$_SESSION['error'] = "Invalid email! Insert your real Email in order for us to email you your account activation details.";
// Check if both inputted Passwords match or not.
} elseif ($password != $password2) {
$_SESSION['error'] = "Passwords don't match.";
// Check if Password is between 8 to 30 characters long or not.
} elseif (strlen($password) < 8 || strlen($password) > 30) {
$_SESSION['error'] = "Password must be between 6 to 30 characters long!";
} else {
//Insert the user's input into Mysql database using php's sql injection prevention method.
$stmt = mysqli_prepare($conn, "INSERT INTO users(usernames, passwords, emails, first_names, surnames, genders, accounts_activations_codes, accounts_activations) VALUES (?, ?, ?, ?, ?, ?, ?, ?)");
mysqli_stmt_bind_param($stmt, 'sssssssi', $username, $hashed_pass, $email2, $first_name, $surname, $gender, $registration_random_numbers, $account_activation);
mysqli_stmt_execute($stmt);
//Check if user's registration data was successful submitted or not.
if (mysqli_stmt_insert_id($stmt)) {
echo "<h3 style='text-align:center'>Thank you for your registration.<br /> Redirecting you to the login page ...</h3>";
//Redirect user to login page after 5 seconds.
header("refresh:5;url=login.php");
//Clear the Session Error so it can no longer be used.
unset($_SESSION['error']);
unset($_POST);
exit();
//Send accoutn activation link by email for user to confirm his email and activate his new account.
$to = $email;
$subject = "Your ".$site_name." account activation !";
$body = nl2br("
===============================\r\n
".$site_name." \r\n
===============================\r\n
From: ".$site_admin_email."\r\n
To: ".$email."\r\n
Subject: Yours ".$subject." account activation \r\n
Message: ".$first_name." ".$surname."\r\n You need to click on following <a href=".$site_domain.'activate_account.php?hash='.$account_activation_link.">link</a> to confirm your email address and activate your account. \r\n");
$headers = "From: " . $site_admin_email . "\r\n";
if (mail($to,$subject,$body,$headers)) {
$_SESSION['error'] = "Registration sucessfull. Check your email for further instructions!";
} else {
$_SESSION['error'] = "Email not sent, please contact website administrator.";
}
*/
} else {
$_SESSION['error'] = "There was a problem in trying to register you! Try again some other time.";
}
}
}
}
?>
<!DOCTYPE html>
<html>
<head>
<title><?php $social_network_name ?> Signup Page</title>
</head>
<body>
<div class ="container">
<?php
// error messages
if (isset($_SESSION['error']) && !empty($_SESSION['error'])) {
echo '<p style="color:red;">'.$_SESSION['error'].'</p>';
}
?>
<form method="post" action="">
<center><h2>Signup Form</h2></center>
<div class="form-group">
<center><label>Username:</label>
<input type="text" placeholder="Enter a unique Username" name="username" required [A-Za-z0-9] value="<?php if(isset($_POST['username'])) { echo htmlentities($_POST['username']); }?>"></center>
</div>
<div class="form-group">
<center><label>Password:</label>
<input type="password" placeholder="Enter a new Password" name="password" required [A-Za-z0-9]></center>
</div>
<div class="form-group">
<center><label>Repeat Password:</label>
<input type="password" placeholder="Repeat a new Password" name="password_confirmation" required [A-Za-z0-9]></center>
</div>
<div class="form-group">
<center><label>First Name:</label>
<input type="text" placeholder="Enter your First Name" name="first_name" required [A-Za-z] value="<?php if(isset($_POST['first_name'])) { echo htmlentities($_POST['first_name']); }?>"></center>
</div>
<div class="form-group">
<center><label>Surname:</label>
<input type="text" placeholder="Enter your Surname" name="surname" required [A-Za-z] value="<?php if(isset($_POST['surname'])) { echo htmlentities($_POST['surname']); }?>"></center>
</div>
<div class="form-group">
<center><label>Gender:</label>
<input type="radio" name="gender" value="male" <?php if(isset($_POST['gender'])) { echo 'checked'; }?> required>Male<input type="radio" name="gender" value="female" <?php if(isset($_POST['gender'])) { echo 'checked'; }?> required>Female</center>
</div>
<div class="form-group">
<center><label>Email:</label>
<input type="email" placeholder="Enter your Email" name="email" required [A-Za-z0-9] value="<?php if(isset($_POST['email'])) { echo htmlentities($_POST['email']); }?>"></center>
</div>
<div class="form-group">
<center><label>Repeat Email:</label>
<input type="email" placeholder="Repeat your Email" name="email_confirmation" required [A-Za-z0-9] value="<?php if(isset($_POST['email_confirmation'])) { echo htmlentities($_POST['email_confirmation']); }?>"></center>
</div>
<center><button type="submit" class="btn btn-default" name="submit">Register!</button></center>
<center><font color="red" size="3"><b>Already have an account ?</b><br><a href="login.php">Login here!</a></font></center>
</form>
</div>
</body>
</html>
It said error on line 42. Line 42 looked like this:
$hashed_password = password_hash($password, PASSWORD DEFAULT);
I now changed it to:
$hashed_password = password_hash(“$password”, PASSWORD DEFAULT);
but error still remains. What do you think is wrong ?
