introducing activation

activate.php

@@ -0,0 +1,56 @@
+<!DOCTYPE html> 
+<html> 
+<head>
+<link rel="stylesheet" href="ressources/css/bootstrap.min.css" crossorigin="anonymous">
+   
+  <title>Activate</title>    
+</head> 
+<body>
+<?php
+$pdo = new PDO('mysql:host=localhost;dbname=usertable', 'usertable', 'password');
+ 
+if(!isset($_GET['userid']) || !isset($_GET['code'])) {
+ die('<div class="alert alert-warning" role="alert">No code delivered. nothing to do here.</div>');
+}
+ 
+$userid = $_GET['userid'];
+$code = $_GET['code'];
+ 
+
+$statement = $pdo->prepare("SELECT * FROM users WHERE id = :userid");
+$result = $statement->execute(array('userid' => $userid));
+$user = $statement->fetch();
+ 
+//check if theres a code for the user delivered
+if($user === null || $user['actuvationcode'] === null) {
+ die('<div class="alert alert-danger" role="alert">
+ No User matching your request.</div>');
+}
+ 
+if($user['activationcode_time'] === null || strtotime($user['activationcode_time']) < (time()-24*3600) ) {
+ die('<div class="alert alert-danger" role="alert">
+ Ooops. This code isnt valid anymore.</div>');
+}
+ 
+ 
+
+if(sha1($code) != $user['activationcode']) {
+ die('<div class="alert alert-danger" role="alert">
+ Not the valid activationcode!</div>');
+}
+ 
+if(isset($_GET['send'])) {
+  $statement = $pdo->prepare("UPDATE users SET activated = 1, activationcode = NULL, activationcode_time = NULL WHERE id = :userid");
+ $result = $statement->execute(array('userid'=> $userid ));
+ 
+ if($result) {
+ die('Activated. Going to <a href="login.php">login</a> now.<meta http-equiv="refresh" content="1; URL=login.php">');
+ }
+}
+?>
+  <script src="ressources/js/bootstrap.min.js"></script>
+<h1>Activate your user</h1>
+<form action="?send=1&amp;userid=<?php echo htmlentities($userid); ?>&amp;code=<?php echo htmlentities($code); ?>" method="post">
+<div class="form-group">
+ <button type="submit" class="btn btn-success">Activate</button>
+</form>

activation.php

@@ -0,0 +1,82 @@
+<!DOCTYPE html> 
+<html> 
+<head>
+<link rel="stylesheet" href="ressources/css/bootstrap.min.css" crossorigin="anonymous">
+   
+  <title>Reset Password</title>    
+</head> 
+<body>
+<?php
+$pdo = new PDO('mysql:host=localhost;dbname=usertable', 'usertable', 'password');
+ 
+if(!isset($_GET['userid']) || !isset($_GET['code'])) {
+ die('<div class="alert alert-warning" role="alert">No code delivered. nothing to do here.</div>');
+}
+ 
+$userid = $_GET['userid'];
+$code = $_GET['code'];
+ 
+
+$statement = $pdo->prepare("SELECT * FROM users WHERE id = :userid");
+$result = $statement->execute(array('userid' => $userid));
+$user = $statement->fetch();
+ 
+//check if theres a code for the user delivered
+if($user === null || $user['passwordcode'] === null) {
+ die('<div class="alert alert-danger" role="alert">
+ No User matching your request.</div>');
+}
+ 
+if($user['passwordcode_time'] === null || strtotime($user['passwordcode_time']) < (time()-24*3600) ) {
+ die('<div class="alert alert-danger" role="alert">
+ Ooops. This code isnt valid anymore.</div>');
+}
+ 
+ 
+
+if(sha1($code) != $user['passwordcode']) {
+ die('<div class="alert alert-danger" role="alert">
+ Thats not your code. Naughty user!</div>');
+}
+ 
+
+ 
+if(isset($_GET['send'])) {
+ $password = $_POST['password'];
+ $password_confirm = $_POST['password_confirm'];
+  //regexes for passvalidation:
+    $REuppercase = preg_match('@[A-Z]@', $password);
+    $RElowercase = preg_match('@[a-z]@', $password);
+    $REnumber    = preg_match('@[0-9]@', $password);
+    $REspecialChars = preg_match('@[^\w]@', $password);
+ if($password != $password_confirm) {
+ echo "password or confirmed password wrong";
+ }
+ if(!$REuppercase || !$RElowercase || !$REnumber || !$REspecialChars || strlen($password) < 8) {
+    echo '<color="red">Password needs to be more complex.</color><br />';
+    echo '<i>Please implement at least 8 chars, upper & downer caser, one number & one special char.</i><br />';
+    $error = true;
+}  else { 
+ $passwordhash = password_hash($password, PASSWORD_DEFAULT);
+ $statement = $pdo->prepare("UPDATE users SET password = :passwordhash, passwordcode = NULL, passwordcode_time = NULL WHERE id = :userid");
+ $result = $statement->execute(array('passwordhash' => $passwordhash, 'userid'=> $userid ));
+ 
+ if($result) {
+ die('Changed password. Going to <a href="login.php">login</a> now.<meta http-equiv="refresh" content="1; URL=login.php">');
+ }
+ }
+}
+?>
+  <script src="ressources/js/bootstrap.min.js"></script>
+<h1>Set new password</h1>
+<form action="?send=1&amp;userid=<?php echo htmlentities($userid); ?>&amp;code=<?php echo htmlentities($code); ?>" method="post">
+<div class="form-group">
+<label for="password">New Password</label>
+<input type="password" id="password" class="form-control" name="password"><br><br>
+ </div>
+ <div class=form-group>
+ <label for="password_confirm">Confirm new Password</label>
+<input type="password" id="password" class="form-control" name="password_confirm"><br><br>
+ </div>
+ <button type="submit" class="btn btn-primary">Submit new password</button>
+</form>

login.php

@@ -17,6 +17,7 @@ if(isset($_GET['login'])) {
         $_SESSION['username'] = $user['username'];
         $_SESSION['givenName'] = $user['givenName'];
         $_SESSION['lastName'] = $user['lastName'];
+        $_SESSION['activated'] = $user['activated'];
         die('<div class="alert alert-success" role="alert"> successfull. go to: <a href="secure.php">secure page</a></div> <meta http-equiv="refresh" content="0; URL=secure.php">');
     } else {
         $errorMessage = '<div class="alert alert-danger" role="alert">somethings wrong (maybe wrong password or wrong user)</div><br>';

profile.php

@@ -17,6 +17,7 @@ $username = $_SESSION['username'];
 $useremail = $_SESSION['email'];
 $usergn = $_SESSION['givenName'];
 $userln = $_SESSION['lastName'];
+$activated = $_SESSION['activated'];
  
 echo '<div class="alert alert-info" role="alert">Profile of '.$username.'</div>';
 echo "<br/>";