JSK

Reputation: 197

Redirecting user for Invite/Referral System

I have created an invite/referral system that allows users to invite someone by entering an email address; the email and the random invite code are stored in the 'referrals' table. An email is then sent out to that person with their email and unique 10-character invite code in the URL link, e.g. www.website.com/register.php?email=(emailaddress)&invite_code=1234567890

I have tested this, and even with a valid URL link users are still redirected to the index.php page. (Also this doesn't stop users from accessing register.php manually)

Table details = 'referrals' with ID | URL | hits | email | inviteCode

I have managed for the page to redirect, though this is no good if they have an actual invite code for their email.

Here is the script I have been modifying the past couple days to try to get working:

<?php

include 'config.php';

if (isset($_GET['email'], $_GET['inviteCode'])) {

    $mysqli     = new Mysqli(/* your connection */);
    $email      = $mysqli->real_escape_string($_GET['email']);
    $inviteCode = $mysqli->real_escape_string($_GET['inviteCode']);
    $sql        = "SELECT email,inviteCode FROM referrals WHERE email='$email' AND inviteCode='$inviteCode'";
    $query      = $mysqli->query($sql);

    if ($query->num_rows) { // check if values are correct and available in database
        header('Location: register.php');
    } else {
        header('Location: index.php');
        exit;
    }
} else {
    header('Location: index.php'); // Page not accessible if neither email nor referral entered
}

?>

It should be straightforward: check the URL for the 'email' & 'inviteCode', compare with the table, and if they have been invited allow access to the page; if not, redirect. With the updates they should either be redirected to register.php or index.php. This does not stop access to register.php if accessing without invite.

Upvotes: 1

Views: 3157

Answers (2)

Cabola

Reputation: 3

I know this is a 3-year-old question, but there are still some obvious errors within your code.

For example, you say the URL is www.website.com/register.php?email=(emailaddress)&invite_code=1234567890, yet in your PHP code you look for $_GET['inviteCode']. So your URL should actually be www.website.com/register.php?email=(emailaddress)&inviteCode=1234567890.

Now, it'll go into the first if statement and be looked up. However, as mentioned by Sean and robbmj, you'll now be redirected to the same page just without your GET parameters, meaning it won't enter the first if statement, going straight to the else which redirects to the index.

What you should do is have your registration form within the if statement that checks if the code and email exist within the database, instead of header('Location: register.php');.

Upvotes: 0

robbmj

Reputation: 16526

Assuming that the script in the question is named register.php and the script hits this line:

header('Location: register.php');

The browser will redirect the user back to the same page; this time the query string will not contain the email and register authentication code. At this point the register.php script will redirect to the index.php page (making it look like the authentication failed).

What you want to do is redirect the user to something like welcome.php when the email address and authentication code are valid.

welcome.php might contain something like this:

<?php
echo 'Your invitation was validated';

and in register.php change

header('Location: register.php'); to header('Location: welcome.php');

Upvotes: 1
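
A sketch of register.php that combines the points from both answers, added here as an example and not code from the question or from either answerer: the invite is checked and the form is rendered in the same request, so the query string is never lost to a self-redirect, and uninvited visitors are sent away before any form output. It goes slightly beyond the thread by using a prepared statement and a constant-time comparison. Assumptions: config.php defines a connected `$mysqli`, invite codes are exactly 10 alphanumeric characters, and `register_submit.php` is a hypothetical form handler.

```php
<?php
// register.php -- added example, not the asker's or answerers' code.
// Assumption: config.php defines $mysqli (a connected mysqli object).
include 'config.php';

/** Returns true when the email/inviteCode pair exists in `referrals`. */
function invite_is_valid(mysqli $db, string $email, string $code): bool
{
    // Reject malformed input before touching the database.
    // Assumption: codes are exactly 10 alphanumeric characters.
    if (!filter_var($email, FILTER_VALIDATE_EMAIL)
        || strlen($code) !== 10 || !ctype_alnum($code)) {
        return false;
    }
    // Prepared statement: values are bound, never spliced into the SQL.
    $stmt = $db->prepare('SELECT inviteCode FROM referrals WHERE email = ?');
    $stmt->bind_param('s', $email);
    $stmt->execute();
    $stmt->bind_result($stored);
    $valid = false;
    while ($stmt->fetch()) {
        // Constant-time comparison of the stored and supplied codes.
        if (hash_equals((string) $stored, $code)) {
            $valid = true;
        }
    }
    $stmt->close();
    return $valid;
}

$email = $_GET['email'] ?? '';
$code  = $_GET['inviteCode'] ?? '';   // must match the parameter name in the emailed link

if (!is_string($email) || !is_string($code)
    || !invite_is_valid($mysqli, $email, $code)) {
    header('Location: index.php');
    exit; // stop here so nothing below is sent to an uninvited visitor
}
?>
<!-- Reached only with a valid invite: render the form in this same request. -->
<!-- register_submit.php is hypothetical and must repeat the invite check. -->
<form method="post" action="register_submit.php">
  <input type="hidden" name="email" value="<?= htmlspecialchars($email, ENT_QUOTES, 'UTF-8') ?>">
  <input type="hidden" name="inviteCode" value="<?= htmlspecialchars($code, ENT_QUOTES, 'UTF-8') ?>">
  <!-- remaining registration fields go here -->
  <button type="submit">Register</button>
</form>
```

Because the check runs at the top of register.php itself, opening the page manually without a valid email and code pair also ends at index.php.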
