From 039d1b1f2abec050aa6618626faad128f57c458a Mon Sep 17 00:00:00 2001
From: Thies Mueller <git@td00.de>
Date: Tue, 12 Jan 2021 17:33:41 +0100
Subject: [PATCH] commented activation.php

---
 activation.php | 57 +++++++++++++++++++++++++-------------------------
 1 file changed, 29 insertions(+), 28 deletions(-)

diff --git a/activation.php b/activation.php
index 3ee8403..9e061fe 100644
--- a/activation.php
+++ b/activation.php
@@ -7,11 +7,11 @@
 </head> 
 <body>
 <?php 
-session_start();
-include 'db.inc.php';
+session_start(); //session & stuff, you know it
+include 'db.inc.php'; //and a db connection, you know it...
  
-function random_string() {
- if(function_exists('random_bytes')) {
+function random_string() { //first we need a function, lets call it "random_string, shall we?
+ if(function_exists('random_bytes')) { //then check if other functions exist to create random chars
  $bytes = random_bytes(16);
  $str = bin2hex($bytes); 
  } else if(function_exists('openssl_random_pseudo_bytes')) {
@@ -20,43 +20,43 @@ function random_string() {
  } else if(function_exists('mcrypt_create_iv')) {
  $bytes = mcrypt_create_iv(16, MCRYPT_DEV_URANDOM);
  $str = bin2hex($bytes); 
- } else {
+ } else { //failing to this string:
 //this should be a unique string. if we use this in prod we should change this.
  $str = md5(uniqid('thisisnotreallyrandombutthisstringheresomakethislongandmaybewith12345numberskthxbye', true));
  } 
- return $str;
+ return $str; //returning the string generated with one or another method
 }
  
-$sessionuser = $_SESSION['username'];
-$showForm = true;
+$sessionuser = $_SESSION['username']; //get the usernamne from the session
+$showForm = true; //print the "form" (in this case just a button)
  
-if(isset($_GET['send']) ) {
- if(!isset($sessionuser) || empty($sessionuser)) {
+if(isset($_GET['send']) ) { //you know the drill. if theres a "?=send=1" this little script comes to action
+ if(!isset($sessionuser) || empty($sessionuser)) { //checks if you've got a valid session if not, it prints it out.
  $error = '<span class="badge badge-pill badge-danger"><b>No Valid User in Session. Please Login Again!</b></span>';
- } else {
- $statement = $pdo->prepare("SELECT * FROM users WHERE username = :username");
+ } else { //if theres a valid session do this:
+ $statement = $pdo->prepare("SELECT * FROM users WHERE username = :username"); //sql statement username = $sessionuser
  $result = $statement->execute(array('username' => $sessionuser));
  $user = $statement->fetch(); 
  
- if($user === false) {
+ if($user === false) { //in some cases users have a valid session, but the account was deleted in the background, this has that case covered: 
     $error = '<span class="badge badge-pill badge-warning"><b>no user found</b></span>';
  }
- if($user['username'] == ""){
+ if($user['username'] == ""){ //if you've managed to create a user without username, print an error.
     $error = '<span class="badge badge-pill badge-warning"><b>no user found</b></span>';
  }
- if($user['activated'] == "1"){
+ if($user['activated'] == "1"){ //if your account is already activated:
      $error = '<span class="badge badge-pill badge-warning"><b>user already activated!</b></span>';
  } else {
- //check if theres a code already
- $activationcode = random_string();
- $statement = $pdo->prepare("UPDATE users SET activationcode = :activationcode, activationcode_time = NOW() WHERE id = :userid");
- $result = $statement->execute(array('activationcode' => sha1($activationcode), 'userid' => $user['id']));
- 
- $mailrcpt = $user['email'];
- $mailsubject = "Activate the Account of ".$user['username'];
- $from = "From: Account Activation Service <activatemyaccount@".$_SERVER['HTTP_HOST'].">"; //place a real address if we use this in production
- $url_activationcode = 'https://'.$_SERVER['HTTP_HOST'].'/activate.php?userid='.$user['id'].'&code='.$activationcode; //this shouldnt be my domain in prod..
- $text = 'Hallo '.$user['username'].',
+ $activationcode = random_string(); //store a random string in this variable
+ $statement = $pdo->prepare("UPDATE users SET activationcode = :activationcode, activationcode_time = NOW() WHERE id = :userid"); //prepare the statement
+ $result = $statement->execute(array('activationcode' => sha1($activationcode), 'userid' => $user['id'])); //activationcode in db is sha1 of real activationcode
+ //now lets compose a mail:
+ $mailrcpt = $user['email'];  //mail goes to user that should be validated.
+ $mailsubject = "Activate the Account of ".$user['username']; //the subject
+ $from = "From: Account Activation Service <activatemyaccount@".$_SERVER['HTTP_HOST'].">"; //send mail from "activatemyaccount@%urlyourusingtoaccessthisscript%"
+ $url_activationcode = 'https://'.$_SERVER['HTTP_HOST'].'/activate.php?userid='.$user['id'].'&code='.$activationcode; //url for activation is https://%urlyourusingtoaccessthisscript%/activate.php?userid=$userid&code=$activationcode
+ //thats the content of the mail:
+ $text = 'Hallo '.$user['username'].', 
 please use the following URL to activate your account in the next 24h:
 '.$url_activationcode.'
  
@@ -64,15 +64,16 @@ If this mail comes unsolicited, please just ignore the mail.
  
 cheers
 loginpagefoo script';
- mail($mailrcpt, $mailsubject, $text, $from);
+ mail($mailrcpt, $mailsubject, $text, $from); //sending the mail with the build-in mail function.
  
  echo 'Link send. Going back to <a href="profile.php">profile</a> page. <meta http-equiv="refresh" content="0; URL=profile.php">'; 
+ //afterwards going back to profile, and dont render the form again.
  $showForm = false;
  }
  }
 }
  
-if($showForm):
+if($showForm): //you guessed it: html & the form:
 ?>
  
 <h1>Activate user</h1>
@@ -88,5 +89,5 @@ if(isset($error) && !empty($error)) {
 </form>
  
 <?php
-endif; 
+endif; //thats all
 ?>
\ No newline at end of file