Change Email Function Problem


chaseman

I wrote a bunch of code just to realize that there's a huge security hole in my script.

 

Here's how I've built it:

 

1. first you enter the new email address into the input box and click submit

2. an email gets sent to you where you have to click on an activation link to confirm the change, and of course the email gets sent to the inbox to make sure it's a valid email

the activation link looks as follows:

 

http://localhost/changeemail_confirm.php?id=$dbuser_id&email=$user_email

 

The dbuser_id gets taken from the session variable, and the user email is the newly entered user email.

 

3. After clicking the link you get directed to an activation page. I thought about letting the user enter his password and matching it against the password in the database as added security, so he can't just change the user_id in the link so that another user's email gets changed.

 

the query on the activation page looks like this:

 

"UPDATE user SET email = '$user_email' WHERE nickname = '$dbuser_name' AND user_id = '$id'";

 

The $id is being taken from the activation link per GET, and the $dbuser_name is being taken from the session variable.

 

And now this is the problem where I'm stuck: even though I've added a bunch of security, and even the necessary password entry, there's still a major security hole, which is that the user can easily change the email in the activation link to something else, something that is not a valid email.

 

E.g.

this

 

http://localhost/changeemail_confirm.php?id=35&email=mail@phpmail.local 

 

can become this, when the user manually edits the URL and pastes it into his browser:

 

http://localhost/changeemail_confirm.php?id=35&email=MAIL@ANYTHING.com

 

How can I prevent this? Is there any way I could tell the script the CONFIRMED and VALID email in a more secure way?

 

 

BTW this script works as it is, it's just that the user can manually change the email to something else, which makes this script worthless for now.


I have on my user table a field called "key". I use it for any random string I want to assign a user for something like this. When they request a password reset, they get a 20 character "key" in the DB, and in the email. When they click the email, I confirm the username (in your case, email) AND key match the record in the DB. If the key does not match, they can't change it. Hope that helps.


 

Thanks for the tip, I know about the key method you were talking about, it's been done with the random() function. But couldn't the user still change the email to something else, even if the random key is matching?

 

It works like this:

 

1. the user gets the email

2. since user got the email we can be sure the email is valid

3. now the user takes the activation link by manual copy, and changes the email address in the link to something else

4. and pastes it into the address bar of his browser

5. the activation script still checks for the ID and for the USERNAME and if you want for the RANDOM KEY as well.

6. AFTER everything has been valid it simply takes the email off the URL and inserts it into the database.

 

The problem is there's no chance of validating the email, no chance of re-checking if it's still the same email address.

 

Maybe the email should not be taken off the URL; maybe I should rather find a way to save the email somewhere, maybe in a variable or similar, until confirmation, and only after confirmation the email gets inserted into the database from the place it was saved, e.g. a variable.

 

Is there a way I could accomplish this?

 


You're trying to change the current email to a new email?

 

If you want to do what you described at the end, make a field for new_email along with the key field. That would solve the problem.

So before the confirmation email gets sent out, save the entered email in new_email, then:

 

1. confirm email.

2. take email out of new_email

3. insert it into regular email field and empty new_email

 

When the user wants to change the email again, the same procedure starts anew.

 

Nice, I think that solves the problem, and when I do the random number method then there's no need for a password entry.

 

Thank you for the help, I'll try it out in a minute.

 

 

So much code for a simple function LOL, life as a programmer.


I would still do the password too, just to make sure.

Thanks for the tip. I'm still working on the script and I'm having problems with the query.

 

This works straight in PHPMyAdmin:

 

UPDATE user SET email_new = 'support@phpmail.local' WHERE nickname = 'chasechase' AND user_id = '35'

 

 

But this does not work:

 

UPDATE user SET email_new = 'support@phpmail.local' AND random = '99999' WHERE nickname = 'chasechase' AND user_id = '35'

 

 

Do you know the SQL query to set BOTH, the new email AND the random code?

 

 

I still desperately need to learn proper SQL commands; I'll put reading an SQL book next on my list.

 

 

p.s. the nickname and user_id are being taken from the session variables, I hope that is secure enough.
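The two-column UPDATE asked for above, together with the new_email plus random key flow suggested earlier in the thread, as an added example; this is not code from the thread or from any poster. It uses Python with an in-memory SQLite table standing in for the MySQL "user" table, and the column names email_new, random and random_exp, the one-hour token lifetime, the key query parameter and the constructed sample row are all assumptions. Two points the thread's own queries do not cover are built in: the confirmation page reads the new address from the row, never from the URL, so editing the link cannot inject a different address; and every query uses placeholders instead of interpolating $id and $user_email into the SQL string, which in the original is open to SQL injection via the GET parameter (in PHP the equivalent is a mysqli or PDO prepared statement, and random_bytes() rather than a general-purpose random function for the key).

```python
import hmac
import secrets
import sqlite3
import time
from urllib.parse import parse_qs, urlsplit

# Constructed schema standing in for the thread's "user" table, extended with the
# email_new and random columns the replies suggest (names are assumptions).
SCHEMA = """
CREATE TABLE user (
    user_id     INTEGER PRIMARY KEY,
    nickname    TEXT NOT NULL,
    email       TEXT NOT NULL,
    email_new   TEXT,
    random      TEXT,
    random_exp  INTEGER
);
"""

TOKEN_TTL_SECONDS = 3600  # assumption: a confirmation link is valid for one hour


def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    # constructed sample row using the ids from the thread's example queries
    db.execute("INSERT INTO user VALUES (35, 'chasechase', 'mail@phpmail.local', NULL, NULL, NULL)")
    db.commit()
    return db


def request_email_change(db, user_id, nickname, new_email, now=None):
    """Step 1: park the requested address server-side and mint a random key.
    Returns the confirmation link; the address itself never appears in the URL."""
    now = int(time.time()) if now is None else now
    token = secrets.token_urlsafe(16)  # CSPRNG, not a general-purpose random()
    # The query the last post asks for: SET takes a comma-separated list of
    # assignments, not AND. Placeholders close the injection in the original.
    cur = db.execute(
        "UPDATE user SET email_new = ?, random = ?, random_exp = ? "
        "WHERE user_id = ? AND nickname = ?",
        (new_email, token, now + TOKEN_TTL_SECONDS, user_id, nickname),
    )
    if cur.rowcount != 1:
        db.rollback()
        raise ValueError("no such user_id / nickname pair")
    db.commit()
    return f"http://localhost/changeemail_confirm.php?id={user_id}&key={token}"


def confirm_email_change(db, user_id, key, now=None):
    """Step 2: what changeemail_confirm.php should do with ?id=...&key=...
    The new address is copied from email_new, never read from the request."""
    now = int(time.time()) if now is None else now
    row = db.execute(
        "SELECT email_new, random, random_exp FROM user WHERE user_id = ?", (user_id,)
    ).fetchone()
    if row is None or row[0] is None or row[1] is None:
        return False  # no change pending for this user
    email_new, stored_key, exp = row
    # constant-time compare: guessing the id is not enough without the mailed key
    if not hmac.compare_digest(stored_key, key) or now > exp:
        return False
    # promote the pending address and clear the key so the link is single-use
    db.execute(
        "UPDATE user SET email = email_new, email_new = NULL, random = NULL, random_exp = NULL "
        "WHERE user_id = ? AND random = ?",
        (user_id, stored_key),
    )
    db.commit()
    return True


def current_email(db, user_id):
    return db.execute("SELECT email FROM user WHERE user_id = ?", (user_id,)).fetchone()[0]


def parse_link(link):
    """Mimics what PHP's $_GET hands the confirmation page."""
    q = parse_qs(urlsplit(link).query)
    return int(q["id"][0]), q["key"][0]


def demo():
    db = open_db()
    link = request_email_change(db, 35, "chasechase", "support@phpmail.local")
    uid, key = parse_link(link)
    # Tampering: there is no email parameter to edit, and a wrong key is rejected.
    assert not confirm_email_change(db, uid, "tampered-" + key)
    assert current_email(db, uid) == "mail@phpmail.local"
    assert confirm_email_change(db, uid, key)
    assert not confirm_email_change(db, uid, key)  # single-use
    return current_email(db, uid)


if __name__ == "__main__":
    print(demo())
```

The MySQL form of the first UPDATE is the same apart from the placeholder syntax: `UPDATE user SET email_new = ?, random = ? WHERE nickname = ? AND user_id = ?`. The failing query in the post is accepted by MySQL but parsed as a single assignment, `email_new = ('support@phpmail.local' AND random = '99999')`, so it evaluates the right-hand side as a boolean instead of setting two columns.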
