所以我送註冊後的鏈接驗證賬戶,該鏈接包含用戶的電子郵件地址,例如一個32字符代碼:驗證鏈接激活不考慮
$to = $email;
$subject = 'Signup | Verification';
$message = '
Thanks for signing up!
Your account has been created, you can login with the following credentials after you have activated your account by pressing the url below.
------------------------
Username: '.$username.'
Password: '.$password.'
------------------------
Please click this link to activate your account:
localhost:8888/website/verify.php?email='.$email.'&hash='.$hash.'
';
$headers = 'From:[email protected]' . "\r\n";
mail($to, $subject, $message, $headers);
這一切似乎做工精細我收到的電子郵件,像這樣的鏈接:
http://localhost:8888/website/[email protected]&hash=fe646d38bc2145ca6c3cf77d52820cd0
問題是當我跟隨鏈接並嘗試激活帳戶。它帶我到Verify.php很好,但我不斷收到無效的方法,我無法驗證設置爲1。
<?php include "includes/base.php"; ?>
<?php
if(isset($_GET['Email']) && !empty($_GET['Email']) AND isset($_GET['Hash']) && !empty($_GET['Hash'])){
$email = mysql_escape_string($_GET['Email']);
$hash = mysql_escape_string($_GET['Hash']);
$search = mysql_query("SELECT Email, Hash, Validation FROM users WHERE Email = '".$email."' AND Hash = '".$hash."' AND Validation = 0") or die(mysql_error());
$match = mysql_num_rows($search);
if($match > 0){
mysql_query("UPDATE users SET Validation = 1 WHERE Email = '".$email."' AND Hash = '".$hash."' AND Validation = 0") or die(mysql_error());
echo "Your account has been activated, you can now login";
}else{
echo "The url is either invalid or you already have activated your account.";
}
}else{
echo "Invalid approach, please use the link that has been sent to your email.";
}
?>
你的代碼有問題。 SQL注入問題。 –
我知道,這是我的清單上的下一個理清。謝謝 –
你的方法也有問題。絕不要通過郵件發送密碼(除了一次性密碼,像你的散列)!爲什麼你甚至知道密碼呢?你應該(或更好得)立即從提供的密碼創建一個鹽醃哈希,存儲這一塊,而忘記了明文密碼,儘快(從內存擦拭,不記錄或存儲任何東西)。其他的事情:你的散列包含祕密嗎?你使用了安全算法嗎?您的激活鏈接是否有超時? –