Email activation issue

Question

I'm building a site which requires users to register and login. I have the majority working but the bit that isn't working 100% is the email activation.

When the user registers it sends an email with a link (http://example.com/activate?email=name@example.com&activationCode=e7870fadcf79c39584dca1fc33c47ef9)

If the user clicks on this link it goes to /activate checks to see if the email and code exist in the database and activates the account by changing the value 'active' from 0 to 1 if these do exist but, if the user just logs in it automatically activates the account which I don't want (sort of defeats the purpose of the activation email).

LOGIN

if (isset($_POST['submit'])) { // Create variables from submitted data
    $uname = mysqli_real_escape_string($db_connect, $_POST['uname']); 
    $password = mysqli_real_escape_string($db_connect, $_POST['loginPassword']);
    $passHash = md5($password); // Encrypt password

    $query1 = mysqli_query($db_connect, "SELECT * FROM `users` WHERE `uname` = '".$uname."' AND `password` = '".$passHash."' AND `active` = '1' ") or die(mysqli_connect_error()); // Uname and password match and account is active
    $result1 = (mysqli_num_rows($query1) > 0);
    $query2 = mysqli_query($db_connect, "SELECT * FROM `users` WHERE `uname` = '".$uname."' AND `password` = '".$passHash."' AND `active` = '0' ") or die(mysqli_connect_error()); // Uname and password match and account is not active
    $result2 = (mysqli_num_rows($query2) > 0);

        if ($result1) { // If uname and password match and account is active
            $_SESSION['uname'] = $_POST['uname'];
            header("Location: /profile");
        } else if ($result2) { // If uname and password match but account is not active
            echo "<p>Your account has not been activated! Please check your email inbox.</p><br />";
            back();
        } else { // If uname and password do not match
            echo "<p>The combination of username and password is incorrect!</p><br />";
            back();
            forgotPword();
            register();
        }   
} else {
        login();
        forgotPword(); 
        register();
} 

ACTIVATE PAGE

 if (isset($_GET['email'], $_GET['activationCode']) === true) { // If email and email code exist in URL
    $email = trim($_GET['email']);
    $activationCode = trim($_GET['activationCode']);

    $query1 = mysqli_query($db_connect, "SELECT * FROM `users` WHERE `email` = '".$email."' ") or die(mysqli_connect_error());
    $result1 = (mysqli_num_rows($query1) > 0);
    $query2 = mysqli_query($db_connect, "SELECT * FROM `users` WHERE `activationCode` = '".$activationCode."' ") or die(mysqli_connect_error());
    $result2 = (mysqli_num_rows($query2) > 0);  
    $query3 = mysqli_query($db_connect, "SELECT COUNT(`userID`) FROM `users` WHERE `email` = '".$email."' AND `activationCode` = '".$activationCode."' AND  `active` = '0' ") or die(mysqli_connect_error());
    $result3 = (mysqli_num_rows($query3) > 0);

    // Check email exists in database
    if ($result1) {     
        // Check activation code exists in database     
        if ($result2) { 

            // THIS IS THE PART NOT DOING IT'S JOB PROPERLY
            // Check active status
            if ($result3) {             
                mysqli_query($db_connect, "UPDATE `users` SET `active` = '1' WHERE `email` = '".$email."' AND `activationCode` = '".$activationCode."' AND `active` = '0' ") or die(mysqli_connect_error()); // Activate account
                echo "<p>Your account is now activated. You may <a href='/login'>Log In</a></p>";
                exit();         
            } else {
                echo "<p>Your account has already been activated. You may <a href='/login'>Log In</a></p>";
                exit(); 
            }   
            // ------------------------------------------------------------------------------------

        } else { // Activation code is invalid
          echo "<p>Hmmm, the activation code seems to be invalid!</p>"; 
          exit(); 
        }       
    } else { // Email does not exist
      echo "<p>Hmmm, ".$email." email does not seem to exist in our records!</p>";
      exit();
    }       

} else {
    header("Location: /login");
    exit();
}

Any help on where i'm going wrong is much appreciated.

Answer 1

After several painful hours of looking through and rewriting code, I have figured out what was causing the issue. It was actually the registration page where the email is sent. I have wrapped the activation link in the body of the message in single quotes and it now works perfectly. You see them in the email... 'http://www.example.com/activate?email=".$email."&activationCode=".$activationCode."' but the link works so I am sticking with it.

Cheers for all your help, really appreciate it.

Answer 2

You could add an " AND active = 1" condition to your sql query on login