User activation help

Question

Tekkno 1 Junior Poster

15 Years Ago

In order for my users to log in they have to activate their account through email. The activation works fine. The trouble I am having is displaying a message at login if the user has not activated. Here is the activation script:

<?php
require "connect.php";

if(isset($_GET['u'])){
//make sure that 'u' is numeric
if(is_numeric($_GET['u'])){
$u=$_GET['u'];
}else{
$u=0;
}
}

if(isset($_GET['a_code'])){
$code=$_GET['a_code'];
}else{
$code=0;
}

//Check to see if the received values are correct
$sql = "SELECT * FROM members WHERE uid = '".$u."' AND actcode = '".md5(0)."'";
if(($u > 0) && (strlen($code)) == 32){

//now activate the user
$sql="UPDATE members SET actcode ='".md5(1)."' WHERE uid = '".$u."'";

$res = mysql_query($sql) or die(mysql_error());

if(mysql_affected_rows() == 1){

//update successful
echo ('Your account is now activated. You may proceed and log in.<br/><br /><a href="http://www.eternalhour.com/login.php">Login Page</a>');
}else{
echo ('Your account could not be activated. Please try again or contact the site admin.<br/><br/><a href="http://www.eternalhour.com/registration_form.php">Registration Page</a>');
}
}
?>

I have tried setting up a query then using a $_GET to compare the codes.
But I am imagining the code for the login script will look something like:

if(isset($_GET['u'])){
$u=$_GET['u'];
}

$sql = "SELECT * FROM members WHERE uid = '".$u."' AND actcode = '".md5."'";
if($row['actcode']) == (md5(1)){

}else{
$msg = "You need to activate your account before logging in.";
}

But what I don't understand, is how to verify that the string == md5(1). Could someone help me please?

php

3 Contributors
8 Replies
228 Views
1 Day Discussion Span
Latest Post 15 Years Ago Latest Post by Tekkno

Josh Connerty 20 Unverified User

15 Years Ago

When a user registers you must provide a link to the verification page with two get variables U & AID (activation ID), you must also store these details in the table.

When it verifies a user then remove all values from the AID field thus leaving it blank.

Then when it comes to logging them in then you only need to check if the field value is true, if it is then they haven't vrified there account if it isn't then they have and you can create the cookie.

somedude3488 228 Nearly a Posting Virtuoso

15 Years Ago

My script goes on its own page called activate.php.

In your login script you should get the user via a username/email which you have probably already done.
ex.

$username = mysql_real_escape_string( $_POST['user'] ); //username from form
$query = mysql_query("SELECT `password`,`active` FROM `table_name` WHERE `username` = '{$user}' LIMIT 1");
if ( mysql_num_rows( $query ) == 0 ) {
  $msg = 'Username and/or Password incorrect'; //never be specific
}
else {
  list( $password,$active ) = mysql_fetch_row( $query );
  if ( $active !== 1 ) {
    $msg = 'You need to activate your account before logging in.';
  }
  else {
    //check the password and set login session here. Your passwords should be hashed.
  }
}

Make sure your passwords are hashed as well.

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

Tekkno 1 Junior Poster · Answer 1 · 2009-08-28T11:59:15+00:00

I have an activation script in place, which works just fine. I'd rather not change the script I have, because everything works perfectly as it is. The users can log in, if they have activated. I am just looking for a way to find out if they have activated from my login script, so I can notify them that they need to activate in order to log in.

somedude3488 228 Nearly a Posting Virtuoso · Answer 2 · 2009-08-28T12:58:28+00:00

You aren't understanding how an activation script works. As of right now yours makes no sense. The values you are passing via get are not even being used in your queries.

The point of an activation script is to send a unique random number that is hard to guess (md5 of 1 will be the same every time, thats pointless). This helps make sure that the link was sent to their email address only and no one elses. The activation script needs to get the values from the url and use them in the database to identify the user that registered and mark them as 'active'.

Tekkno 1 Junior Poster · Answer 3 · 2009-08-28T13:53:25+00:00

Well forgive me for not being an expert, but why do you think I am here asking? You may know PHP better than I do, but your people skills really need some work. My script is obviously incorrect, thanks for the criticism.

somedude3488 228 Nearly a Posting Virtuoso · Answer 4 · 2009-08-28T14:22:36+00:00

On forums I tend to say things without the other persons feelings in mind (probably this is is because its not a face to face conversation). I didn't realize how rude that sounded until after I read again. For that, I apologize.

To make up for it, I will tell you exactly what to do.

On your registration page you need to create the link, email it, and save the random string in the database. I usually use a column named 'active' for this.

//this is after form validates and you are about to insert the data into the database
function randString( $length ) {
	$array = array("b","c","d","f","g","h","j","k","l","m","n","p","q","r","s","t","v","w","x","y","z","B","C","D","F","G","H","J","K","L","M","N","P","Q","R","S","T","V","W","X","Y","Z","0","1","2","3","4","5","6","7","8","9");
	$i = 0;
	$code = '';
	while ( $i < $length ) {
		$rand = rand( 0,( count( $array ) - 1 ) );
		$code .= $array[$rand];
	$i++;
	}
	return $code;
}
$code = randString(50);
mysql_query("INSERT INTO `members` (....column names....,'active') VALUES (....values here....,'{$code}')") or die(mysql_error()); //shows how you insert the code
$message = "Welcome to something.com,\n\nTo activate your account click the link below:\n\nhttp://www.something.com/activate.php?id=" . mysql_insert_id() . "&code={$code}\n\nBest regards,\n\nAdmin\nSomething.com (info@something.com)";
mail('email of user from form','Email Confirmation',$message,"From: Something.net<no-reply@something.net>"); //sends the activation email with the id of the user and activation code.

On activate.php, we use the id and the code the id the user and set them to active.

if ( isset( $_GET['id'],$_GET['code'] ) ) {
  $id = (int) $_GET['id'];
  $code = mysql_real_escape_string( $_GET['code'] );
  $query = mysql_query("SELECT `active` FROM `members` WHERE `id` = {$id}");
  if ( mysql_num_rows( $query ) == 1 ) {
    list( $active ) = mysql_fetch_rows( $query );
    if ( $active == 1 ) {
       die('User account has already been activated');
    }
    elseif ( $active == $code ) {
      mysql_query("UPDATE `members` SET `active` = 1 WHERE `id` = {$id}"); //sets the member to active.
    }
    else {
      die('Invalid activation code');
    }
  }
  else {
    die('User not found!');
  }
}
else {
  die('Malformed URL');
}

In your login script all you need to do is add ' AND `active` = 1' in your query.

Tekkno 1 Junior Poster · Answer 5 · 2009-08-29T01:34:49+00:00

Apology accepted, it was obviously not intentional. Thanks for this code keith, but this brings me back to my original question. With your script, how do I notify the user at login that they need to activate their account in order to log in?

if ( isset( $_GET['id'],$_GET['code'] ) ) {
  $id = (int) $_GET['id'];
  $code = mysql_real_escape_string( $_GET['code'] );
  $query = mysql_query("SELECT `active` FROM `members` WHERE `id` = {$id}");

if($row['active']) == 1){
 
}else{

$msg = "You need to activate your account before logging in.";

}

Maybe?

Tekkno 1 Junior Poster · Answer 6 · 2009-08-29T12:15:29+00:00

Unfortunately Keith, I could not get my activation working with the script you posted. However, after changing the way my activation works and adjusting the login script, I was able to get everything working properly. Thanks for your time and effort.