Here is the error:
Parse error: syntax error, unexpected ‘DEFAULT’ (T_DEFAULT), expecting ‘,’ or ‘)’ in C:\xampp\htdocs\test\register_editing.php on line 42
And, here is my activate_account.php, do check the prepared statements. I have a feeling I got it wrong.
<?php
session_start();
require "conn.php";
//Grab User's (account activator's) email and account activation code from account activation link's url. Check for email and account activation code details in the account activation link's url.
if(!isset($_GET["email"], $_GET["registration_account_activation_code"]) === TRUE)
{
$_SESSION['error']="Invalid Email Address! Invalid Account Activation Link! This email is not registered! Try registering an account if you do not already have one! <a href=\"register.php\">Register here!</a>";
exit();
}
else
{
$confirming_email = trim(mysqli_real_escape_string($conn,$_GET["email"])));
$account_activation_code = trim(mysqli_real_escape_string($conn,$_GET["registration_random_numbers"])));
//Check User's Confirmed Email and Account Activation Code against the "users" tbl to see if it has already been registered or not. Do this by selecting the Confirmed Email and Account Activation code to check against Mysql DB if they match or not.
$stmt = mysqli_prepare($conn, "SELECT emails, accounts_activations_codes FROM users WHERE emails = ? OR accounts_activations_codes = ?");
mysqli_stmt_bind_param($stmt, 'si', $confirming_email, $account_activation_code);
mysqli_stmt_execute($stmt);
//If the account activation code matches with the confirmed Email in the same row in the MySql DB then check if user has already activated his account or not.
if (mysqli_stmt_insert_id($stmt))
{
while($row = mysqli_fetch_assoc($result))
{
$db_account_activation = $row["account_activations"];
if($db_account_activation != 0)
{
echo "<script>alert('Since your account is already activated, why are you trying to activate it again ? Do not do that again and just login!')</script>";
echo "Since your account is already activated, why are you trying to activate it again ? Do not do that again and just login from <a href=\"login.php\">this webpage</a> next time! Make a note of that webpage, ok ?";
$conn->close();
exit();
}
else
{
//Dump the account confirming User's details onto the same row in the "users" table.
if (mysqli_stmt_insert_id($stmt))
{
$stmt = "UPDATE users SET account_activations VALUES (?) WHERE emails = '".$db_confirmed_email."'";
//Bind the variables to the parameter as strings an an integer.
mysqli_stmt_bind_param($stmt, 'i', $account_activation);
//Execute the statement.
mysqli_stmt_execute($stmt);
if (mysqli_stmt_insert_id($stmt))
{
echo "<h3 style='text-align:center'>Thank you for your confirming your email and activating your account.<br /> Redirecting you to the login page ...</h3>";
$_SESSION["user"] = $db_username;
//Redirect newly activated user to his/her account homepage.
header("location:home.php");
}
}
}
}
}
else
{
echo "<script>alert('Invalid Email Address or Invalid Account Activation Link! This Email $confirming_email was not pending registration with this Account Activation Code $account_activation_code! Try registering an account!')</script>";
echo "Invalid Email Address or Invalid Account Activation Link! This Email $confirming_email was not pending registration with this Account Activation Code $account_activation_code!
Try registering an account if you have not already done so! <a href=\"register.php\">Register here!</a>";
$conn->close();
exit();
}
}
?>
Basically, when you register an account, the registration.php script ads “0” to column “account_activations” in “users” tbl and emails you the account activation link.
When you click that link and confirm your email, the account_activation.php script is supposed to UPDATE the “0” to “1” on the “account_activations” column. That’s all there is to it. A very simple script.
Thanks for your all help!