我为我的网站写了一个登录系统。当用户注册时,系统通过电子邮件将激活链接发送到用户提供的电子邮件地址。该链接包含两个参数,电子邮件和密钥。 email参数具有用户的电子邮件地址,密钥参数具有注册码,以便可以验证注册并从挂起更改为已确认。激活页面应该从“电子邮件”列中设置了电子邮件参数的行中获取“状态”列。出于某种原因,脚本决定任何链接是有效的,并尝试更新帐户的状态是否存在。
这是我的代码:
<?php
$email = $_GET['email'];
if($email == "") {
header("Location: http://www.zbrowntechnology.info/yard/register.php?message=Invalid Activation Link!");
exit;
}
$key = $_GET['key'];
if($key == "") {
header("Location: http://www.zbrowntechnology.info/yard/register.php?message=Invalid Activation Link!");
exit;
}
$con = mysql_connect("HOST", "USER", "PASS") or die(mysql_error());
mysql_select_db("zach_yardad", $con) or die(mysql_error());
$query1 = "SELECT `Status` FROM Accounts WHERE `Email`='".mysql_real_escape_string($email)."' AND `Status`='".mysql_real_escape_string($key)."'";
$result1 = mysql_query($query1) or die(mysql_error());
if(mysql_num_rows($result1) <= 0) {
header("Location: http://www.zbrowntechnology.info/yard/register.php?message=Invalid Activation Link!");
exit;
} else {
$query = "UPDATE Accounts SET `Status`='Confirmed' WHERE `Email`='$email'";
mysql_query($query) or die(mysql_error());
header("Location: http://www.zbrowntechnology.info/yard/login.php?message=Registration Complete!");
exit;
}
?>
以下是有效的激活链接:
http://www.zbrowntechnology.info/yard/activate.php?email=zach@zbrowntechnology.com&key=2772190956485245
它将通过链接激活该帐户,但如果链接无效,它将在激活后重定向到登录页面。
修改
以下是查询DESCRIBE `Accounts`
:
First Name varchar(65) NO NULL
Last Name varchar(65) NO NULL
Email varchar(100) NO NULL
Username varchar(65) NO NULL
Password varchar(65) NO NULL
Status varchar(65) NO NULL
答案 0 :(得分:4)
我注意到您正在选择状态,以检查其是否已确认..
您的状态字段是否存储了已确认/未确认的位置?
你不应该检查Key吗?
换句话说,而不是:
$query1 = "SELECT `Status` FROM Accounts WHERE `Email`='".mysql_real_escape_string($email)."' AND `Status`='".mysql_real_escape_string($key)."'";
使用:
$query1 = "SELECT `Status` FROM Accounts WHERE `Email`='".mysql_real_escape_string($email)."' AND `Key`='".mysql_real_escape_string($key)."'";
将Key
替换为您存储KEY的字段的名称..因为这是您使用$ _GET请求,电子邮件和密钥检查的内容..而不是电子邮件和状态。
答案 1 :(得分:4)
您可以尝试将代码更改为:
$query1 = mysql_query("SELECT `Status` FROM `Accounts` WHERE `Email`='".mysql_real_escape_string($email)."' AND `Status`='".mysql_real_escape_string($key)."'");
if(mysql_num_rows($query1) <= 0) {
这应该有用..
如果这不起作用,请尝试:
$query1 = mysql_query("SELECT `Status` FROM `Accounts` WHERE `Email`='".mysql_real_escape_string($email)."' AND `Status`='".mysql_real_escape_string($key)."'", $con);
if(mysql_num_rows($query1) <= 0) {
====完整代码====
<?php
if($_GET['email'] == "") {
header("Location: http://www.zbrowntechnology.info/yard/register.php?message=Invalid Activation Link!");
exit;
}
if($_GET['key'] == "") {
header("Location: http://www.zbrowntechnology.info/yard/register.php?message=Invalid Activation Link!");
exit;
}
$email = mysql_real_escape_string($_GET['email']);
$key = mysql_real_escape_string($_GET['key']);
$con = mysql_connect('HOST', 'USER', 'PASS');
mysql_select_db('zach_yardad', $con) or die(mysql_error());
$query1 = mysql_query("SELECT `Status` FROM `Accounts` WHERE `Email` = '" . $email . "' AND `Status` = '" . $key ."'", $con);
if(mysql_num_rows($query1) <= 0) {
header("Location: http://www.zbrowntechnology.info/yard/register.php?message=Invalid Activation Link!");
exit();
} else {
mysql_query("UPDATE `Accounts` SET `Status`='Confirmed' WHERE `Email`='$email'", $con);
header("Location: http://www.zbrowntechnology.info/yard/login.php?message=Registration Complete!");
exit();
}
?>
答案 2 :(得分:0)
我注意到的第一件事是,在你的mysql查询中,你使用 status 列作为where字段。
$query1 = "SELECT `Status` FROM Accounts WHERE `Email`='".mysql_real_escape_string($email)."' AND `Status`='".mysql_real_escape_string($key)."'";
从您编写代码的方式来看,它似乎应该是:
$query1 = "SELECT `Status` FROM Accounts WHERE `Email`='".mysql_real_escape_string($email)."' AND `Key`='".mysql_real_escape_string($key)."'";
要调试代码,请注释掉header
和exit
命令,然后在定义$ query1之后,执行
print $query1;
重新尝试页面,这将帮助您查看传递给mysql的内容。
<强>更新强>
阅读您最近的意见我认为这可能适合您:
if(mysql_num_rows($result1) > 0) {
$query = "UPDATE Accounts SET `Status`='Confirmed' WHERE `Email`='$email'";
mysql_query($query) or die(mysql_error());
header("Location: http://www.zbrowntechnology.info/yard/login.php?message=Registration Complete!");
exit;
} else {
header("Location: http://www.zbrowntechnology.info/yard/register.php?message=Invalid Activation Link!");
exit;
}