0

Need to check if both the EMAIL_ADDRESS and ACTIVATION_CODE exist within a MySql Table, if so return "Code is valid",else "Code is NOT valid".

At present it's always returning code not valid, however I've checked the record in the table and the queried code does exist.

$email = $_POST['email'];
$acticode = $_POST['code'];


$result = mysql_query("SELECT * FROM xActivate WHERE EMAIL_ADDRESS='$email' AND ACTIVATION_CODE='$acticode' LIMIT 1");

 if (mysql_fetch_row($result)) {
    echo 'Code is valid';
} else {
    echo 'Code is NOT valid';
}
Improve this question
4
  • 2
    Try with the email address ' OR 1=1 --. Then it'll work. Else try to ask mysql_error() and read up on escaping, or parameterized queries. Commented Apr 13, 2014 at 3:07
  • Can you echo out the query and run it manually to verify everything is correct? Maybe the column names should be lower case? Commented Apr 13, 2014 at 3:08
  • 2
    @mario Should there not be a DROP ALL TABLES thrown in for good measure? Commented Apr 13, 2014 at 3:11
  • @mario where should I insert these? $result = mysql_query("SELECT * FROM xActivate WHERE EMAIL_ADDRESS='$email' AND ACTIVATION_CODE='$acticode' LIMIT 1"); Commented Apr 13, 2014 at 3:14

1 Answer 1

Reset to default
3

But this code is not secure:

$email = $_POST['email'];
$acticode = $_POST['code'];


$result = mysql_query("SELECT * FROM xActivate WHERE EMAIL_ADDRESS='$email' AND ACTIVATION_CODE='$acticode' LIMIT 1");
$data = mysql_fetch_row($result);
 if (mysql_num_rows($result) > 0) {
    echo 'Code is valid';
} else {
    echo 'Code is NOT valid';
}

To secure and prevent SQL Injection:

$email = mysql_real_escape_string($_POST['email']);
$acticode = mysql_real_escape_string($_POST['code']);

Please note:

https://www.php.net/mysql_real_escape_string

Warning

This extension is deprecated as of PHP 5.5.0, and will be removed in the future. Instead, the MySQLi or PDO_MySQL extension should be used. See also MySQL: choosing an API guide and related FAQ for more information. Alternatives to this function include:

    mysqli_real_escape_string()
    PDO::quote()
Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

mysql is deprecated, use mysqli. Also, use bindParam() for the $email and $acticode parameters.
Yes I am aware of this warning, I will leave a Note in my answer. Thank you

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.