User activation email


I have a login page where a user may create a new account. When the account is created, I store the:

    email address

I'd like to then immediately send an email to the user's email address with a link embedded. When the user clicks the link, their account will be 'activated'. I'm not quite sure how to do this, I figure my user table should look something like:

username  |  password   |  email  |  activated
test      |  something  |  test@  |  0 for no, 1 for yes

Now when the user clicks that link in the email I send them, it updates their record in the database setting the activated field to a 1 for yes. Then they're allowed to login. But how do I create this 'link' in the email which triggers the row update for the user?


Steve Bink Commented:
Say your validation page is called "emailvalidate.php".

//read the user info
$query = "SELECT * FROM usertable WHERE userid = <current user id>";
$result = mysql_query($query);
$row = mysql_fetch_assoc($result);

$emaillink = "<a href=\"emailvalidate.php?email=" . $row['emailaddress'];
$emailbody = "Click this link to validate:\n\n$emaillink";

Steve Bink Commented:
DOH...forgot to close the <a> tag and provide a link name, but should get the idea from there.

Generate a unique activation key and add it to the query string of the link you put in their email.  Link to a php file that will check this key with the database and activate their account.

Useful code for generating a unique key:

$key = md5(uniqid(rand(),1));

Add this key to the database with their user info (or create a separate table for activations, if you don't want it cluttering up your primary user table).

Then build a url like:

$url = "" . $key;

In your php script:

if (!empty($_GET['activate']) && !empty($_GET['key'])) {
    // database query to check key and activate account
}


Do not allow users to activate their account in the way that routinet posted.  It is not secure and somebody can easily figure out how to create accounts with fake emails and just change the url to activate each one of them.  You have to use a method where the only possible way somebody can activate the account is for them to have received the activation email (which means random activation key of some kind that they could not possibly guess or anticipate).
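
An added example (not code from any poster in this thread) of the requirement stated above, that activation must depend on a key only the e-mail recipient can know. It draws the key from PHP's random_bytes() instead of uniqid()/rand(), stores only its SHA-256 hash, and makes it expire and work once. The users table layout, the 24-hour lifetime and the example.com URL are assumptions.

```php
<?php
declare(strict_types=1);
// Added example: schema, lifetime and URL below are assumptions, not the thread's code.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (
    id INTEGER PRIMARY KEY, email TEXT UNIQUE, activated INTEGER DEFAULT 0,
    token_hash TEXT, token_expires INTEGER)');

// Registration: create the account and return the link to e-mail.
function register(PDO $db, string $email): string
{
    $token = bin2hex(random_bytes(32));          // 256 bits from the OS CSPRNG
    $stmt = $db->prepare('INSERT INTO users (email, token_hash, token_expires)
                          VALUES (?, ?, ?)');
    // Only a hash is stored, so a database leak does not expose usable links.
    $stmt->execute([$email, hash('sha256', $token), time() + 86400]);
    // The link carries the key only; no e-mail address or user id to tamper with.
    return 'https://example.com/activate.php?key=' . $token;
}

// Activation: called with $_GET['key'] from the e-mailed link.
function activate(PDO $db, string $key): bool
{
    if (!preg_match('/\A[0-9a-f]{64}\z/', $key)) {
        return false;                            // malformed key, skip the query
    }
    // One UPDATE: matches only an unexpired, unused token and clears it.
    $stmt = $db->prepare('UPDATE users
                             SET activated = 1, token_hash = NULL
                           WHERE token_hash = ? AND token_expires >= ?
                             AND activated = 0');
    $stmt->execute([hash('sha256', $key), time()]);
    return $stmt->rowCount() === 1;
}

// Constructed demo run against the in-memory database.
$link = register($db, 'test@example.com');
parse_str((string) parse_url($link, PHP_URL_QUERY), $query);
var_dump(activate($db, $query['key']));          // first click on the link
var_dump(activate($db, $query['key']));          // same link replayed
var_dump(activate($db, str_repeat('0', 64)));    // well-formed but guessed key
```

In production the login check would also refuse any account whose activated column is still 0, as the question describes.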
minnirok Author Commented:
Ahh ok I got it, looks awesome. One question though Tomeeboy:

    $key = md5(uniqid(rand(),1));

md5(), uniqid(), and rand() are all built in PHP functions? Will that combination guarantee that the secret activation key is unique? I'm just asking because if two people got the same activation key, I guess it would mess things up yeah?

Yeah, those are built in functions that should generate a unique key every time.  uniqid() uses the current time in microseconds to generate its value, and running that through MD5 encrypting makes it even more secure.  When you UPDATE the user info to activate the account, you could also clear the activation key if you wanted.
Steve Bink Commented:
>>> Do not allow users to activate their account in the way that routinet posted.

I was posting regarding concept, not a strict methodology.  I would not recommend that exact method, either, for the same reasons.

For PHP functions, consult: (under section 6)
minnirok Author Commented:
So someone could still mess around with the method using the md5 generated key, if they sat there and tried typing in random strings of numbers yeah? But the worst they could do would be to activate an account that has not been activated yet right?

Is there a safer way even yet to approach this?

That method is pretty safe... the key generated by it would be VERY unpredictable.  I wouldn't worry about making it any more secure.
In fact, it's the method given as an example on the page for uniqid():
minnirok Author Commented:
roger that, thanks! I am going to post another question in a moment about my web layout if you don't mind taking a look I'd appreciate it.
Thanks, I'll keep an eye out for it ;)