Need to check if both the EMAIL_ADDRESS and ACTIVATION_CODE exist within a MySql Table, if so return "Code is valid",else "Code is NOT valid".
At present it's always returning code not valid, however I've checked the record in the table and the queried code does exist.
$email = $_POST['email'];
$acticode = $_POST['code'];
$result = mysql_query("SELECT * FROM xActivate WHERE EMAIL_ADDRESS='$email' AND ACTIVATION_CODE='$acticode' LIMIT 1");
if (mysql_fetch_row($result)) {
echo 'Code is valid';
} else {
echo 'Code is NOT valid';
}
But this code is not secure:
$email = $_POST['email'];
$acticode = $_POST['code'];
$result = mysql_query("SELECT * FROM xActivate WHERE EMAIL_ADDRESS='$email' AND ACTIVATION_CODE='$acticode' LIMIT 1");
$data = mysql_fetch_row($result);
if (mysql_num_rows($result) > 0) {
echo 'Code is valid';
} else {
echo 'Code is NOT valid';
}
To secure and prevent SQL Injection:
$email = mysql_real_escape_string($_POST['email']);
$acticode = mysql_real_escape_string($_POST['code']);
Please note:
http://ca1.php.net/mysql_real_escape_string
Warning
This extension is deprecated as of PHP 5.5.0, and will be removed in the future. Instead, the MySQLi or PDO_MySQL extension should be used. See also MySQL: choosing an API guide and related FAQ for more information. Alternatives to this function include:
mysqli_real_escape_string() PDO::quote()