Php 验证链接未激活帐户
因此,我在注册后发送了一个链接以验证帐户,该链接包含用户的电子邮件地址和32个字符的代码,例如:Php 验证链接未激活帐户,php,mysql,Php,Mysql,因此,我在注册后发送了一个链接以验证帐户,该链接包含用户的电子邮件地址和32个字符的代码,例如: $to = $email; $subject = 'Signup | Verification'; $message = ' Thanks for signing up! Your account has been created
$to = $email;
$subject = 'Signup | Verification';
$message = '
Thanks for signing up!
Your account has been created, you can login with the following credentials after you have activated your account by pressing the url below.
------------------------
Username: '.$username.'
Password: '.$password.'
------------------------
Please click this link to activate your account:
localhost:8888/website/verify.php?email='.$email.'&hash='.$hash.'
';
$headers = 'From:myemail@email.com' . "\r\n";
mail($to, $subject, $message, $headers);
这一切似乎都很好,我收到了一封带有如下链接的电子邮件:
http://localhost:8888/website/verify.php?email=myemail@email.com&hash=fe646d38bc2145ca6c3cf77d52820cd0
当我跟随链接并尝试激活帐户时,问题就出现了。我需要很好地验证.php,但我一直使用无效的方法,无法将Validation设置为1
<?php include "includes/base.php"; ?>
<?php
if(isset($_GET['Email']) && !empty($_GET['Email']) AND isset($_GET['Hash']) && !empty($_GET['Hash'])){
$email = mysql_escape_string($_GET['Email']);
$hash = mysql_escape_string($_GET['Hash']);
$search = mysql_query("SELECT Email, Hash, Validation FROM users WHERE Email = '".$email."' AND Hash = '".$hash."' AND Validation = 0") or die(mysql_error());
$match = mysql_num_rows($search);
if($match > 0){
mysql_query("UPDATE users SET Validation = 1 WHERE Email = '".$email."' AND Hash = '".$hash."' AND Validation = 0") or die(mysql_error());
echo "Your account has been activated, you can now login";
}else{
echo "The url is either invalid or you already have activated your account.";
}
}else{
echo "Invalid approach, please use the link that has been sent to your email.";
}
?>
将Hash
更改为Hash
,Email
更改为Email
。(大写,但不在您发送的链接中)
此外,由于直接使用url中的值来查询数据库,代码很容易受到sql注入攻击。请使用mysql\u real\u escape\u string
并在进行查询之前执行一些健全性检查。1)此代码不安全,因为它有SQL注入问题。使用
请记住,mysql.*函数不再受支持,它们是
2) 关于你的代码,我发现你的GET请求的“email”和“hash”都是小写的,但是在PHP代码中你使用了$u GET[“email”]和$u GET[“hash”]。
您需要更改以下内容:
if(isset($_GET['Email']) && !empty($_GET['Email']) AND isset($_GET['Hash']) && !empty($_GET['Hash'])){
$email = mysql_escape_string($_GET['Email']);
$hash = mysql_escape_string($_GET['Hash']);
对此
if(isset($_GET['email']) && !empty($_GET['email']) AND isset($_GET['eash']) && !empty($_GET['eash'])){
$email = mysql_escape_string($_GET['email']);
$hash = mysql_escape_string($_GET['eash']);
或者将GET请求更改为下一个请求:
http://localhost:8888/website/verify.php?Email=myemail@email.com&Hash=fe646d38bc2145ca6c3cf77d52820cd0
PHP中有大写字母,而链接中没有大写字母
$_GET['Email']
verify.php?email=myemail@email.com
您的代码有问题。SQL注入问题。我知道,这是我清单上要解决的下一个问题。谢谢你的方法也有问题。永远不要通过邮件发送密码(除了一次性密码,比如你的散列密码)!你为什么一开始就知道密码?您应该(或者更好地必须)立即从提供的密码创建一个salted hash,存储这个密码,并尽快忘记明文密码(从内存中删除它,不要记录或存储任何内容)。其他事项:你的散列是否包含秘密?你用了安全算法吗?你的激活链接超时了吗?干杯,好了,我可能应该花点时间讨论SQL注入问题和整个mysql的情况,似乎我在几个问题中都提到了这一点。@MarkBerry:你可能想看看这个: