0

but when you register your account you need to verify it via email but it doesnt work, so I'm asking how to arrange this code for you to register and once your done registering the account will be saved to my database, and you can login with your email and password thank you in advance

{The Register Code}

<?php
/* Registration process, inserts user info into the database 
   and sends account confirmation email message
 */

// Set session variables to be used on profile.php page
$_SESSION['email'] = $_POST['email'];
$_SESSION['first_name'] = $_POST['firstname'];
$_SESSION['last_name'] = $_POST['lastname'];

// Escape all $_POST variables to protect against SQL injections
$first_name = $mysqli->escape_string($_POST['firstname']);
$last_name = $mysqli->escape_string($_POST['lastname']);
$email = $mysqli->escape_string($_POST['email']);
$password = $mysqli->escape_string(password_hash($_POST['password'],             
PASSWORD_BCRYPT));
$hash = $mysqli->escape_string( md5( rand(0,1000) ) );

// Check if user with that email already exists
$result = $mysqli->query("SELECT * FROM users WHERE email='$email'") or         
die($mysqli->error());

// We know user email exists if the rows returned are more than 0
if ( $result->num_rows > 0 ) {

$_SESSION['message'] = 'User with this email already exists!';
header("location: error.php");

}
else { // Email doesn't already exist in a database, proceed...

// active is 0 by DEFAULT (no need to include it here)
$sql = "INSERT INTO users (first_name, last_name, email, password, hash) " 
        . "VALUES ('$first_name','$last_name','$email','$password',         
'$hash')";

// Add user to the database
if ( $mysqli->query($sql) ){

    $_SESSION['active'] = 0; //0 until user activates their account with         
    verify.php
    $_SESSION['logged_in'] = true; // So we know the user has logged in
    $_SESSION['message'] =

             "Confirmation link has been sent to $email, please verify
             your account by clicking on the link in the message!";

    // Send registration confirmation link (verify.php)
    $to      = $email;
    $subject = 'Account Verification ( Groupa )';
    $message_body = '
    Hello '.$first_name.',

    Thank you for signing up!

    Please click this link to activate your account:

    http://localhost/login/verify.php?email='.$email.'&hash='.$hash;  

    mail( $to, $subject, $message_body );

    header("location: profile.php"); 

}

else {
    $_SESSION['message'] = 'Registration failed!';
    header("location: error.php");
}

}

{The Verify Code}

<?php 
/* Verifies registered user email, the link to this page
   is included in the register.php email message 
*/
require 'db.php';
session_start();

// Make sure email and hash variables aren't empty
if(isset($_GET['email']) && !empty($_GET['email']) AND isset($_GET['hash'])         
&& !empty($_GET['hash']))
{
$email = $mysqli->escape_string($_GET['email']); 
$hash = $mysqli->escape_string($_GET['hash']); 

// Select user with matching email and hash, who hasn't verified their         
account yet (active = 0)
$result = $mysqli->query("SELECT * FROM users WHERE email='$email' AND     
hash='$hash' AND active='0'");

if ( $result->num_rows == 0 )
{ 
    $_SESSION['message'] = "Account has already been activated or the URL is 
invalid!";

    header("location: error.php");
}
else {
    $_SESSION['message'] = "Your account has been activated!";

    // Set the user status to active (active = 1)
    $mysqli->query("UPDATE users SET active='1' WHERE email='$email'") or 
    die($mysqli->error);
    $_SESSION['active'] = 1;

    header("location: success.php");
}
}
else {
    $_SESSION['message'] = "Invalid parameters provided for account         
verification!";
header("location: error.php");
}     
?>
jaedster medina
  • 589
  • 1
  • 4
  • 7
  • do not apply `escape_string` on `password_hash` – Rotimi Oct 18 '17 at 04:49
  • 2
    "It does not work??" I assume you are a programmer. Debug your code yourself and look for the error – Rotimi Oct 18 '17 at 04:52
  • 1
    **WARNING**: Writing your own access control layer is not easy and there are many opportunities to get it severely wrong. Please, do not write your own authentication system when any modern [development framework](http://codegeekz.com/best-php-frameworks-for-developers/) like [Laravel](http://laravel.com/) comes with a robust [authentication system](https://laravel.com/docs/master/authentication) built-in. At the absolute least follow [recommended security best practices](http://www.phptherightway.com/#security) and **never store passwords with a weak, high-speed hash like SHA1 or MD5**. – tadman Oct 18 '17 at 04:53
  • what doesn't work is that I can't send email from localhost I changed the SMTP from php.ini of wamp tried third party programs, still nothing – jaedster medina Oct 18 '17 at 04:53
  • 1
    Unless you're doing this purely for academic purposes, **STOP**. That you're calling MD5 on a random value in a narrow range, trivial to crack, is a strong indicator you're going to break something in a way that's going to be cataclysmic. This stuff is hard to get right even if you know what you're doing. Doing this as a first-time project is an express train to disaster. – tadman Oct 18 '17 at 04:54

0 Answers0