PHP-error but still sends what is requested

Viewed 47 times

-1

I have the following code: if I do not make a particular request it sends an error, and if there is no such error it sends an email to the user. The problem is that, in addition to showing the error, it also sends the email (please see the photo).

<?php
include("config.php");
if(isset($_POST['submit_email']) && isset($_POST['email'])) {
    $email = mysqli_real_escape_string($conn, $_POST['email']);
    $sql = "SELECT * FROM registo WHERE email = '$email'";
    $r = mysqli_query($conn, $sql);
    $count = mysqli_num_rows($r);
    if($count == 1) {
        // Create new hash
        $key = hash('sha256', uniqid("", true));
        // SQL query to update user record with hash value
        $usql = "UPDATE registo set reset_key = '".$key."' where email = '".$email."'";
        if(!mysqli_query($conn, $usql)) {
            echo "Error updating database!";
        }
        // send link to user with generated key
        $link="<a href='http://unn-w17015779.newnumyspace.co.uk/reset.php?key=".$key."'>Click To Reset password</a>";
        $to = $email;
        $subject = 'Reset Password';
        $message = 'Click On This Link to Reset Password '.$link;
        $headers = 'From: Galaxy books shop <**@gmail.com>' . "\r\n" .
                   'Reply-To: **@gmail.com' . "\r\n" .
                   'X-Mailer: PHP/' . phpversion();
        // Send email
        if(mail($to, $subject, $message, $headers)){
            echo "Your reset link has been sent to your email ";
        }else{
            echo "Failed to Recover your password, try again";
        }
    } else {
        echo "User name does not exist";
    }
}
?>


  • 1

    The sending of the email is outside the if that checks for the error in the update; this is not a PHP or SQL problem but a programming-logic problem.

  • "If you do not make a request, it issues an error": are you referring to this code snippet? echo "Error updating database!";

  • 1

    Just so you're aware, uniqid() is time-based; it's good for generating unique data, but not for generating hard-to-discover data, which is different. It uses an extremely predictable generator, an LCG (Linear Congruential Generator). PHP already has CSPRNG support with random_bytes(), or if you want to trust a userspace CSPRNG there is openssl_random_pseudo_bytes(). There is even an RFC to improve uniqid(), currently closed.

3 answers

1

To be safe, add mysqli_real_escape_string to $key as you did with $email; I believe the hash does not contain ', but it may still be the flaw:

$key = hash('sha256', uniqid("", true));

// mysqli_real_escape_string needs the connection as its first argument
$keyescaped = mysqli_real_escape_string($conn, $key);

$usql = "UPDATE registo set reset_key = '".$keyescaped."' where email = '".$email."'";

And in the if around mysqli_query use exit; to stop the code, and also use mysqli_error to find out what failed, like this:

if(!mysqli_query($conn, $usql)) {
    echo "Error updating database:", mysqli_error($conn);
    exit;
}

Or use die like this:

// die() takes a single argument, so the message and the error are concatenated
mysqli_query($conn, $usql) or die("Error updating database: " . mysqli_error($conn));

// send link to user with generated key
$link="<a href='http://unn-w17015779.newnumyspace.co.uk/reset.php?key=".$key."'>Click To Reset password</a>";

Another problematic detail in your question (maybe it was the edit that added this) is the backslashes \; this really looks wrong:

if(isset($_POST['submit_email']) && isset($_POST['email'])) {
    $email = mysqli_real_escape_string($conn, $_POST['email']);

Or you can simplify it to:

if(isset($_POST['submit_email'], $_POST['email'])) {
    $email = mysqli_real_escape_string($conn, $_POST['email']);

After all, isset can check several variables at once.
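Putting the answer's logic point and the comment about uniqid() together, here is the reset flow rearranged so that the e-mail is only sent once the UPDATE has succeeded. This is an added example, not the asker's or any answerer's code. It assumes config.php defines $conn (a mysqli connection) and the table and columns from the question (registo, email, reset_key); the host name in the link is a placeholder. The key comes from random_bytes() rather than uniqid(), and a prepared statement replaces mysqli_real_escape_string for both values.

```php
<?php
// Added example: password-reset request with the e-mail gated on the UPDATE.
// Assumes $conn (mysqli) from config.php and the question's table `registo`
// with columns `email` and `reset_key`. The link host is a placeholder.
declare(strict_types=1);
include("config.php");

// Reset key from the CSPRNG: 32 random bytes, 64 hex characters.
// uniqid() is time-based and predictable, so it is not used here.
function generate_reset_key(): string
{
    return bin2hex(random_bytes(32));
}

// Stores the key for the address. Returns true only when exactly one row was
// updated, which covers both "e-mail not registered" and "UPDATE failed".
// Binding the parameters avoids manual escaping of $email and $key.
function store_reset_key(mysqli $conn, string $email, string $key): bool
{
    $stmt = mysqli_prepare($conn, "UPDATE registo SET reset_key = ? WHERE email = ?");
    if ($stmt === false) {
        error_log("prepare failed: " . mysqli_error($conn));
        return false;
    }
    mysqli_stmt_bind_param($stmt, "ss", $key, $email);
    $ok = mysqli_stmt_execute($stmt);
    if (!$ok) {
        error_log("update failed: " . mysqli_stmt_error($stmt));
    }
    // The key is freshly random each time, so a matched row is always a changed row.
    $affected = mysqli_stmt_affected_rows($stmt);
    mysqli_stmt_close($stmt);
    return $ok && $affected === 1;
}

// Sends the reset link. The key is URL-encoded even though hex needs no escaping,
// so the same code stays correct if the key format ever changes.
function send_reset_mail(string $email, string $key): bool
{
    $link    = "https://example.invalid/reset.php?key=" . urlencode($key); // placeholder host
    $subject = "Reset Password";
    $message = "Click on this link to reset your password: " . $link;
    $headers = "From: Galaxy books shop <noreply@example.invalid>\r\n"; // placeholder sender
    return mail($email, $subject, $message, $headers);
}

if (isset($_POST['submit_email'], $_POST['email'])) {
    $email = (string) $_POST['email'];
    $key   = generate_reset_key();

    if (!store_reset_key($conn, $email, $key)) {
        // Nothing was stored, so no mail goes out. The same message is shown
        // for an unknown address and for a database failure, which keeps the
        // form from revealing which e-mails are registered; the real cause is
        // in the server log via error_log() above.
        echo "If that address is registered, a reset link has been sent.";
        exit;
    }

    if (send_reset_mail($email, $key)) {
        echo "If that address is registered, a reset link has been sent.";
    } else {
        echo "Failed to send the reset e-mail, try again";
    }
}
```

The separate SELECT from the question is no longer needed: mysqli_stmt_affected_rows() tells you whether the address matched a row, and the mail() call is reachable only through the branch where that check passed, which is exactly the control-flow fix the answers describe.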

1

If there is code that should run even when there is an error, you can use a condition instead of exit():

        .............
        .............
        if(!mysqli_query($conn, $usql)) {
            echo "Error updating database!";
        } else {
            // send link to user with generated key
            $link="<a href='http://unn-w17015779.newnumyspace.co.uk/reset.php?key=".$key."'>Click To Reset password</a>";
            $to = $email;
            $subject = 'Reset Password';
            $message = 'Click On This Link to Reset Password '.$link;
            $headers = 'From: Galaxy books shop <**@gmail.com>' . "\r\n" .
                       'Reply-To: **@gmail.com' . "\r\n" .
                       'X-Mailer: PHP/' . phpversion();
            // Send email
            if(mail($to, $subject, $message, $headers)){
                echo "Your reset link has been sent to your email ";
            }else{
                echo "Failed to Recover your password, try again";
            }
        }
    } else {
        echo "User name does not exist";
    }
}
?>

code ..........
code ..........

0

You should use an exit():

    if(!mysqli_query($conn, $usql)) {
        echo "Error updating database!";
        exit();
    }

This way, if you fall into this condition, the error is shown by the echo and the script stops because of exit().
