Mark Berry

Reputation: 81

Verification link not activating account

So I've sent a link after registration to verify an account; the link contains the user's email address and a 32-character code, for example:

                $to      = $email;
                $subject = 'Signup | Verification';
                $message = '

                Thanks for signing up!
                Your account has been created, you can login with the following credentials after you have activated your account by pressing the url below.

                ------------------------
                Username: '.$username.'
                Password: '.$password.'
                ------------------------

                Please click this link to activate your account:
                localhost:8888/website/verify.php?email='.$email.'&hash='.$hash.'
                '; 

                $headers = 'From:[email protected]' . "\r\n"; 
                mail($to, $subject, $message, $headers); 

That all seems to work fine; I'm receiving the email with a link like this:

http://localhost:8888/website/verify.php?email=[email protected]&hash=fe646d38bc2145ca6c3cf77d52820cd0

The problem comes when I follow the link and try to activate the account. It takes me to verify.php fine, but I keep getting "Invalid approach" and I'm unable to set Validation to 1.

    <?php include "includes/base.php"; ?>

    <?php

        if(isset($_GET['Email']) && !empty($_GET['Email']) AND isset($_GET['Hash']) && !empty($_GET['Hash'])){
            $email = mysql_escape_string($_GET['Email']); 
            $hash = mysql_escape_string($_GET['Hash']); 
            $search = mysql_query("SELECT Email, Hash, Validation FROM users WHERE Email = '".$email."' AND Hash = '".$hash."' AND Validation = 0") or die(mysql_error()); 
            $match  = mysql_num_rows($search);


            if($match > 0){
                mysql_query("UPDATE users SET Validation = 1 WHERE Email = '".$email."' AND Hash = '".$hash."' AND Validation = 0") or die(mysql_error());
                echo "Your account has been activated, you can now login";
            }else{
                echo "The url is either invalid or you already have activated your account.";
            }

        }else{
            echo "Invalid approach, please use the link that has been sent to your email.";
        }


    ?>

Upvotes: 2

Views: 1227

Answers (3)

brot

Reputation: 1

There are capitals in the PHP, whereas there are none in the link:

$_GET['Email']

[email protected]

Upvotes: 0

KennyPowers

Reputation: 5015

1) This code is insecure as it has a SQL injection problem. Use prepared statements. Please keep in mind that the mysql_* functions are no longer supported and are deprecated.

2) Regarding your code, I found that your GET request has 'email' and 'hash' all lowercase, but in your PHP code you use $_GET['Email'] and $_GET['Hash']. You need to change this:

 if(isset($_GET['Email']) && !empty($_GET['Email']) AND isset($_GET['Hash']) && !empty($_GET['Hash'])){
            $email = mysql_escape_string($_GET['Email']); 
            $hash = mysql_escape_string($_GET['Hash']); 

To this

 if(isset($_GET['email']) && !empty($_GET['email']) AND isset($_GET['hash']) && !empty($_GET['hash'])){
            $email = mysql_escape_string($_GET['email']); 
            $hash = mysql_escape_string($_GET['hash']); 

or change your GET request to the following one:

http://localhost:8888/website/verify.php?Email=[email protected]&Hash=fe646d38bc2145ca6c3cf77d52820cd0

Upvotes: 2

web-nomad

Reputation: 6003

Change Hash to hash and Email to email (capitalized in the code, but not in the link that you send).

Also, your code is prone to SQL injection attacks, as you are directly using the values from the URL to query your database. Please use mysql_real_escape_string and perform some sanity checks before making the query.

Upvotes: 0
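Both answers above point out the same two things: the `$_GET` keys must match the case used in the link, and the values must not be spliced into the SQL string. The following is an added example of a hardened verify.php, not code from the question or from any of the answers. It assumes that `includes/base.php` opens a PDO connection and exposes it as `$pdo` (the question does not show what base.php contains), and that the `users` table has the `Email`, `Hash` and `Validation` columns from the question. It reads the lowercase `email` and `hash` keys the question's mailer actually puts in the link, validates both before touching the database, binds them through prepared statements, and compares the token with `hash_equals()` so that a wrong token costs the same time as a right one. The `generate_verification_token()` helper is the registration-side counterpart that produces the 32-character code; the question's own hash generation is not shown, so this is an assumption about how the token is made.

```php
<?php
// Added example: hardened replacement for the verify.php in the question.
// Assumptions (not from the original post):
//   - includes/base.php defines $pdo, a PDO connection to the site database
//   - table `users` has columns Email, Hash (32 hex chars) and Validation (0/1)
//   - the link is built as verify.php?email=...&hash=..., i.e. lowercase keys
declare(strict_types=1);

require __DIR__ . '/includes/base.php'; // assumed to set $pdo

// Registration side: a 128-bit random token rendered as 32 lowercase hex
// characters. Call this when creating the user and store the result in `Hash`.
function generate_verification_token(): string
{
    return bin2hex(random_bytes(16));
}

// Returns true only if the token was syntactically valid and matched the
// stored token for a not-yet-activated account. Every failure path returns
// false, so the caller cannot distinguish "no such user", "already activated"
// and "wrong token" and neither can an attacker probing the endpoint.
function verify_account(PDO $pdo, string $email, string $hash): bool
{
    // Cheap input checks first: a real address and exactly 32 hex chars.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    if (!preg_match('/^[0-9a-f]{32}$/', $hash)) {
        return false;
    }

    // Look the row up by email only; the token is compared in PHP, so the
    // user-supplied value never becomes part of the SQL text.
    $stmt = $pdo->prepare(
        'SELECT Hash FROM users WHERE Email = :email AND Validation = 0'
    );
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || !hash_equals($row['Hash'], $hash)) {
        return false;
    }

    // Flip the flag with the same predicate, so a concurrent request cannot
    // activate twice; rowCount() tells us whether this request was the one
    // that did it.
    $update = $pdo->prepare(
        'UPDATE users SET Validation = 1 '
        . 'WHERE Email = :email AND Hash = :hash AND Validation = 0'
    );
    $update->execute([':email' => $email, ':hash' => $hash]);

    return $update->rowCount() === 1;
}

// Request handling. The ?? operator avoids the isset()/empty() pair from the
// question and still treats a missing parameter as an empty string.
$email = $_GET['email'] ?? '';
$hash  = $_GET['hash']  ?? '';

if ($email === '' || $hash === '') {
    http_response_code(400);
    echo 'Invalid approach, please use the link that has been sent to your email.';
    exit;
}

if (verify_account($pdo, $email, $hash)) {
    echo 'Your account has been activated, you can now login';
} else {
    echo 'The url is either invalid or you already have activated your account.';
}
```

When setting up `$pdo` in base.php, pass `PDO::ATTR_EMULATE_PREPARES => false` and `PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION` in the options array, so that placeholders are bound server-side rather than interpolated client-side and query failures throw instead of being silently swallowed. Unrelated to the activation bug but visible in the question's mail body: the message echoes the user's password back in plaintext; the example above sends nothing back to the user except the activation result.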
