Your code is vulnerable to SQL injection attacks; user-supplied data should never be placed directly into SQL query strings. Instead, first sanitize it with a function such as [man]mysql_real_escape_string/man.
Thanks, I know it was vulnerable, I just was unsure who to fix that, any other tips on make this better I would be happy to learn about and fix :-)
Ok, when I put the mysql_real_escape_string('$user_id') with \" in font and after the function it gives me issue, it does not look up in the database and gives me my else statement as soon as I take them away my script works again.
[man]mysql_affected_rows/man doesn't apply to SELECT queries.
oops, I knew this, I must of forget to fix it, seeing it worked I did not think about it, I was fixing them before I got this post but miss some in another script.
Don't use 'SELECT ' queries (unless you really mean to SELECT all columns, e.g. if doing a database dump) - only SELECT the columns you actually need data from.
bad habit, I also was told this about the insert to use the fields instead of
Is there an index on user_id? Is it a UNIQUE index? Looks like it should be to me.
Yes I have set the index of all tables with user_id as a Unique index, I would how ever like to know how I can have it if I delete from one table it automatic does from the rest, I have 5 tables that all should connect to the parent table, one of these tables need to be allowed to delete with out affecting the rest, as this is the activation table that holds activation keys once activated it delete the key as its no longer good.
No need to count the number of rows - just try to retrieve the first row
SELECTed. If the fetching function (such as mysql_fetch_array() in your code) doesn't find a row, it'll return boolean false.
Good idea, is there a time where you would want to use the affect or num_rows besides if you know it may return more then one?
MySQL error messages should never printed to the user if an error occurs.
Are you talking about the mysql_error() with the use of die, I will remove all of this stuff once the scripts are ready to go live for the real site and not the development site I am going to need alot of help as these scripts get closer to being the public ver to do error handling so I get the errors and they get what they need to know
You can get rid of the two lines before the UPDATE query that calculate the current Unix timestamp; just compare the calculated Unix timestamp of the expiration date to the result of the function [man]time/man.
I think I toke care of this before I got the post but I will at the end of this post repost the processing part of the script
What is in the 'db_close.php' script? Is it nothing more than a call to [man]mysql_close/man? If so, this is unnecessary - there's no need to call this function at your script's end.
Why do you not need this? I througt and see everyone using.
Thanks a lot, I am very grateful for all of your help!
See below for script with more of the fixes, if I missed something please point it out and if I can write something better please do advice me as I am learning slowly but surely :-)
Sincerely,
Christopher
<?php
if(isset($_POST['activate']))
{
include '/home/dev/www/lib/db_config_cr-dev.php';
include '/home/dev/www/lib/db_conn-select.php';
$user_id = $_POST["user_id"];
$activation_code = $_POST["activation_code"];
$activation_date = $_POST["activation_date"];
$query_s = "SELECT timezone, dls FROM user_preferences WHERE user_id = \"mysql_real_escape_string('$user_id')\"";
$result_s = mysql_query($query_s) OR die("Sorry". mysql_error());
$record = mysql_fetch_array($result_s);
if($record == 1)
{
$user_timezone = $record["timezone"];
date_default_timezone_set ( $user_timezone );
}
$query_s = "SELECT activation_code, expire_date FROM activation WHERE user_id = \"$user_id\" AND activation_code = \"$activation_code\" ";
$result_s = mysql_query($query_s) OR die("Sorry". mysql_error());
$record = mysql_fetch_array($result_s);
// If result matched $userid and $activation_code, table row must be 1 row
if($record && $activation_date == date("Y-m-d"))
{
if(isset($user_timezone)){date_default_timezone_set ( "UTC" );}
if ($record["expire_date"] >= time())
{
$query_u = "UPDATE access_credentials SET user_access_status = \"A\" WHERE user_id = \"$user_id\"";
$result_u = mysql_query($query_u)OR die("Sorry was unable to update table!<br />" . mysql_error());
$count = mysql_affected_rows();
if($count)
{
$query_d = "DELETE FROM activation WHERE user_id = \"$user_id\"";
$result_d = mysql_query($query_d)OR die("Sorry was unable to delete record from the table!<br />" . mysql_error());
$count = mysql_affected_rows();
if($count)
{ echo "Account is now activated"; }
}
else
{ echo "Your Account was already activated!";}
}
else
{ echo "Account activation has expired, please request another activation code!"; }
}
else
{
echo "Sorry you did not enter vaild infomation on the activation form, please try again!";
}
include '/home/dev/www/lib/db_close.php';
}
?>
