maybe thats how to escape the activation of unknown users

activation.php

@@ -38,7 +38,10 @@ if(isset($_GET['send']) ) {
  $user = $statement->fetch(); 
  
  if($user === false) {
- $error = '<span class="badge badge-pill badge-warning"><b>no user found</b></span>';
+    $error = '<span class="badge badge-pill badge-warning"><b>no user found</b></span>';
+ }
+ if($user['username'] !== $_POST['username']){
+    $error = '<span class="badge badge-pill badge-warning"><b>no user found/invalid user</b></span>';
  }
  if($user['activated'] == "1"){
      $error = '<span class="badge badge-pill badge-warning"><b>user already activated!</b></span>';