Warning: file_get_contents(/data/phpspider/zhask/data//catemap/1/php/255.json): failed to open stream: No such file or directory in /data/phpspider/zhask/libs/function.php on line 167

Warning: Invalid argument supplied for foreach() in /data/phpspider/zhask/libs/tag.function.php on line 1116

Notice: Undefined index: in /data/phpspider/zhask/libs/function.php on line 180

Warning: array_chunk() expects parameter 1 to be array, null given in /data/phpspider/zhask/libs/function.php on line 181
Php 验证链接未激活帐户_Php_Mysql - Fatal编程技术网
Fatal编程技术网
  • php/
  • Php 验证链接未激活帐户

Php 验证链接未激活帐户

php mysql

Php 验证链接未激活帐户,php,mysql,Php,Mysql,因此,我在注册后发送了一个链接以验证帐户,该链接包含用户的电子邮件地址和32个字符的代码,例如: $to = $email; $subject = 'Signup | Verification'; $message = ' Thanks for signing up! Your account has been created

因此,我在注册后发送了一个链接以验证帐户,该链接包含用户的电子邮件地址和32个字符的代码,例如:

                $to      = $email;
                $subject = 'Signup | Verification';
                $message = '

                Thanks for signing up!
                Your account has been created, you can login with the following credentials after you have activated your account by pressing the url below.

                ------------------------
                Username: '.$username.'
                Password: '.$password.'
                ------------------------

                Please click this link to activate your account:
                localhost:8888/website/verify.php?email='.$email.'&hash='.$hash.'
                '; 

                $headers = 'From:myemail@email.com' . "\r\n"; 
                mail($to, $subject, $message, $headers);
这一切似乎都很好,我收到了一封带有如下链接的电子邮件:

http://localhost:8888/website/verify.php?email=myemail@email.com&hash=fe646d38bc2145ca6c3cf77d52820cd0
当我跟随链接并尝试激活帐户时,问题就出现了。我需要很好地验证.php,但我一直使用无效的方法,无法将Validation设置为1

    <?php include "includes/base.php"; ?>

    <?php

        if(isset($_GET['Email']) && !empty($_GET['Email']) AND isset($_GET['Hash']) && !empty($_GET['Hash'])){
            $email = mysql_escape_string($_GET['Email']); 
            $hash = mysql_escape_string($_GET['Hash']); 
            $search = mysql_query("SELECT Email, Hash, Validation FROM users WHERE Email = '".$email."' AND Hash = '".$hash."' AND Validation = 0") or die(mysql_error()); 
            $match  = mysql_num_rows($search);


            if($match > 0){
                mysql_query("UPDATE users SET Validation = 1 WHERE Email = '".$email."' AND Hash = '".$hash."' AND Validation = 0") or die(mysql_error());
                echo "Your account has been activated, you can now login";
            }else{
                echo "The url is either invalid or you already have activated your account.";
            }

        }else{
            echo "Invalid approach, please use the link that has been sent to your email.";
        }


    ?>



Hash
更改为
Hash
Email
更改为
Email
。(大写,但不在您发送的链接中)

此外,由于直接使用url中的值来查询数据库,代码很容易受到sql注入攻击。请使用
mysql\u real\u escape\u string
并在进行查询之前执行一些健全性检查。
1)此代码不安全,因为它有SQL注入问题。使用
请记住,mysql.*函数不再受支持,它们是

2) 关于你的代码,我发现你的GET请求的“email”和“hash”都是小写的,但是在PHP代码中你使用了$u GET[“email”]和$u GET[“hash”]。
您需要更改以下内容:


 if(isset($_GET['Email']) && !empty($_GET['Email']) AND isset($_GET['Hash']) && !empty($_GET['Hash'])){
            $email = mysql_escape_string($_GET['Email']); 
            $hash = mysql_escape_string($_GET['Hash']); 


对此


 if(isset($_GET['email']) && !empty($_GET['email']) AND isset($_GET['eash']) && !empty($_GET['eash'])){
            $email = mysql_escape_string($_GET['email']); 
            $hash = mysql_escape_string($_GET['eash']); 


或者将GET请求更改为下一个请求:


http://localhost:8888/website/verify.php?Email=myemail@email.com&Hash=fe646d38bc2145ca6c3cf77d52820cd0



PHP中有大写字母,而链接中没有大写字母


$_GET['Email']

verify.php?email=myemail@email.com



您的代码有问题。SQL注入问题。我知道,这是我清单上要解决的下一个问题。谢谢你的方法也有问题。永远不要通过邮件发送密码(除了一次性密码,比如你的散列密码)!你为什么一开始就知道密码?您应该(或者更好地必须)立即从提供的密码创建一个salted hash,存储这个密码,并尽快忘记明文密码(从内存中删除它,不要记录或存储任何内容)。其他事项:你的散列是否包含秘密?你用了安全算法吗?你的激活链接超时了吗?干杯,好了,我可能应该花点时间讨论SQL注入问题和整个mysql的情况,似乎我在几个问题中都提到了这一点。@MarkBerry:你可能想看看这个: