5

我为我的网站编写了一个登录系统。当用户注册时,系统会通过电子邮件将激活链接发送到用户提供的电子邮件地址。该链接包含两个参数,电子邮件和密钥。email 参数有用户的电子邮件地址,key 参数有注册码,这样注册就可以被验证并从待定变为已确认。激活页面应该从电子邮件列中设置了电子邮件参数的行中获取状态列。出于某种原因,脚本确定任何链接都是有效的,并尝试更新帐户的状态,无论它是否存在。

这是我的代码:

<?php

$email = $_GET['email'];
if($email == "") {
  header("Location: http://www.zbrowntechnology.info/yard/register.php?message=Invalid Activation Link!");
  exit;
}
$key = $_GET['key'];
if($key == "") {
  header("Location: http://www.zbrowntechnology.info/yard/register.php?message=Invalid Activation Link!");
  exit;
}

$con = mysql_connect("HOST", "USER", "PASS") or die(mysql_error());
mysql_select_db("zach_yardad", $con) or die(mysql_error());
$query1 = "SELECT `Status` FROM Accounts WHERE `Email`='".mysql_real_escape_string($email)."' AND `Status`='".mysql_real_escape_string($key)."'";
$result1 = mysql_query($query1) or die(mysql_error());
if(mysql_num_rows($result1) <= 0) {
  header("Location: http://www.zbrowntechnology.info/yard/register.php?message=Invalid Activation Link!");
 exit;
} else {
  $query = "UPDATE Accounts SET `Status`='Confirmed' WHERE `Email`='$email'";
  mysql_query($query) or die(mysql_error());
  header("Location: http://www.zbrowntechnology.info/yard/login.php?message=Registration Complete!");
  exit;
}

?>

这是一个有效的激活链接:

http://www.zbrowntechnology.info/yard/activate.php?email=zach@zbrowntechnology.com&key=2772190956485245

它将通过链接激活该帐户,但如果链接无效,它将在激活后重定向到登录页面。

编辑:

这是查询的结果DESCRIBE `Accounts`

First Name  varchar(65) NO      NULL     
Last Name   varchar(65) NO      NULL     
Email   varchar(100)    NO      NULL     
Username    varchar(65) NO      NULL     
Password    varchar(65) NO      NULL     
Status  varchar(65) NO      NULL
4

3 回答 3

4

我注意到您正在选择状态,以检查其是否已确认..

您的状态字段是已确认/未确认的存储位置是否正确?

你不应该检查钥匙吗?

换句话说,而不是:

$query1 = "SELECT `Status` FROM Accounts WHERE `Email`='".mysql_real_escape_string($email)."' AND `Status`='".mysql_real_escape_string($key)."'";

采用:

$query1 = "SELECT `Status` FROM Accounts WHERE `Email`='".mysql_real_escape_string($email)."' AND `Key`='".mysql_real_escape_string($key)."'";

替换Key为您存储 KEY 的字段的名称。因为这是您使用 $_GET 请求、电子邮件和密钥检查的内容。而不是电子邮件和状态。

于 2010-11-27T01:23:23.777 回答
4

您可以尝试将代码更改为:

$query1 = mysql_query("SELECT `Status` FROM `Accounts` WHERE `Email`='".mysql_real_escape_string($email)."' AND `Status`='".mysql_real_escape_string($key)."'");
 if(mysql_num_rows($query1) <= 0) {

这应该工作..

如果这不起作用,请尝试以下操作:

$query1 = mysql_query("SELECT `Status` FROM `Accounts` WHERE `Email`='".mysql_real_escape_string($email)."' AND `Status`='".mysql_real_escape_string($key)."'", $con);
     if(mysql_num_rows($query1) <= 0) {

====完整代码====

<?php
if($_GET['email'] == "") {
header("Location: http://www.zbrowntechnology.info/yard/register.php?message=Invalid Activation Link!");
exit;
}

if($_GET['key'] == "") {
header("Location: http://www.zbrowntechnology.info/yard/register.php?message=Invalid Activation Link!");
exit;
}

$email = mysql_real_escape_string($_GET['email']);
$key = mysql_real_escape_string($_GET['key']);

$con = mysql_connect('HOST', 'USER', 'PASS');
mysql_select_db('zach_yardad', $con) or die(mysql_error());

$query1 = mysql_query("SELECT `Status` FROM `Accounts` WHERE `Email` = '" . $email . "' AND `Status` = '" . $key ."'", $con);
if(mysql_num_rows($query1) <= 0) {
header("Location: http://www.zbrowntechnology.info/yard/register.php?message=Invalid Activation Link!");
exit();
} else {
mysql_query("UPDATE `Accounts` SET `Status`='Confirmed' WHERE `Email`='$email'", $con);
header("Location: http://www.zbrowntechnology.info/yard/login.php?message=Registration Complete!");
exit();
}
?>
于 2010-11-27T01:47:20.663 回答
0

我注意到的第一件事是,在您的 mysql 查询中,您使用状态列作为 where 字段。

$query1 = "SELECT `Status` FROM Accounts WHERE `Email`='".mysql_real_escape_string($email)."' AND `Status`='".mysql_real_escape_string($key)."'";

从您编写代码的方式来看,它似乎应该是:

$query1 = "SELECT `Status` FROM Accounts WHERE `Email`='".mysql_real_escape_string($email)."' AND `Key`='".mysql_real_escape_string($key)."'";

要调试代码,如何注释掉headerandexit命令,然后在定义 $query1 之后,执行

print $query1;

重试该页面,这将帮助您查看传递给 mysql 的内容。

更新:

阅读您最近的输入,我认为这可能对您有用:

if(mysql_num_rows($result1) > 0) {
  $query = "UPDATE Accounts SET `Status`='Confirmed' WHERE `Email`='$email'";
  mysql_query($query) or die(mysql_error());
  header("Location: http://www.zbrowntechnology.info/yard/login.php?message=Registration Complete!");
  exit;

} else {
  header("Location: http://www.zbrowntechnology.info/yard/register.php?message=Invalid Activation Link!");
 exit;
}
于 2010-11-27T01:21:53.980 回答