User activation email

Hi,

I have a login page where a user may create a new account. When the account is created, I store the:

    username
    password
    email address

I'd like to then immediately send an email to the user's email address with a link embedded. When the user clicks the link, their account will be 'activated'. I'm not quite sure how to do this; I figure my user table should look something like:

username | password  | email | activated
---------|-----------|-------|--------------------
test     | something | test@ | 0 for no, 1 for yes

Now when the user clicks that link in the email I send them, it updates their record in the database, setting the activated field to a 1 for yes. Then they're allowed to log in. But how do I create this 'link' in the email which triggers the row update for the user?

Thanks!
minnirok Asked:
 
Tomeeboy Commented:
Generate a unique activation key and add it to the query string of the link you put in their email.  Link to a php file that will check this key with the database and activate their account.

Useful code for generating a unique key:

$key = md5(uniqid(rand(),1));

Add this key to the database with their user info (or create a separate table for activations, if you don't want it cluttering up your primary user table).

Then build a url like:

$url = "http://www.yoursite.com/user.php?activate=1&key=" . $key;

In your php script:

if (!empty($_GET['activate']) && !empty($_GET['key'])) {
    // database query to check key and activate account
}
0
 
Steve Bink Commented:
Say your validation page is called "emailvalidate.php".

//read the user info
$query = "SELECT * FROM usertable WHERE userid = <current user id>";
$result = mysql_query($query);
$row = mysql_fetch_assoc($result);

$emaillink = "<a href=\"emailvalidate.php?email=" . $row['emailaddress'];
$emailbody = "Click this link to validate:\n\n$emaillink";

mail(...
0
 
Steve Bink Commented:
DOH...forgot to close the <a> tag and provide a link name, but should get the idea from there.
0
 
Tomeeboy Commented:
Do not allow users to activate their account in the way that routinet posted.  It is not secure and somebody can easily figure out how to create accounts with fake emails and just change the url to activate each one of them.  You have to use a method where the only possible way somebody can activate the account is for them to have received the activation email (which means random activation key of some kind that they could not possibly guess or anticipate).
0
 
minnirok (Author) Commented:
Ahh ok I got it, looks awesome. One question though Tomeeboy:

    $key = md5(uniqid(rand(),1));

md5(), uniqid(), and rand() are all built-in PHP functions? Will that combination guarantee that the secret activation key is unique? I'm just asking because if two people got the same activation key, I guess it would mess things up, yeah?

Thanks
0
 
Tomeeboy Commented:
Yeah, those are built-in functions that should generate a unique key every time.  uniqid() uses the current time in microseconds to generate its value, and running that through MD5 encrypting makes it even more secure.  When you UPDATE the user info to activate the account, you could also clear the activation key if you wanted.
0
 
Steve Bink Commented:
>>> Do not allow users to activate their account in the way that routinet posted.

I was posting regarding concept, not a strict methodology.  I would not recommend that exact method, either, for the same reasons.

For PHP functions, consult: http://www.php.net/manual/en/ (under section 6)
0
 
minnirok (Author) Commented:
So someone could still mess around with the method using the md5 generated key, if they sat there and tried typing in random strings of numbers, yeah? But the worst they could do would be to activate an account that has not been activated yet, right?

Is there a safer way even yet to approach this?

Thanks
0
 
Tomeeboy Commented:
That method is pretty safe... the key generated by it would be VERY unpredictable.  I wouldn't worry about making it any more secure.
0
 
Tomeeboy Commented:
In fact, it's the method PHP.net gives as an example on the page for uniqid():
http://www.php.net/uniqid
0
 
minnirok (Author) Commented:
Roger that, thanks! I am going to post another question in a moment about my web layout; if you don't mind taking a look, I'd appreciate it.
0
 
Tomeeboy Commented:
Thanks, I'll keep an eye out for it ;)
0
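
The activation flow discussed in this thread, as an added example that is not part of any participant's post. It swaps md5(uniqid(rand(),1)) for a key drawn from random_bytes(), stores only a SHA-256 hash of the key, and makes the link expiring and single-use. The table layout, function names, 24-hour lifetime and example.com URL are assumptions.

```php
<?php
// Added example: schema, function names and lifetime are assumptions, not from the thread.
declare(strict_types=1);

const ACTIVATION_TTL = 86400; // assumed 24-hour lifetime for an activation link

function createActivation(PDO $db, int $userId): string
{
    $token = bin2hex(random_bytes(32)); // 256 bits from the OS CSPRNG
    $stmt = $db->prepare(
        'UPDATE users SET key_hash = ?, key_expires = ? WHERE id = ?'
    );
    // Store only a hash, so a leaked table does not hand out working links.
    $stmt->execute([hash('sha256', $token), time() + ACTIVATION_TTL, $userId]);
    return $token; // the plain key exists only in the emailed URL
}

function activate(PDO $db, string $token): bool
{
    if (!preg_match('/\A[0-9a-f]{64}\z/', $token)) {
        return false; // malformed key: reject without touching the database
    }
    // One atomic UPDATE: it matches only a pending, unexpired key and clears
    // the key in the same statement, so a link cannot be replayed.
    $stmt = $db->prepare(
        'UPDATE users SET activated = 1, key_hash = NULL, key_expires = NULL
          WHERE activated = 0 AND key_hash = ? AND key_expires >= ?'
    );
    $stmt->execute([hash('sha256', $token), time()]);
    return $stmt->rowCount() === 1;
}

// Constructed demo data in an in-memory SQLite database (needs pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT,
           activated INTEGER DEFAULT 0, key_hash TEXT, key_expires INTEGER)');
$db->exec("INSERT INTO users (username, email) VALUES ('test', 'test@example.com')");

$token = createActivation($db, 1);
echo 'https://www.example.com/user.php?activate=1&key=' . $token, PHP_EOL;

var_dump(activate($db, str_repeat('0', 64))); // a guessed key
var_dump(activate($db, $token));              // the key from the email
var_dump(activate($db, $token));              // the same key presented again
```

In the user.php handler from the thread, the value of `$_GET['key']` is what would be passed to `activate()`.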
Question has a verified solution.
