验证链接未激活账号
验证链接未激活账号
提问于 2013-01-31 18:47:49
因此,我在注册后发送了一个链接来验证帐户,该链接包含用户的电子邮件地址和32个字符的代码,例如:
$to = $email;
$subject = 'Signup | Verification';
$message = '
Thanks for signing up!
Your account has been created, you can login with the following credentials after you have activated your account by pressing the url below.
------------------------
Username: '.$username.'
Password: '.$password.'
------------------------
Please click this link to activate your account:
localhost:8888/website/verify.php?email='.$email.'&hash='.$hash.'
';
$headers = 'From:myemail@email.com' . "\r\n";
mail($to, $subject, $message, $headers); 这一切看起来都很好,我收到了一封电子邮件,链接如下:
http://localhost:8888/website/verify.php?email=myemail@email.com&hash=fe646d38bc2145ca6c3cf77d52820cd0当我点击链接并尝试激活帐户时,问题就来了。它可以将我带到Verify.php,但是我总是得到无效的方法,并且我无法将Validation设置为1。
<?php include "includes/base.php"; ?>
<?php
if(isset($_GET['Email']) && !empty($_GET['Email']) AND isset($_GET['Hash']) && !empty($_GET['Hash'])){
$email = mysql_escape_string($_GET['Email']);
$hash = mysql_escape_string($_GET['Hash']);
$search = mysql_query("SELECT Email, Hash, Validation FROM users WHERE Email = '".$email."' AND Hash = '".$hash."' AND Validation = 0") or die(mysql_error());
$match = mysql_num_rows($search);
if($match > 0){
mysql_query("UPDATE users SET Validation = 1 WHERE Email = '".$email."' AND Hash = '".$hash."' AND Validation = 0") or die(mysql_error());
echo "Your account has been activated, you can now login";
}else{
echo "The url is either invalid or you already have activated your account.";
}
}else{
echo "Invalid approach, please use the link that has been sent to your email.";
}
?>回答 3
Stack Overflow用户
回答已采纳
发布于 2013-01-31 18:55:27
1)此代码不安全,因为它存在SQL注入问题。使用prepared statements请记住,不再支持mysql_*函数,它们是depriated函数
2)关于您的代码,我发现您的GET请求的'email‘和'hash’都是小写的,但在PHP代码中,您可以使用$_GET'Email‘和$_GET'Hash’。您需要更改以下内容:
if(isset($_GET['Email']) && !empty($_GET['Email']) AND isset($_GET['Hash']) && !empty($_GET['Hash'])){
$email = mysql_escape_string($_GET['Email']);
$hash = mysql_escape_string($_GET['Hash']); 到这个
if(isset($_GET['email']) && !empty($_GET['email']) AND isset($_GET['eash']) && !empty($_GET['eash'])){
$email = mysql_escape_string($_GET['email']);
$hash = mysql_escape_string($_GET['eash']); 或者将GET请求更改为下一个:
http://localhost:8888/website/verify.php?Email=myemail@email.com&Hash=fe646d38bc2145ca6c3cf77d52820cd0Stack Overflow用户
发布于 2013-01-31 18:52:20
将Hash更改为hash,将Email更改为email。(大写,但不在您发送的链接中)
此外,您的代码很容易受到sql注入攻击,因为您直接使用url中的值来查询数据库。请使用mysql_real_escape_string并在进行查询之前执行一些健全性检查。
Stack Overflow用户
发布于 2013-01-31 19:00:17
PHP中有大写字母,而链接中没有大写字母
$_GET['Email']
verify.php?email=myemail@email.com页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:
https://stackoverflow.com/questions/14623923
复制相关文章
相似问题
腾讯云开发者
