So I've sent a link after registration to verify an account; the link contains the user's email address and a 32-character code, for example:
$to = $email;
$subject = 'Signup | Verification';
$message = '
Thanks for signing up!
Your account has been created, you can login with the following credentials after you have activated your account by pressing the url below.
------------------------
Username: '.$username.'
Password: '.$password.'
------------------------
Please click this link to activate your account:
localhost:8888/website/verify.php?email='.$email.'&hash='.$hash.'
';
$headers = 'From:myemail@email.com' . "\r\n";
mail($to, $subject, $message, $headers);
That all seems to work fine; I'm receiving the email with a link like this:
http://localhost:8888/website/verify.php?email=myemail@email.com&hash=fe646d38bc2145ca6c3cf77d52820cd0
The problem comes when I follow the link and try to activate the account. It takes me to Verify.php fine, but I keep getting "Invalid approach" and I'm unable to set Validation to 1.
<?php include "includes/base.php"; ?>
<?php
// Both query parameters must be present and non-empty (note the capitalised keys).
if(isset($_GET['Email']) && !empty($_GET['Email']) AND isset($_GET['Hash']) && !empty($_GET['Hash'])){
    $email = mysql_escape_string($_GET['Email']);
    $hash = mysql_escape_string($_GET['Hash']);
    // Look for a not-yet-validated account matching both the email and the hash.
    $search = mysql_query("SELECT Email, Hash, Validation FROM users WHERE Email = '".$email."' AND Hash = '".$hash."' AND Validation = 0") or die(mysql_error());
    $match = mysql_num_rows($search);
    if($match > 0){
        // Flip the flag for exactly that account.
        mysql_query("UPDATE users SET Validation = 1 WHERE Email = '".$email."' AND Hash = '".$hash."' AND Validation = 0") or die(mysql_error());
        echo "Your account has been activated, you can now login";
    }else{
        echo "The url is either invalid or you already have activated your account.";
    }
}else{
    echo "Invalid approach, please use the link that has been sent to your email.";
}
?>
1) This code is insecure, as it has an SQL injection problem. Use prepared statements.
Please keep in mind that the mysql_* functions are no longer supported and are deprecated.
2) Regarding your code, I found that your GET request has 'email' and 'hash' all lowercase, but in the PHP code you use $_GET['Email'] and $_GET['Hash'].
You need to change this:
To this
or change your GET request to the next one:
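As an added worked example (not code from the question or from the answer above), here is the activation flow rewritten along the lines the answer recommends: PDO prepared statements instead of string-built mysql_* queries, and lowercase 'email'/'hash' keys on both the link and the verify side so the two agree. It runs stand-alone against an in-memory SQLite database so the flow can be exercised offline; the table and column names follow the question, while the function names, the SQLite DSN and the sample user are assumptions for the demo. Unlike the original mail body, it only sends the activation link and not the plaintext password.

```php
<?php
// Added example, not the original poster's or answerer's code.
// Demonstrates: a CSPRNG activation token, prepared statements, matching
// query-parameter case, and a constant-time token comparison.
declare(strict_types=1);

function openDb(): PDO
{
    // Assumption: in-memory SQLite for the demo. For MySQL use e.g.
    // new PDO('mysql:host=localhost;dbname=website;charset=utf8mb4', $user, $pass,
    //         [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]);
    $pdo = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
    $pdo->exec('CREATE TABLE users (
        Email TEXT PRIMARY KEY,
        Hash TEXT NOT NULL,
        Validation INTEGER NOT NULL DEFAULT 0)');
    return $pdo;
}

// Signup side: store a random 32-hex-character token (128 bits) with the account.
// random_bytes() is a CSPRNG; values derived from time or uniqid() are guessable.
function registerUser(PDO $pdo, string $email): string
{
    $token = bin2hex(random_bytes(16)); // 32 hex characters, as in the question
    $stmt = $pdo->prepare('INSERT INTO users (Email, Hash, Validation) VALUES (:email, :hash, 0)');
    $stmt->execute([':email' => $email, ':hash' => $token]);
    return $token;
}

function activationLink(string $email, string $token): string
{
    // Keys are lowercase here and must match what verifyAccount() reads.
    return 'http://localhost:8888/website/verify.php?' .
        http_build_query(['email' => $email, 'hash' => $token]);
}

// verify.php side: $query stands in for $_GET so the function can be called directly.
function verifyAccount(PDO $pdo, array $query): string
{
    // Same case as in the link: 'email' and 'hash', not 'Email' and 'Hash'.
    $email = $query['email'] ?? '';
    $hash  = $query['hash'] ?? '';
    if ($email === '' || !preg_match('/^[0-9a-f]{32}$/', $hash)) {
        return 'Invalid approach, please use the link that has been sent to your email.';
    }

    // Look the account up by email only and compare the token in PHP with
    // hash_equals(), which is constant-time, rather than letting a SQL string
    // comparison (case-insensitive under MySQL's default collation) decide.
    $stmt = $pdo->prepare('SELECT Hash, Validation FROM users WHERE Email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || (int) $row['Validation'] !== 0 || !hash_equals($row['Hash'], $hash)) {
        return 'The url is either invalid or you already have activated your account.';
    }

    // Bound parameters, so the values never become part of the SQL text.
    $update = $pdo->prepare(
        'UPDATE users SET Validation = 1 WHERE Email = :email AND Hash = :hash AND Validation = 0'
    );
    $update->execute([':email' => $email, ':hash' => $hash]);
    if ($update->rowCount() !== 1) {
        // A concurrent request activated the account first; report it as already used.
        return 'The url is either invalid or you already have activated your account.';
    }
    return 'Your account has been activated, you can now login';
}

// Demo run with constructed data.
$pdo   = openDb();
$token = registerUser($pdo, 'myemail@email.com');
$link  = activationLink('myemail@email.com', $token);
parse_str((string) parse_url($link, PHP_URL_QUERY), $params);

echo verifyAccount($pdo, ['Email' => 'myemail@email.com', 'Hash' => $token]), PHP_EOL; // capitalised keys, as in the question
echo verifyAccount($pdo, $params), PHP_EOL;                                             // the link as generated
echo verifyAccount($pdo, $params), PHP_EOL;                                             // replaying the same link
echo verifyAccount($pdo, ['email' => 'myemail@email.com', 'hash' => "' OR '1'='1"]), PHP_EOL; // injection attempt
```

Run it with `php verify_demo.php` (an assumed file name). The first call reproduces the original symptom, because the keys are read case-sensitively; the second activates the account; the third and fourth are rejected, the last one before any SQL runs because the token fails the format check, and even without that check the bound parameter would be compared as data, not executed as SQL.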