Confirming Account Activation From Email?

Hi,

I have a piece of code for a registration script which appears to be working fine. It inserts the name, email address and password into the database. It also forwards an email to the submitted email address. However, I now need to insert a character into the database from the email address to authorise the email (quite standard).

However, I am completely stuck on how to use the link in the email to activate the account. Should I do it on the page that sends the email or on the link that is sent in the email?

<?php
session_start(); // needed before $_SESSION can be used
$_SESSION['userLoggedIn'] = 0;
$_SESSION['userEmail'] = '';
$_SESSION['userID'] = '';

// Reset errors and success messages
$errors = array();
$success = array();

// Register attempt
if(isset($_POST['registerSubmit']) && $_POST['registerSubmit'] == 'true'){
    $firstname = mysql_real_escape_string(trim($_POST['firstname']));
    $surname = mysql_real_escape_string(trim($_POST['surname']));
    $registerEmail = trim($_POST['email']);
    $registerPassword = trim($_POST['password']);
    $registerConfirmPassword = trim($_POST['confirmPassword']);

    if(empty($firstname)) {
        $errors['firstname'] = "Please enter your First Name.";
    }

    if(empty($surname)) {
        $errors['surname'] = "Please enter your Surname.";
    }

    $email = $registerEmail;
    if(!filter_var($email, FILTER_VALIDATE_EMAIL)) {
        $errors['falseEmail'] = "Please enter your email address in a valid format.  Example: bobsmith@companyname.com";
    }

    if(strlen($registerPassword) < 6 || strlen($registerPassword) > 12)
        $errors['registerPassword'] = 'Your password must be between 6-12 characters.';

    if($registerPassword != $registerConfirmPassword)
        $errors['registerConfirmPassword'] = 'Your passwords did not match.';

    if(strlen($registerConfirmPassword) < 6 || strlen($registerConfirmPassword) > 12)
        $errors['registerConfirmPassword'] = 'Please confirm your password.';

    // Duplicate check must run BEFORE the INSERT (the original ran it afterwards,
    // when the freshly inserted row would always match). The value is escaped so
    // the email address cannot alter the query.
    if(!$errors){
        $escapedEmail = mysql_real_escape_string($registerEmail);
        $query = mysql_query("SELECT * FROM users WHERE email = '" . $escapedEmail . "'");
        if(mysql_num_rows($query) > 0) {
            $errors['emailduplicate'] = 'Email Address is Already in Use.  Please <a href="http://www.website.com/test/retrieve.php">Retrieve Your Password</a>.';
        }
    }

    if(!$errors){
        // md5 is kept from the original; password_hash() is the modern replacement
        $registerPassword = md5($registerPassword);
        $query = "INSERT INTO users (firstname, surname, email, password, date_registered) VALUES ('" . $firstname . "', '" . $surname . "', '" . $escapedEmail . "', '" . $registerPassword . "', NOW())";

        $result = mysql_query($query); // add "or die(mysql_error())" while debugging
        if($result){
            $success['register'] = '<p>Thank you for registering with Website.com.</p>
            <p>You will soon receive a confirmation email.  Please click the confirmation link.</p>';

            // The activation link still carries a placeholder value; this is the
            // part the question is about.
            $message = '
<html>
<body>
<p>Welcome to Website.com</p>
<a href="http://www.website.com/test/activation.php?activation=Y">Click Here</a> to activate your account.
</body>
</html>
';

            // Recipient is the raw address (SQL escaping does not belong in mail()).
            // Headers are separated by CRLF.
            $headers = 'From: info@website.com' . "\r\n" .
                       'MIME-Version: 1.0' . "\r\n" .
                       'Content-type: text/html; charset=iso-8859-1' . "\r\n";
            mail($registerEmail, 'Website.com Confirmation', $message, $headers);
        }
    }
}
?>

My approach would be to generate a random hash string upon registering account and marking the account as pending activation. Also a good idea to store those activation hashes in separate table. Then use the hash string in activation link, which is emailed to user. When user clicks activation link, validate and delete the hash and mark corresponding account as activated.

Thanks, but I don't know how to communicate with the database when someone clicks on the link. I don't know how to insert the hash into the database.

Should I use the insert code on the page that sends the email or on the activation.php page which the link points to?

www.website.com/activation.php?=randomhash

The hash has to be saved into the database before sending it to the user. You insert the hash into the database the same way you insert users in your code.
To handle the link in activation.php, use $_GET['activation_hash'] to access the hash variable, if the link in the email is website.com/activation.php?activation_hash=123
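The flow described in the two replies above (generate a random token at registration, store it with the pending account, then match and delete it in activation.php), as an added example that is not the poster's code. It uses PDO with an in-memory SQLite database so it runs on its own; the table and column names, the 24-hour expiry and the pdo_sqlite extension are assumptions.

```php
<?php
// Added example: token-based account activation. Only a SHA-256 hash of the
// token is stored, so a copy of the table does not yield working links.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE,
           password_hash TEXT, activated INTEGER NOT NULL DEFAULT 0)');
$db->exec('CREATE TABLE activation_tokens (user_id INTEGER, token_hash TEXT UNIQUE,
           expires_at INTEGER)');

// Registration page: two inserts (pending user + token), then the link to email.
function registerPending(PDO $db, string $email, string $password): string {
    $db->beginTransaction();
    $db->prepare('INSERT INTO users (email, password_hash) VALUES (?, ?)')
       ->execute([$email, password_hash($password, PASSWORD_DEFAULT)]);
    $userId = (int)$db->lastInsertId();
    $token = bin2hex(random_bytes(32));                 // 256-bit CSPRNG token
    $db->prepare('INSERT INTO activation_tokens VALUES (?, ?, ?)')
       ->execute([$userId, hash('sha256', $token), time() + 86400]);
    $db->commit();
    return 'http://www.website.com/test/activation.php?activation_hash=' . urlencode($token);
}

// activation.php: look the token up by its hash, reject unknown or expired
// ones, flip the flag and delete the token so the link is single-use.
function activate(PDO $db, string $token): bool {
    $tokenHash = hash('sha256', $token);
    $stmt = $db->prepare('SELECT user_id, expires_at FROM activation_tokens WHERE token_hash = ?');
    $stmt->execute([$tokenHash]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || $row['expires_at'] < time()) {
        return false;
    }
    $db->beginTransaction();
    $db->prepare('UPDATE users SET activated = 1 WHERE id = ?')->execute([$row['user_id']]);
    $db->prepare('DELETE FROM activation_tokens WHERE token_hash = ?')->execute([$tokenHash]);
    $db->commit();
    return true;
}

// Constructed walk-through: register, then simulate the click on activation.php
// by parsing the query string the way $_GET would.
$link = registerPending($db, 'bobsmith@companyname.com', 'correct horse battery');
parse_str((string)parse_url($link, PHP_URL_QUERY), $params);
var_dump(activate($db, $params['activation_hash']));  // first click activates
var_dump(activate($db, $params['activation_hash']));  // token already deleted, rejected
```

The same two functions answer the "two inserts or one" question: registration does both inserts in one transaction, and activation.php does no insert at all, only a lookup, an update and a delete.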

So, on the page that sends the link, does this send the hash to the database and the email to the user?

When someone clicks on the link does the activation.php send (and match) the activation hash to the database?

So I am doing two inserts or just one?