3

所以我在注册后发送了一个链接来验证一个帐户,该链接包含用户的电子邮件地址和一个 32 个字符的代码,例如:

                $to      = $email;
                $subject = 'Signup | Verification';
                $message = '

                Thanks for signing up!
                Your account has been created, you can login with the following credentials after you have activated your account by pressing the url below.

                ------------------------
                Username: '.$username.'
                Password: '.$password.'
                ------------------------

                Please click this link to activate your account:
                localhost:8888/website/verify.php?email='.$email.'&hash='.$hash.'
                '; 

                $headers = 'From:myemail@email.com' . "\r\n"; 
                mail($to, $subject, $message, $headers);

一切似乎都很好,我收到了带有如下链接的电子邮件:

http://localhost:8888/website/verify.php?email=myemail@email.com&hash=fe646d38bc2145ca6c3cf77d52820cd0

当我点击链接并尝试激活帐户时,问题就来了。我需要很好地验证.php,但我不断收到无效的方法,我无法将验证设置为 1。

    <?php include "includes/base.php"; ?>

    <?php

        if(isset($_GET['Email']) && !empty($_GET['Email']) AND isset($_GET['Hash']) && !empty($_GET['Hash'])){
            $email = mysql_escape_string($_GET['Email']); 
            $hash = mysql_escape_string($_GET['Hash']); 
            $search = mysql_query("SELECT Email, Hash, Validation FROM users WHERE Email = '".$email."' AND Hash = '".$hash."' AND Validation = 0") or die(mysql_error()); 
            $match  = mysql_num_rows($search);


            if($match > 0){
                mysql_query("UPDATE users SET Validation = 1 WHERE Email = '".$email."' AND Hash = '".$hash."' AND Validation = 0") or die(mysql_error());
                echo "Your account has been activated, you can now login";
            }else{
                echo "The url is either invalid or you already have activated your account.";
            }

        }else{
            echo "Invalid approach, please use the link that has been sent to your email.";
        }


    ?>
4

3 回答 3

2

1) 此代码不安全,因为它存在 SQL 注入问题。使用准备好的语句 请记住mysql_*函数不再受支持,它们已被废弃

2) 关于您的代码,我发现您的 GET 请求的 'email' 和 'hash' 全部小写,但在 PHP 代码中您使用 $_GET['Email'] 和 $_GET['Hash']。你需要改变这个:

 if(isset($_GET['Email']) && !empty($_GET['Email']) AND isset($_GET['Hash']) && !empty($_GET['Hash'])){
            $email = mysql_escape_string($_GET['Email']); 
            $hash = mysql_escape_string($_GET['Hash']);

对此

 if(isset($_GET['email']) && !empty($_GET['email']) AND isset($_GET['eash']) && !empty($_GET['eash'])){
            $email = mysql_escape_string($_GET['email']); 
            $hash = mysql_escape_string($_GET['eash']);

或将您的 GET 请求更改为下一个:

http://localhost:8888/website/verify.php?Email=myemail@email.com&Hash=fe646d38bc2145ca6c3cf77d52820cd0
于 2013-01-31T10:55:26.587 回答
0

更改Hashhash& 。Email_ email(大写,但不在您发送的链接中)

此外,您的代码容易受到 sql 注入攻击,因为您直接使用 url 中的值来查询数据库。请mysql_real_escape_string在进行查询之前使用并执行一些健全性检查。

于 2013-01-31T10:52:20.327 回答
0

PHP中有大写字母,而链接中没有大写字母

$_GET['Email']

verify.php?email=myemail@email.com
于 2013-01-31T11:00:16.703 回答