minnirok

User activation email

Hi,

I have a login page where a user may create a new account. When the account is created, I store the:

    username
    password
    email address

I'd like to then immediately send an email to the user's email address with a link embedded. When the user clicks the link, their account will be 'activated'. I'm not quite sure how to do this; I figure my user table should look something like:

username | password  | email | activated
-----------------------------------------------
test     | something | test@ | 0 for no, 1 for yes

Now when the user clicks that link in the email I send them, it updates their record in the database, setting the activated field to a 1 for yes. Then they're allowed to log in. But how do I create this 'link' in the email which triggers the row update for the user?

Thanks!
Steve Bink

Say your validation page is called "emailvalidate.php".

    //read the user info
    $query = "SELECT * FROM usertable WHERE userid = <current user id>";
    $result = mysql_query($query);
    $row = mysql_fetch_assoc($result);

    $emaillink = "<a href=\"emailvalidate.php?email=" . $row['emailaddress'];
    $emailbody = "Click this link to validate:\n\n$emaillink";

    mail(...
DOH...forgot to close the <a> tag and provide a link name, but should get the idea from there.
ASKER CERTIFIED SOLUTION
Tomeeboy
This solution is only available to members.
Do not allow users to activate their account in the way that routinet posted.  It is not secure and somebody can easily figure out how to create accounts with fake emails and just change the url to activate each one of them.  You have to use a method where the only possible way somebody can activate the account is for them to have received the activation email (which means random activation key of some kind that they could not possibly guess or anticipate).
minnirok

ASKER

Ahh ok I got it, looks awesome. One question though Tomeeboy:

    $key = md5(uniqid(rand(),1));

md5(), uniqid(), and rand() are all built-in PHP functions? Will that combination guarantee that the secret activation key is unique? I'm just asking because if two people got the same activation key, I guess it would mess things up, yeah?

Thanks
Yeah, those are built-in functions that should generate a unique key every time. uniqid() uses the current time in microseconds to generate its value, and running that through MD5 encrypting makes it even more secure. When you UPDATE the user info to activate the account, you could also clear the activation key if you wanted.
>>> Do not allow users to activate their account in the way that routinet posted.

I was posting regarding concept, not a strict methodology.  I would not recommend that exact method, either, for the same reasons.

For PHP functions, consult: http://www.php.net/manual/en/ (under section 6)
So someone could still mess around with the method using the md5 generated key, if they sat there and tried typing in random strings of numbers, yeah? But the worst they could do would be to activate an account that has not been activated yet, right?

Is there a safer way even yet to approach this?

Thanks
That method is pretty safe... the key generated by it would be VERY unpredictable.  I wouldn't worry about making it any more secure.
In fact, it's the method PHP.net gives as an example on the page for uniqid():
http://www.php.net/uniqid
Roger that, thanks! I am going to post another question in a moment about my web layout. If you don't mind taking a look, I'd appreciate it.
Thanks, I'll keep an eye out for it ;)
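
The activation flow discussed in this thread, as an added example that is not code from any poster: the key comes from PHP's CSPRNG `random_bytes()` rather than `md5(uniqid(rand(),1))`, because `uniqid()` is derived from the current time and the PHP manual states it must not be used where values need to be unguessable. The table and column names, the `example.com` URL, the 24-hour expiry and the in-memory SQLite database are assumptions made so the script runs stand-alone.

```php
<?php
// Added example. Table/column names, the URL, the expiry window and the
// in-memory SQLite database are assumptions, not from the thread.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (
    username TEXT PRIMARY KEY, password TEXT, email TEXT,
    activated INTEGER DEFAULT 0, key_hash TEXT, key_expires INTEGER)');

// Registration: store only a hash of the key and return the link to e-mail.
function register(PDO $db, string $user, string $pass, string $email): string
{
    $key = bin2hex(random_bytes(32));          // 256 bits from the OS CSPRNG
    $stmt = $db->prepare('INSERT INTO users
        (username, password, email, key_hash, key_expires)
        VALUES (?, ?, ?, ?, ?)');
    $stmt->execute([$user, password_hash($pass, PASSWORD_DEFAULT), $email,
                    hash('sha256', $key), time() + 86400]);
    return 'https://example.com/emailvalidate.php?key=' . $key;
}

// emailvalidate.php logic: the key alone selects the row, so no e-mail
// address or user id appears in the URL for a visitor to change.
function activate(PDO $db, string $key): bool
{
    if (!preg_match('/^[0-9a-f]{64}$/', $key)) {
        return false;                          // malformed input
    }
    // One UPDATE activates the account, clears the key (single use) and
    // skips expired or already-used keys.
    $stmt = $db->prepare('UPDATE users
        SET activated = 1, key_hash = NULL, key_expires = NULL
        WHERE key_hash = ? AND key_expires > ? AND activated = 0');
    $stmt->execute([hash('sha256', $key), time()]);
    return $stmt->rowCount() === 1;
}

// Constructed sample data.
$link = register($db, 'test', 'something', 'test@example.com');
parse_str(parse_url($link, PHP_URL_QUERY), $q);

var_dump(activate($db, str_repeat('0', 64)));  // a guessed key
var_dump(activate($db, $q['key']));            // the key from the e-mail
var_dump(activate($db, $q['key']));            // replay of the same key
```

Storing only the SHA-256 of the key means a read of the users table does not reveal usable activation links.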