In order for my users to log in they have to activate their account through email. The activation works fine. The trouble I am having is displaying a message at login if the user has not activated. Here is the activation script:

<?php
require "connect.php";

if(isset($_GET['u'])){
//make sure that 'u' is numeric
if(is_numeric($_GET['u'])){
$u=$_GET['u'];
}else{
$u=0;
}
}

if(isset($_GET['a_code'])){
$code=$_GET['a_code'];
}else{
$code=0;
}

//Check to see if the received values are correct
$sql = "SELECT * FROM members WHERE uid = '".$u."' AND actcode = '".md5(0)."'";
if(($u > 0) && (strlen($code)) == 32){

//now activate the user
$sql="UPDATE members SET actcode ='".md5(1)."' WHERE uid = '".$u."'";

$res = mysql_query($sql) or die(mysql_error());

if(mysql_affected_rows() == 1){

//update successful
echo ('Your account is now activated. You may proceed and log in.<br/><br /><a href="http://www.eternalhour.com/login.php">Login Page</a>');
}else{
echo ('Your account could not be activated. Please try again or contact the site admin.<br/><br/><a href="http://www.eternalhour.com/registration_form.php">Registration Page</a>');
}
}
?>

I have tried setting up a query then using a $_GET to compare the codes.
But I am imagining the code for the login script will look something like:

if(isset($_GET['u'])){
$u=$_GET['u'];
}

$sql = "SELECT * FROM members WHERE uid = '".$u."' AND actcode = '".md5."'";
if($row['actcode']) == (md5(1)){

}else{
$msg = "You need to activate your account before logging in.";
}

But what I don't understand, is how to verify that the string == md5(1). Could someone help me please?

All 8 Replies

When a user registers you must provide a link to the verification page with two get variables U & AID (activation ID), you must also store these details in the table.

When it verifies a user then remove all values from the AID field thus leaving it blank.

Then when it comes to logging them in then you only need to check if the field value is true, if it is then they haven't verified their account, if it isn't then they have and you can create the cookie.

I have an activation script in place, which works just fine. I'd rather not change the script I have, because everything works perfectly as it is. The users can log in, if they have activated. I am just looking for a way to find out if they have activated from my login script, so I can notify them that they need to activate in order to log in.

You aren't understanding how an activation script works. As of right now yours makes no sense. The values you are passing via get are not even being used in your queries.

The point of an activation script is to send a unique random number that is hard to guess (md5 of 1 will be the same every time, that's pointless). This helps make sure that the link was sent to their email address only and no one else's. The activation script needs to get the values from the url and use them in the database to identify the user that registered and mark them as 'active'.

Well forgive me for not being an expert, but why do you think I am here asking? You may know PHP better than I do, but your people skills really need some work. My script is obviously incorrect, thanks for the criticism.

On forums I tend to say things without the other person's feelings in mind (probably this is because it's not a face to face conversation). I didn't realize how rude that sounded until after I read it again. For that, I apologize.

To make up for it, I will tell you exactly what to do.

On your registration page you need to create the link, email it, and save the random string in the database. I usually use a column named 'active' for this.

//this is after form validates and you are about to insert the data into the database
function randString( $length ) {
	$array = array("b","c","d","f","g","h","j","k","l","m","n","p","q","r","s","t","v","w","x","y","z","B","C","D","F","G","H","J","K","L","M","N","P","Q","R","S","T","V","W","X","Y","Z","0","1","2","3","4","5","6","7","8","9");
	$i = 0;
	$code = '';
	while ( $i < $length ) {
		$rand = rand( 0,( count( $array ) - 1 ) );
		$code .= $array[$rand];
		$i++;
	}
	return $code;
}
$code = randString(50);
mysql_query("INSERT INTO `members` (....column names....,`active`) VALUES (....values here....,'{$code}')") or die(mysql_error()); //shows how you insert the code; column names take backticks, not quotes
$message = "Welcome to something.com,\n\nTo activate your account click the link below:\n\nhttp://www.something.com/activate.php?id=" . mysql_insert_id() . "&code={$code}\n\nBest regards,\n\nAdmin\nSomething.com (info@something.com)";
mail('email of user from form','Email Confirmation',$message,"From: Something.net<no-reply@something.net>"); //sends the activation email with the id of the user and activation code.

On activate.php, we use the id and the code to id the user and set them to active.

if ( isset( $_GET['id'],$_GET['code'] ) ) {
  $id = (int) $_GET['id'];
  $code = mysql_real_escape_string( $_GET['code'] );
  $query = mysql_query("SELECT `active` FROM `members` WHERE `id` = {$id}");
  if ( mysql_num_rows( $query ) == 1 ) {
    list( $active ) = mysql_fetch_row( $query ); //fetches the single row as an array
    //compare as strings: with ==, a stored code such as "1bcd..." would equal 1 in PHP 5
    if ( $active === '1' ) {
       die('User account has already been activated');
    }
    elseif ( $active === $code ) {
      mysql_query("UPDATE `members` SET `active` = 1 WHERE `id` = {$id}"); //sets the member to active.
    }
    else {
      die('Invalid activation code');
    }
  }
  else {
    die('User not found!');
  }
}
else {
  die('Malformed URL');
}

In your login script all you need to do is add ' AND `active` = 1' in your query.

Apology accepted, it was obviously not intentional. Thanks for this code, Keith, but this brings me back to my original question. With your script, how do I notify the user at login that they need to activate their account in order to log in?

if ( isset( $_GET['id'],$_GET['code'] ) ) {
  $id = (int) $_GET['id'];
  $code = mysql_real_escape_string( $_GET['code'] );
  $query = mysql_query("SELECT `active` FROM `members` WHERE `id` = {$id}");

if($row['active']) == 1){
 
}else{

$msg = "You need to activate your account before logging in.";

}

Maybe?

My script goes on its own page called activate.php.

In your login script you should get the user via a username/email which you have probably already done.
ex.

$username = mysql_real_escape_string( $_POST['user'] ); //username from form
$query = mysql_query("SELECT `password`,`active` FROM `table_name` WHERE `username` = '{$username}' LIMIT 1");
if ( mysql_num_rows( $query ) == 0 ) {
  $msg = 'Username and/or Password incorrect'; //never be specific
}
else {
  list( $password,$active ) = mysql_fetch_row( $query );
  //mysql_fetch_row() returns column values as strings, so compare against '1'
  if ( $active !== '1' ) {
    $msg = 'You need to activate your account before logging in.';
  }
  else {
    //check the password and set login session here. Your passwords should be hashed.
  }
}

Make sure your passwords are hashed as well.
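
The activation and login flow discussed in this thread, as an added example that is not any poster's code. It assumes PHP 7.1+ with PDO and an in-memory SQLite database so it runs offline; the schema, the `act_hash` column (NULL once activated) and the function names are hypothetical. It draws the code from `random_bytes()` instead of `rand()`, stores only a hash of it, and checks the password before reporting activation status.

```php
<?php
// Added example: hypothetical schema and function names; in-memory SQLite so it runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, username TEXT UNIQUE,
           password_hash TEXT, act_hash TEXT)'); // act_hash is NULL once activated

function register(PDO $db, string $user, string $pass): array {
    $code = bin2hex(random_bytes(32)); // CSPRNG output, 64 hex characters
    $st = $db->prepare('INSERT INTO members (username, password_hash, act_hash) VALUES (?, ?, ?)');
    // Store only a hash of the code, so a database leak does not expose usable links.
    $st->execute([$user, password_hash($pass, PASSWORD_DEFAULT), hash('sha256', $code)]);
    return [(int) $db->lastInsertId(), $code]; // id and code go into the emailed link
}

function activate(PDO $db, int $id, string $code): bool {
    $st = $db->prepare('SELECT act_hash FROM members WHERE id = ?');
    $st->execute([$id]);
    $stored = $st->fetchColumn();
    // false = no such id, null = already activated; both are rejected the same way.
    if (!is_string($stored) || !hash_equals($stored, hash('sha256', $code))) {
        return false;
    }
    $db->prepare('UPDATE members SET act_hash = NULL WHERE id = ?')->execute([$id]);
    return true;
}

function login(PDO $db, string $user, string $pass): string {
    $st = $db->prepare('SELECT password_hash, act_hash FROM members WHERE username = ?');
    $st->execute([$user]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    // Verify the password first, so activation status is shown only to the account owner.
    if (!$row || !password_verify($pass, $row['password_hash'])) {
        return 'Username and/or Password incorrect';
    }
    if ($row['act_hash'] !== null) {
        return 'You need to activate your account before logging in.';
    }
    return 'ok';
}

// Constructed sample run.
[$id, $code] = register($db, 'alice', 'correct horse');
echo login($db, 'alice', 'correct horse'), "\n"; // login attempt before activation
var_dump(activate($db, $id, 'wrong-code'));       // activation attempt with a wrong code
var_dump(activate($db, $id, $code));              // activation with the emailed code
echo login($db, 'alice', 'correct horse'), "\n"; // login attempt after activation
echo login($db, 'alice', 'bad password'), "\n";  // wrong password on an existing account
```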

Unfortunately Keith, I could not get my activation working with the script you posted. However, after changing the way my activation works and adjusting the login script, I was able to get everything working properly. Thanks for your time and effort.
