[SOLVED] user activation via email

[runnerjp]

."$url = 'http://www.runnerselite.com/website/activate.php?hash=".md5($userid)."&key="($key);

 

 

 

 

then on the activate.php

 

UPDATE users
SET status = 1
WHERE (userid= "'.md5($_GET['userid']).'") AND (key = '($_GET['key'].') ?>

 

 

is this correct ??? tried it and does not seme to work

[PC Nerd]

hmmm, um try and echo out your actual query variables..... see if its working or actually adding the brackets to the string.....

 

 

i think its better practice to use string concatination eg "string"."string" etc, so id recommend you try that.

 

gdlk

 

[MadTechie]

try

"UPDATE users
SET status = '1'
WHERE userid= '".md5($_GET['hash']."' AND key = '".$_GET['key']."'"

[BlackenedSky]

You're sending the user id to the page via the variable "hash" not "userid", and it's already md5'd in your URL.

 

hash=".md5($userid)

md5($_GET['userid'])

 

Also is userid stored as an md5 in your table? If so why? It adds in extra overhead using it encrypted when there is no need usually. Passwords yes, usernames not really.

[runnerjp]

ahh wait im getting Parse error: syntax error, unexpected '('  for this

 

 

 

."$url = 'http://www.runnerselite.com/website/activate.php?hash=".md5($userid)."&key="($key);

[MadTechie]

."$url = 'http://www.runnerselite.com/website/activate.php?hash=".md5($userid)."&key=($key)";

 

[runnerjp]

Parse error: syntax error, unexpected T_STRING

 

<? UPDATE users
SET status = '1'
WHERE userid= '".md5($_GET['hash']."' AND key = '".$_GET['key']."' ?>

 

 

You're sending the user id to the page via the variable "hash" not "userid", and it's already md5'd in your URL.

 

hash=".md5($userid)

md5($_GET['userid'])

 

Also is userid stored as an md5 in your table? If so why? It adds in extra overhead using it encrypted when there is no need usually. Passwords yes, usernames not really.

 

i used id as id no 1..2...3...4...5..6...7...8...9

i hased them as i belive its safer to do this as i have found if people find id numbers they seem to be able to mess around with code

 

[MadTechie]

missed the last "

<? UPDATE users
SET status = '1'
WHERE userid= '".md5($_GET['hash']."' AND key = '".$_GET['key']."'" ?>

[seb hughes]

Parse error: syntax error, unexpected T_STRING

 

<? UPDATE users
SET status = '1'
WHERE userid= '".md5($_GET['hash']."' AND key = '".$_GET['key']."' ?>

 

 

You're sending the user id to the page via the variable "hash" not "userid", and it's already md5'd in your URL.

 

hash=".md5($userid)

md5($_GET['userid'])

 

Also is userid stored as an md5 in your table? If so why? It adds in extra overhead using it encrypted when there is no need usually. Passwords yes, usernames not really.

 

i used id as id no 1..2...3...4...5..6...7...8...9

i hased them as i belive its safer to do this as i have found if people find id numbers they seem to be able to mess around with code

 

 

If your code was secure. then other people wouldn't be able to mess aroudn with the code.

[runnerjp]

ok now i get Parse error: syntax error, unexpected ';' for WHERE userid= '".md5($_GET['hash']."' AND key = '".$_GET['key']."'"

 

 

and also i dont see the problem with hashing ID to make them more secure?

[MadTechie]

ADD THE ; at the end

 

Theirs a Ton of holes in the code you have posted..

 

even the short code above has a secuity hole

 

Oh i give!

[runnerjp]

; sorry i did actually try adding it before i posted this... sorry shud mentioned that

 

wats the security hole in code above

[seb hughes]

; sorry i did actually try adding it before i posted this... sorry shud mentioned that

 

wats the security hole in code above

 

People are able to do SQL injection and probs do XSS on it tooo.

[runnerjp]

but by blockin all charateristics but letters and numbers this can be stopped yes  ( nd also even with

"UPDATE users
SET status = '1'
WHERE userid= '".md5($_GET['hash']."' AND key = '".$_GET['key']."'";

i still get the error Parse error: syntax error, unexpected ';' in /home/runnerse/public_html/website/activate.php on line 3

 

[MadTechie]

"UPDATE users
SET status = '1'
WHERE userid= '".md5($_GET['hash'])."' AND key = '".$_GET['key']."'";

[runnerjp]

ahh good call   didt see ) was missed

 

 

ok after viewing it and stuff iv noticed that when the email is sent its not getting the random key!

 

function randomkeys($length){

$pattern="1234567890abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ";

for($i=0; $i<$length; $i++) $key.=$pattern{rand(0,61)};

return $key;

 

which is inserted into the database $key

 

so ."$url = 'http://www.runnerselite.com/website/activate.php?hash=".md5($userid)."&key=($key)"; should get the username and the key.... but it only gets the user name.

[MadTechie]

try

 

<?php
$length = 8;
echo substr(md5(mt_rand( 0,65536)),0,$length);

?>

 

its kinda simple but random!

[runnerjp]

yes but the code actually makes the random code

 

its just that "&key=($key)"does not pick it up

 

[runnerjp]

tY25fNtD3qxLMvc27EyLiZ0xwS7dDy --- this was the key that was made

[seb hughes]

yes but the code actually makes the random code

 

its just that "&key=($key)"does not pick it up

 

 

Why do you have $key in ()?

[runnerjp]

well i tired &key=$key and that does not work and im sure u have to put it in ()

[MadTechie]

post that section of code. 

 

As a note

PHP Cookbook by O'Reilly isn't bad

[runnerjp]

."$url = 'http://www.runnerselite.com/website/activate.php?hash=".($usename)."$key";

 

 

 

iv changed it so it matches the user name with the key now! but it still does not work

[MadTechie]

post that section of code. 

 

As a note

PHP Cookbook by O'Reilly isn't bad

[runnerjp]

post wat section of code :S i thought i did