So I’m working on a website where we want users to sign up for a private beta. When the user clicks submit on the sign up page, a php code puts their name, email, and a randomly generated 32-character hash into a table in my database. It then sends the user an email which contains a verification link which includes the user’s email address and the hash for ultimate security. It looks like this:
domain.com/b/verify.php?email=sample@sample.com&hash=1a2a3a4a5a6a7a8a9a8a7a6a5a4a3a2a
When they click this link,it sends them to the verify.php page, which takes the email and hash from the url and checks for a match in the previously mentioned database. If there’s a match, it generates another message. If there is no match, it says “invalid url or you haven’t signed up.” Also, the database table contains a column called “active,” which is set to 0 by default but changed to 1 when the link is clicked. The verify.php code checks to make sure active is set to 0 before displaying the match message so that the link can only be used once.
The message displayed when it matches gives them a link to my phpbb3 registration page, which has been modified. The link looks like this:
domain.com/phpbb/ucp.php?mode=register&email=sample@sample.com&hash=1a2a3a4a5a6a7a8a9a8a7a6a5a4a3a2a
I’ve modified my ucp.php file in my forum’s root directory to look like this:
case 'register':
// Database info (which I stupidly forgot not to hide prior to this...
if(isset($_GET['email']) && !empty($_GET['email']) AND isset($_GET['hash']) && !empty($_GET['hash'])){
// Verify data
$email = mysql_escape_string($_GET['email']); // Set email variable
$hash = mysql_escape_string($_GET['hash']); // Set hash variable
$search = mysql_query("SELECT email, hash FROM users WHERE email='".$email."' AND hash='".$hash."' AND active='1'") or die(mysql_error());
$match = mysql_num_rows($search);
if($match > 0){
// We have a match, activate the account
mysql_select_db("db2") or die(mysql_error());
if ($user->data['is_registered'] || isset($_REQUEST['not_agreed']))
{
redirect(append_sid("{$phpbb_root_path}index.$phpEx"));
}
$module->load('ucp', 'register');
$module->display($user->lang['REGISTER']);
}else{
// No match -> invalid url or account has already been activated.
mysql_select_db("db2") or die(mysql_error());
if ($user->data['is_registered'] || isset($_REQUEST['not_agreed']))
{
redirect(append_sid("{$phpbb_root_path}index.$phpEx"));
} else {
redirectpage();
}
}
}else{
// No match -> invalid url or account has already been activated.
redirectpage();
}
break;
This same code used on the verify.php page, except I changed it so that active does not have to be set to 0 to work.
This whole thing works for the most part: the page redirects properly if no email or hash is given, or if it is incorrect. The only problem is, when a user clicks the “I Agree” button on the registration agreement page, the redirect comes into play for some reason. It doesn’t take them to the next page where the registration form exists.
This also happened when I tried to skip the registration agreement page. It successfully skipped it, but after I filled the registration form and clicked “Submit” it triggered my redirect function again.
Anyone know why the redirecting happens anytime a submit button is pressed?
I wold imagine the page is being redirected because any time you click on a submit button, it is sending you to the same page, and mode is set to ‘register’, while it doesn’t tack on the email or hash from the form. So, just set up an exception for the redirect for whatever values are passed when you click submit to go to the final page.