I am making a PHP registration script. Registration works fine, everything is inputted into the database successfully, and the activation email works just fine, but whenever I use a mysqli query to select or update info, it doesn't work.
For instance, when I log in with an account I know is in the database, it tells me the username doesn't exist, and when clicking the activation link in the email, the query fails to update the database in the same way.
I'm sure this is a super simple error I'm overlooking in my newbishness, but I couldn't find a suitable answer after a few hours of looking. I'm not really sure what the issue is.
Activate.php
require "/functions.php";
if (isset($_GET['user'])) {
    $user = $_GET['user'];
}
if (isset($_GET['key']) && (strlen($_GET['key']) == 32)) {
    $key = $_GET['key'];
}
if (isset($user) && isset($key)) {
    $sql = <<<SQL
UPDATE users
SET validation = NULL
WHERE username='$user'
AND validation='$key',
user_group = 'member'
SQL;
    $count = $db->affected_rows;
    if ($count == 1) {
        echo '<div>Your account is now active. You may now <a href="login.php">Log in</a></div>';
    } else {
        echo '<div>Oops! Your account could not be activated. Please recheck the link or contact the system administrator.</div>';
    }
    ob_end_flush();
} else {
    echo '<div>Error Occured .</div>';
}
?>
login.php
// Globals & error variable
require "/functions.php";
session_start();
$error = "";
if (isset($_POST['Submit'])) {
    if (empty($_POST['username']) || empty($_POST['password'])) {
        $error = "Please fill in all fields!";
    } else {
        $username = $_POST['username'];
        $password = $_POST['password'];
        // Injection-protection!
        $username = stripslashes($username);
        $password = stripslashes($password);
        $username = mysqli_real_escape_string($db, $username);
        $password = mysqli_real_escape_string($db, $password);
        $sql = <<<SQL
SELECT *
FROM `users`
WHERE `username`='$username'
SQL;
        $result = $db->query($sql);
        $count->num_rows;
        if ($count == 1) {
            while ($row = mysqli_fetch_array($result)) {
                $hash = $row['password'];
                $ug = $row['user_group'];
            }
            salt();
            $options = ['salt' => $bcrypt_salt, 'cost' => 12];
            $password = $argv[1];
            if (crypt($password, $hash) == $hash) {
                $_SESSION['login_user'] = $username;
                $_SESSION['user_group'] = $ug;
                header("location:index.php");
            } else {
                $error = "Username or password is invalid!";
            }
        } else {
            $error = "That username doesn't exist!";
        }
        ob_end_flush();
    }
}
functions.php
// db connect
$db = new mysqli('HOST', 'USER', 'PASS', 'DB');
if ($db->connect_errno > 0) {
    die('Unable to connect to database [' . $db->connect_error . ']');
}
On a side note, feel free to bring up any glaringly obvious bad-practice things you guys see. I'm new, but I don't want to develop bad habits!
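
A prepared-statement version of the activation and login queries, as an added example that is not part of the original post. It assumes the `users` table and column names shown above, the `$db` handle from functions.php, bcrypt hashes in the `password` column, and the mysqlnd driver for `get_result()`; the function names are hypothetical.

```php
<?php
// Added example, not the poster's code. Table and column names are taken
// from the post; function names are hypothetical.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // failed queries throw

// Activates an account; returns true only if exactly one row was changed.
function activate_account(mysqli $db, string $user, string $key): bool
{
    if (strlen($key) !== 32) {
        return false;
    }
    // Both assignments go in SET; both conditions go in WHERE.
    $stmt = $db->prepare(
        "UPDATE users SET validation = NULL, user_group = 'member'
         WHERE username = ? AND validation = ?"
    );
    $stmt->bind_param('ss', $user, $key); // values are never spliced into the SQL
    $stmt->execute();                     // affected_rows is only set after this
    $changed = ($stmt->affected_rows === 1);
    $stmt->close();
    return $changed;
}

// Returns the user's row when the password matches, or null otherwise.
function check_login(mysqli $db, string $username, string $password): ?array
{
    $stmt = $db->prepare(
        'SELECT username, password, user_group FROM users WHERE username = ?'
    );
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // null when no row matches
    $stmt->close();
    // password_verify() reads salt and cost from the stored hash itself and
    // compares in constant time; it also accepts hashes made by crypt().
    if (!$row || !password_verify($password, $row['password'])) {
        return null;
    }
    return $row;
}

// Usage in login.php, with $db from functions.php:
// if ($row = check_login($db, $_POST['username'], $_POST['password'])) {
//     session_regenerate_id(true); // new session id after authentication
//     $_SESSION['login_user'] = $row['username'];
//     $_SESSION['user_group'] = $row['user_group'];
// }
```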