You may remember that, I was building a member registration and login script few weeks ago.
I am now continuing it.
It has registration.php, login.php and account_activation.php.
So, when a user registers, the users tbl in the database holds the value "0" in the "account_activation" column and holds the "account activation random numbers (hashed)" as part of the account activation link.
User, then gets emailed a link (account activation link that contains the random numbers) to click to confirm his email and activate his account. When the user clicks this account activation link, the "account_activation.php" script gets triggered and takes-over.
That script, first grabs the user's "email" and "account activation random numbers" details (GET Method) and checks them both against the "users" tbl. If it finds a match then it activates the account and creates a session. Names the session under the username. Then, redirects the user to his account homepage. He no longer needs to type his username and password to login as he is auto logged-in the very moment he clicks the link and activates his account.
This is very basic and standard stuff.
I am providing below the account_activation.php. I need you to look at it and tell me if I got the PREPARED STATEMENTS (Binding) correct or not. Throughout the code, I have included comments to make it easy for you to understand what I want the next line of codes to do.
Note that, I have a former version of this account_activation.php that is working 100%. However, that former version does not prevent sql injection (makes no use of PREPARED STATEMENTS). Hence, I created this new version withe the PREPARED STATEMENTS. I am not sure if I got the BINDING correct or not. I tried checking how the script is functioning by uploading the db to my website to test it on my website but having problems importing it to my website. Originally, I created this script and tested it on xampp. hence, the database and tbl is on xampp. I opened a ticket with my webhost for them to upload the db to my website. In the meanwhile, while I wait for their reply, we might aswell check the script and correct any errors. What do you say ?
Thanks for your help. Any code suggestions are welcome.
//Grab User's (account activator's) email and account activation code from account activation link's url. Check for email and account activation code details in the account activation link's url.
if(!isset($_GET["email"], $_GET["account_activation_code"]) === TRUE)
$_SESSION['error']="Invalid Email Address! Invalid Account Activation Link! This email is not registered! Try registering an account if you do not already have one! <a href=\"register.php\">Register here!</a>";
$confirming_email = trim(mysqli_real_escape_string($conn,$_GET["email"])));
$account_activation_code = trim(mysqli_real_escape_string($conn,$_GET["account_activation_code"])));
Check User's Confirmed Email and Account Activation Code against the "users" tbl to see if it has already been registered or not.
Do this by selecting the Confirmed Email and Account Activation code to check against Mysql DB if they match or not.
$stmt = mysqli_prepare($conn, "SELECT emails, accounts_activations_codes FROM users WHERE emails = ? AND accounts_activations_codes = ?");
mysqli_stmt_bind_param($stmt, 'si', $confirming_email, $account_activation_code);
If the account activation code matches with the confirming Email in the same row in the MySql DB then check if user has already activated his account or not.
Check if the associated row is 0" or "1". Must be "0" to indicate account activation is pending.
while($row = mysqli_fetch_assoc($result))
$db_username = $row["usernames"];
$db_confirmed_email = $row["emails"];
$db_account_activation = $row["account_activations"];
//If "account_activation" row shows "not equal to 0 (is: 1)", then show error indicating account has already been activated. Then re-direct user to Log-in Page.
if($db_account_activation != 0)
echo "<script>alert('Since your account is already activated, why are you trying to activate it again ? Do not do that again and just login!')</script>";
echo "Since your account is already activated, why are you trying to activate it again ? Do not do that again and just login from <a href=\"login.php\">this webpage</a> next time! Make a note of that webpage, ok ?";
//Dump the account confirming User's details onto the same row in the "users" table.
// Are lines 42 to 48 (next 5 lines) really necessary ?
$stmt = mysqli_prepare($conn, "SELECT usernames, emails, account_actvations FROM users WHERE usernames = ? AND emails = ? AND account_activations_codes = ?");
mysqli_stmt_bind_param($stmt, 'ssi', $username, $email, $account_activations_code);
$result = mysqli_stmt_get_result($stmt);
// Update 'account_activation' row to '1' to indicate account and email has now been confirmed.
$stmt = mysqli_prepare($conn, "UPDATE users SET account_activations = ? WHERE emails = ? AND account_activation_codes = ?";
mysqli_stmt_bind_param($stmt, 'isi', 1, $db_confirmed_email, $account_activations_code);
//Execute the statement.
//If statement execution a success then create a session under the user's Username.
echo "<h3 style='text-align:center'>Thank you for your confirming your email and activating your account.<br /> Redirecting you to the login page ...</h3>";
$_SESSION["user"] = $db_username;
//Redirecting the newly account activated user to his/her account homepage by identifying the user by his/her session name (username).
//Give error that this email address (from where the user is clicking the account activation and email confirmation link) is not pending registration. Provide the unregistered user the registration link.
echo "<script>alert('Invalid Email Address or Invalid Account Activation Link! This Email $confirming_email was not pending registration with this Account Activation Code $account_activation_code! Try registering an account!')</script>";
echo "Invalid Email Address or Invalid Account Activation Link! This Email $confirming_email was not pending registration with this Account Activation Code $account_activation_code!
Try registering an account if you have not already done so! <a href=\"register.php\">Register here!</a>";
Also, uploading in this post the script. Incase, you want to download it and test it on your computer/server.
activate_account_edited.php (4.6 KB)