What's wrong with my email verification code?

Question

Okay so today, i edited this code which is supposed to make it so that users can change their email addresses. After they change their email addresses, it will send the user a confirmation email. However, instead i am being redirected to an internal error 500 page. :\ any help? I don't see anything wrong with the code..

<?php

include("session.php");
//Create game account
$mysqli = new mysqli("localhost", "root", "password", "data");

if(mysqli_connect_errno()){
    echo("Sorry, the server is 'Under Maintainance'");
    exit();
}

$newemail = $mysqli->real_escape_string($_POST['email']);
$newemail = strtolower($newemail);
$password = $mysqli->real_escape_string($_POST['password']);
$hash     = sha1(strtolower($name) . $password);

if(!isset($name)){
    header("Location:index");
}else if($password == null || $password == "" || (strlen($password)) < 4 || strpos($password, '<') !== false || strpos($password, '>') !== false){
    header("Location:cemail?error=6");//Invalid password
}else if($newemail == null || $newemail == "" || (strlen($newemail) <= 6 || strpos($newemail, '<') !== false || strpos($newemail, '>') !== false) || strpos($newemail, '@') == false || strpos($newemail, ".com") == false){
    header("Location:cemail?error=7");//Invalid Email address
}else if($email == $newemail){
    header("Location:cemail?error=7");//Invalid Email address
}else{
    $result  = $mysqli->query("SELECT * FROM characters WHERE email='$newemail' && name!='$name");
    $row_cnt = $result->num_rows;
    $result->free();

    if($row_cnt != 0){
        header("Location:cemail?error=3");//Email already taken
    }else{

        $result  = $mysqli->query("SELECT * FROM characters WHERE originemail='$newemail' && name!='$name'");
        $row_cnt = $result->num_rows;
        $result->free();

        if($row_cnt != 0){
            header("Location:cemail?error=3");//Email already taken
        }else{

            $result = $mysqli->query("SELECT * FROM characters WHERE name='$name'");

            /* fetch associative array */
            while($row = $result->fetch_assoc()){
                $pass        = $row['pass'];
                $originemail = $row['originemail'];
            }

            /* free result set */
            $result->free();

            if($hash != $pass){
                header("Location:cemail?error=6");//Invalid Password Match
            }else{
                $mysqli->query("UPDATE characters SET email='$newemail' WHERE name='$name'");

//Send Email to confirm 
                $to      = $newemail . ", " . $originemail;
                $subject = "Your email address has now been successfully changed!";
                $body    = "This is a notification regarding the recent change(s) made to your Legion Online account: " . $username . "
\n\n
Your email address has recently been modified through the Legion Online website. If you made this email address change, please disregard this notification. If you did not change your email address, please visit the account recovery page to ensure your account is secure.\n\nEmail addresses connected to this account: \n" . $originemail . "(primary)\n" . $newemail;
                $headers = "From: AccountSupport@ArchStudios.net" . "\r\n";
                if(mail($to, $subject, $body, $headers)){
                    header("Location:accountsettings");
                }else{
                    echo "Email request failed.";
                }
            }
        }
    }
}
$mysqli->close();
?>

Or if you can't find the error logs, add `ini_set('display_errors', 1);` to the top of the file (right below ` — Brilliand, Jul 30 '13 at 19:45
Note that the password you edited out is still in the edit history. — Brilliand, Jul 30 '13 at 19:51
You are using `$name` without declaring it before - `$hash = sha1(strtolower($name) . $password);` — Sean, Jul 30 '13 at 19:53
I strongly suggest you change the password everywhere you use it. — JJJ, Jul 30 '13 at 19:56
@user2635579 See http://meta.stackexchange.com/questions/102145/removing-someones-private-information-and-edit-history-to-protect-them - apparently you have to contact the site owners. Flagging the question will do that. You could also change the password on your end. — Brilliand, Jul 30 '13 at 20:26
@Brilliand don't worry, as soon as i saw this i changed my password on my email and on my servers. Important information to be protected. — user2635579, Jul 30 '13 at 20:32

score 0 · Accepted Answer · answered Jul 30 '13 at 19:44

0

you have only a single quote by variable $name:

$result=$mysqli->query("SELECT * FROM characters WHERE email='$newemail' && name!='$name");

copy this:

$result=$mysqli->query("SELECT * FROM characters WHERE email='$newemail' && name!='$name'");

answered Jul 30 '13 at 19:44

Black Sheep

6,604
7
30
51

score 0 · Answer 2 · answered Jul 30 '13 at 19:47

0

Don't forget to close single/double quotes.

Replace

$mysqli = new mysqli("localhost", "root", "password", "data);
$result  = $mysqli->query("SELECT * FROM characters WHERE email='$newemail' && name!='$name");

by

$mysqli = new mysqli("localhost", "root", "password", "data");
$result  = $mysqli->query("SELECT * FROM characters WHERE email='$newemail' && name!='$name'");

answered Jul 30 '13 at 19:47

glautrou

3,140
2
29
34

Thanks to the syntax highlighter – glautrou Jul 30 '13 at 19:48
Note that the missing quote after "data" was just a mistake while anonymizing the code, not the actual problem he was having. – Brilliand Jul 30 '13 at 20:28

What's wrong with my email verification code?

2 Answers2