Solved

User activation email

Posted on 2006-03-27
Last Modified: 2012-06-27
Hi,

I have a login page where a user may create a new account. When the account is created, I store the:

    username
    password
    email address

I'd like to then immediately send an email to the user's email address with a link embedded. When the user clicks the link, their account will be 'activated'. I'm not quite sure how to do this; I figure my user table should look something like:

username  |  password   |  email  |  activated
----------------------------------------------------------
test      |  something  |  test@  |  0 for no, 1 for yes

Now when the user clicks that link in the email I send them, it updates their record in the database, setting the activated field to a 1 for yes. Then they're allowed to log in. But how do I create this 'link' in the email which triggers the row update for the user?

Thanks!
Question by:minnirok
12 Comments
 
LVL 51

Expert Comment

by:Steve Bink
ID: 16302944
Say your validation page is called "emailvalidate.php".

//read the user info
$query = "SELECT * FROM usertable WHERE userid = <current user id>";
$result = mysql_query($query);
$row = mysql_fetch_assoc($result);

$emaillink = "<a href=\"emailvalidate.php?email=" . $row['emailaddress'];
$emailbody = "Click this link to validate:\n\n$emaillink";

mail(...
0
 
LVL 51

Expert Comment

by:Steve Bink
ID: 16302949
DOH...forgot to close the <a> tag and provide a link name, but should get the idea from there.
0
 
LVL 15

Accepted Solution

by:
Tomeeboy earned 2000 total points
ID: 16302972
Generate a unique activation key and add it to the query string of the link you put in their email.  Link to a php file that will check this key with the database and activate their account.

Useful code for generating a unique key:

$key = md5(uniqid(rand(),1));

Add this key to the database with their user info (or create a separate table for activations, if you don't want it cluttering up your primary user table).

Then build a url like:

$url = "http://www.yoursite.com/user.php?activate=1&key=" . $key;

In your php script:

if (!empty($_GET['activate']) && !empty($_GET['key'])) {
    // database query to check key and activate account
}
0
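The accepted answer's flow, as an added example that is not part of the original thread: the key comes from `random_bytes()` (PHP 7+) instead of `md5(uniqid(rand(),1))`, because `uniqid()` is derived from the clock and `rand()` is not a cryptographic generator. The `users` schema, the function names, the 24-hour lifetime and the in-memory SQLite database are assumptions made for the demo.

```php
<?php
declare(strict_types=1);

// Constructed schema for the demo; in-memory SQLite stands in for the real database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (
    id INTEGER PRIMARY KEY, email TEXT, activated INTEGER DEFAULT 0,
    token_hash TEXT, token_expires INTEGER)');
$db->exec("INSERT INTO users (email) VALUES ('test@example.com')");

// Issue a key: 32 bytes from the OS CSPRNG, hex-encoded for use in the URL.
// Only its SHA-256 hash is stored, so a leaked table does not yield usable links.
function issueToken(PDO $db, int $userId, int $ttl = 86400): string
{
    $token = bin2hex(random_bytes(32));
    $stmt = $db->prepare('UPDATE users SET token_hash = ?, token_expires = ? WHERE id = ?');
    $stmt->execute([hash('sha256', $token), time() + $ttl, $userId]);
    return $token;
}

// Activate: match the row by the hash of the submitted key, reject expired or
// already-activated rows, and clear the key so the link works only once.
function activate(PDO $db, string $token): bool
{
    if (!preg_match('/\A[0-9a-f]{64}\z/', $token)) {
        return false; // malformed input never reaches the database
    }
    $stmt = $db->prepare(
        'UPDATE users SET activated = 1, token_hash = NULL, token_expires = NULL
         WHERE token_hash = ? AND token_expires >= ? AND activated = 0');
    $stmt->execute([hash('sha256', $token), time()]);
    return $stmt->rowCount() === 1;
}

$token = issueToken($db, 1);
// Link for the email body; the host and path follow the answer's placeholder URL.
$url = 'https://www.yoursite.com/user.php?activate=1&key=' . $token;

var_dump(activate($db, str_repeat('0', 64))); // a well-formed but guessed key
var_dump(activate($db, $token));              // the key from the email
var_dump(activate($db, $token));              // the same link used a second time
```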
 
LVL 15

Expert Comment

by:Tomeeboy
ID: 16303012
Do not allow users to activate their account in the way that routinet posted.  It is not secure and somebody can easily figure out how to create accounts with fake emails and just change the url to activate each one of them.  You have to use a method where the only possible way somebody can activate the account is for them to have received the activation email (which means random activation key of some kind that they could not possibly guess or anticipate).
0
 
LVL 7

Author Comment

by:minnirok
ID: 16303154
Ahh ok I got it, looks awesome. One question though Tomeeboy:

    $key = md5(uniqid(rand(),1));

md5(), uniqid(), and rand() are all built in PHP functions? Will that combination guarantee that the secret activation key is unique? I'm just asking because if two people got the same activation key, I guess it would mess things up yeah?

Thanks
0
 
LVL 15

Expert Comment

by:Tomeeboy
ID: 16303339
Yeah, those are built in functions that should generate a unique key every time.  uniqid() uses the current time in microseconds to generate its value, and running that through MD5 encrypting makes it even more secure.  When you UPDATE the user info to activate the account, you could also clear the activation key if you wanted.
0
 
LVL 51

Expert Comment

by:Steve Bink
ID: 16303362
>>> Do not allow users to activate their account in the way that routinet posted.

I was posting regarding concept, not a strict methodology.  I would not recommend that exact method, either, for the same reasons.

For PHP functions, consult: http://www.php.net/manual/en/ (under section 6)
0
 
LVL 7

Author Comment

by:minnirok
ID: 16305065
So someone could still mess around with the method using the md5 generated key, if they sat there and tried typing in random strings of numbers, yeah? But the worst they could do would be to activate an account that has not been activated yet, right?

Is there a safer way even yet to approach this?

Thanks
0
 
LVL 15

Expert Comment

by:Tomeeboy
ID: 16305127
That method is pretty safe... the key generated by it would be VERY unpredictable.  I wouldn't worry about making it any more secure.
0
 
LVL 15

Expert Comment

by:Tomeeboy
ID: 16305160
In fact, it's the method PHP.net gives as an example on the page for uniqid():
http://www.php.net/uniqid
0
 
LVL 7

Author Comment

by:minnirok
ID: 16305162
Roger that, thanks! I am going to post another question in a moment about my web layout; if you don't mind taking a look, I'd appreciate it.
0
 
LVL 15

Expert Comment

by:Tomeeboy
ID: 16305258
Thanks, I'll keep an eye out for it ;)
0

Question has a verified solution.