User activation email

minnirok asked
Last Modified: 2012-06-27
Hi,

I have a login page where a user may create a new account. When the account is created, I store the:

    username
    password
    email address

I'd like to then immediately send an email to the user's email address with a link embedded. When the user clicks the link, their account will be 'activated'. I'm not quite sure how to do this, I figure my user table should look something like:

username  |  password   |  email  |  activated
-----------------------------------------------------
test      |  something  |  test@  |  0  for no, 1 for yes

Now when the user clicks that link in the email I send them, it updates their record in the database setting the activated field to a 1 for yes. Then they're allowed to login. But how do I create this 'link' in the email which triggers the row update for the user?

Thanks!

CERTIFIED EXPERT
Top Expert 2004

Commented:
Say your validation page is called "emailvalidate.php".

    //read the user info
    $query = "SELECT * FROM usertable WHERE userid = <current user id>";
    $result = mysql_query($query);
    $row = mysql_fetch_assoc($result);

    $emaillink = "<a href=\"emailvalidate.php?email=" . $row['emailaddress'];
    $emailbody = "Click this link to validate:\n\n$emaillink";

    mail(...
CERTIFIED EXPERT
Top Expert 2004

Commented:
DOH...forgot to close the <a> tag and provide a link name, but should get the idea from there.
CERTIFIED EXPERT
Commented:
Generate a unique activation key and add it to the query string of the link you put in their email.  Link to a php file that will check this key with the database and activate their account.

Useful code for generating a unique key:

    $key = md5(uniqid(rand(),1));

Add this key to the database with their user info (or create a separate table for activations, if you don't want it cluttering up your primary user table).

Then build a url like:

    $url = "http://www.yoursite.com/user.php?activate=1&key=" . $key;

In your php script:

    if (!empty($_GET['activate']) && !empty($_GET['key'])) {
        // database query to check key and activate account
    }

CERTIFIED EXPERT

Commented:
Do not allow users to activate their account in the way that routinet posted.  It is not secure and somebody can easily figure out how to create accounts with fake emails and just change the url to activate each one of them.  You have to use a method where the only possible way somebody can activate the account is for them to have received the activation email (which means random activation key of some kind that they could not possibly guess or anticipate).
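
The key-based activation flow from the answers above, as an added example that is not code from this thread. It assumes a `users` table with hypothetical `token_hash` and `token_expires` columns and a 24-hour lifetime, and it draws the key from `random_bytes()` rather than `md5(uniqid(rand(),1))`, because the PHP manual states that `uniqid()` values must not be relied on to be unguessable.

```php
<?php
declare(strict_types=1);

// Constructed schema in an in-memory SQLite database so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (
    id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT, email TEXT,
    activated INTEGER NOT NULL DEFAULT 0, token_hash TEXT, token_expires INTEGER)');

// Create the account and return the one-time token to embed in the e-mail link.
function register(PDO $db, string $user, string $pass, string $email): string
{
    $token = bin2hex(random_bytes(32));            // 256 bits from the OS CSPRNG
    $stmt = $db->prepare('INSERT INTO users
        (username, password, email, token_hash, token_expires) VALUES (?, ?, ?, ?, ?)');
    $stmt->execute([$user, password_hash($pass, PASSWORD_DEFAULT), $email,
        hash('sha256', $token),                    // only the hash is stored
        time() + 86400]);                          // assumed 24-hour lifetime
    return $token;
}

// Activate the account matching the token; true only on the first valid use.
function activate(PDO $db, string $token): bool
{
    if (!preg_match('/\A[0-9a-f]{64}\z/', $token)) {
        return false;                              // reject malformed input early
    }
    // One conditional UPDATE does lookup, expiry check and token invalidation,
    // so a replayed or concurrent request cannot activate a second time.
    $stmt = $db->prepare('UPDATE users
        SET activated = 1, token_hash = NULL, token_expires = NULL
        WHERE token_hash = ? AND activated = 0 AND token_expires >= ?');
    $stmt->execute([hash('sha256', $token), time()]);
    return $stmt->rowCount() === 1;
}

// Constructed sample account; example.com stands in for the real site.
$token = register($db, 'test', 'something', 'test@example.com');
$url = 'https://www.example.com/user.php?activate=1&key=' . urlencode($token);
echo $url, "\n";
var_dump(activate($db, str_repeat('0', 64)));      // a guessed key
var_dump(activate($db, $token));                   // the key from the e-mail
var_dump(activate($db, $token));                   // the same key replayed
```

Storing only the SHA-256 of the token means a leaked copy of the table does not hand out working activation links, and the login check should additionally refuse accounts where `activated` is still 0.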

Author

Commented:
Ahh ok I got it, looks awesome. One question though Tomeeboy:

    $key = md5(uniqid(rand(),1));

md5(), uniqid(), and rand() are all built in PHP functions? Will that combination guarantee that the secret activation key is unique? I'm just asking because if two people got the same activation key, I guess it would mess things up yeah?

Thanks
CERTIFIED EXPERT

Commented:
Yeah, those are built in functions that should generate a unique key every time.  uniqid() uses the current time in microseconds to generate its value, and running that through MD5 encrypting makes it even more secure.  When you UPDATE the user info to activate the account, you could also clear the activation key if you wanted.
CERTIFIED EXPERT
Top Expert 2004

Commented:
>>> Do not allow users to activate their account in the way that routinet posted.

I was posting regarding concept, not a strict methodology.  I would not recommend that exact method, either, for the same reasons.

For PHP functions, consult: http://www.php.net/manual/en/ (under section 6)

Author

Commented:
So someone could still mess around with the method using the md5 generated key, if they sat there and tried typing in random strings of numbers yeah? But the worst they could do would be to activate an account that has not been activated yet right?

Is there a safer way even yet to approach this?

Thanks
CERTIFIED EXPERT

Commented:
That method is pretty safe... the key generated by it would be VERY unpredictable.  I wouldn't worry about making it any more secure.
CERTIFIED EXPERT

Commented:
In fact, it's the method PHP.net gives as an example on the page for uniqid():
http://www.php.net/uniqid

Author

Commented:
roger that, thanks! I am going to post another question in a moment about my web layout if you don't mind taking a look I'd appreciate it.
CERTIFIED EXPERT

Commented:
Thanks, I'll keep an eye out for it ;)