I am trying to implement this flow:
- User signs up with email address
- User receives email with validation link
- User follows link to a page asking to set a password
- User sets password
Here's the code I have so far:
```php
<?php
// Activation parameters arrive in the query string on the first visit.
$email = $_GET['email'] ?? '';
$verification_code = $_GET['verification_code'] ?? '';
$validation_message = "";
$self = htmlspecialchars($_SERVER["PHP_SELF"]);
// Escaped copies for inserting the values into HTML attributes.
$email_html = htmlspecialchars($email, ENT_QUOTES);
$code_html = htmlspecialchars($verification_code, ENT_QUOTES);

if(isset($_POST['submit'])) {
    if ($_POST['password'] == "") {
        $validation_message = "Please enter a password";
        echo "<form id='verify-email-form' action='$self' method='post'><h1 id='set-password-input' class='h1-splash h1-password'>Choose a password</h1><input type='hidden' name='email' value='$email_html'><input type='hidden' name='verification_code' value='$code_html'><input type='password' name='password' class='text-input' placeholder='Password'><button type='submit' name='submit' id='submit-input-splash'>Go!</button></form><p id='validation-message'>$validation_message</p>";
    }
    else {
        // Debug output only; escaped so the posted values cannot inject HTML.
        echo htmlspecialchars($_POST['email']);
        echo htmlspecialchars($_POST['password']);
    }
}
else {
    require 'connect.php';
    // Prepared statement: the user-supplied values are bound, not interpolated into the SQL.
    $stmt = $con->prepare("SELECT * FROM users WHERE email=? AND verification_code=? AND active='0'");
    $stmt->bind_param('ss', $email, $verification_code);
    $stmt->execute();
    $stmt->store_result();
    if ($stmt->num_rows > 0) {
        echo "<form id='verify-email-form' action='$self' method='post'><h1 id='set-password-input' class='h1-splash h1-password'>Choose a password</h1><input type='hidden' name='email' value='$email_html'><input type='password' name='password' class='text-input' placeholder='Password'><button type='submit' name='submit' id='submit-input-splash'>Go!</button></form><p id='validation-message'>$validation_message</p>";
    }
    else {
        echo "Invalid activation code.";
    }
}
?>
```
The URL is in this format: www.example.com/activate.php?email=name@example.com+verification_code=1234567890
I'm tripping up at the eventuality that a user presses submit without typing anything in the password field. It reloads the page to activate.php but without the variables in the URL, so the email address can't be submitted if the user then does type a password.
Is there a workaround for this, or a better way of structuring it?
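A hardened version of the activation handler, added here as an example and not part of the question: it reads the email and code from the hidden POST fields on every submit after the first visit, so an empty password submit does not lose them, binds the values in prepared statements, compares the code in constant time, and stores only a password hash. It assumes that connect.php provides a mysqli connection in `$con` with mysqlnd enabled (for `get_result`) and that `users` has a `password_hash` column; those names are assumptions.

```php
<?php
// Added example, not the asker's code. Assumes connect.php defines a mysqli
// connection in $con (mysqlnd enabled) and that users has a password_hash column.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
require 'connect.php';

function h(string $s): string { return htmlspecialchars($s, ENT_QUOTES, 'UTF-8'); }

// First visit carries email and code in the query string; every later POST
// carries them in hidden fields, so an empty password submit does not lose them.
$email = (string)($_POST['email'] ?? $_GET['email'] ?? '');
$code  = (string)($_POST['verification_code'] ?? $_GET['verification_code'] ?? '');
$message = '';

// Bind the user-supplied values instead of interpolating them into SQL.
$stmt = $con->prepare('SELECT verification_code FROM users WHERE email = ? AND active = 0');
$stmt->bind_param('s', $email);
$stmt->execute();
$row = $stmt->get_result()->fetch_assoc();

// Reject unknown or already-active accounts and compare the code in constant time.
if ($row === null || $code === '' || !hash_equals((string)$row['verification_code'], $code)) {
    http_response_code(403);
    exit('Invalid activation code.');
}

if (isset($_POST['submit'])) {
    $password = (string)($_POST['password'] ?? '');
    if (strlen($password) < 8) {
        $message = 'Please enter a password of at least 8 characters';
    } else {
        // Store only a salted hash, activate the account and burn the one-time code.
        $hash = password_hash($password, PASSWORD_DEFAULT);
        $upd = $con->prepare('UPDATE users SET password_hash = ?, active = 1, verification_code = NULL WHERE email = ?');
        $upd->bind_param('ss', $hash, $email);
        $upd->execute();
        exit('Your account is now active.');
    }
}

// Every value placed into HTML is escaped, including the hidden fields.
$self = h($_SERVER['PHP_SELF']);
echo "<form id='verify-email-form' action='$self' method='post'>"
   . "<h1>Choose a password</h1>"
   . "<input type='hidden' name='email' value='" . h($email) . "'>"
   . "<input type='hidden' name='verification_code' value='" . h($code) . "'>"
   . "<input type='password' name='password' placeholder='Password'>"
   . "<button type='submit' name='submit'>Go!</button></form>"
   . "<p id='validation-message'>" . h($message) . "</p>";
```

Because the code is checked before the password branch runs, a POST with an empty password re-renders the form with the same email and code, and the one-time code is nulled as soon as a password is accepted so the link cannot be replayed.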