
Email a user an activation link


astralaaron


W3Schools actually has a nice tutorial on sending emails with PHP (http://w3schools.com/php/php_mail.asp). Basically just send an email to a person when they sign up. You can do the actual link simply enough by using a $_GET statement. An example would be like p=32532646361. Then just make sure that p is equal to the right number and if it is, change a column in a database for the user from 0 to 1, allowing them access. You can make this more complicated and probably a lot more secure/efficient, but that's an easy and logical way to do it.


Take a look at the tutorial Truly tipped about. In your user table you need one extra field: activation as INT. Then on registration you send a mail to the user's email address containing a link like this:

http://yoursite.com/?page=useractivation&user=[username or id]&num=[random int]

You can get the user id by using mysql_insert_id(), or you just use the username (it's basically a matter of taste...). You can get the random integer using rand(); make sure you store the same number in the db. When the user goes to that URL you check the id or username and the number to make sure it's the same as you have stored in the db. Then you have two options (the security makes no big difference in this case as you don't log in the user automatically):

  1. Activate the account and let the user login (easiest, less secure)
  2. Let the user enter their password and then activate the account and let the user login (a bit more difficult, more secure)

When you activate the user just update the table and set the activation field to 0 (0 == no need for activation or activation done). You would of course need to check the activation field when the user tries to login; if the user hasn't activated his account you can't let them login. Then there are some extensions you could do:

  • Remove accounts that haven't been activated within 30 days after the creation (if you don't already have it, you need a field in the table to store the creation date [and maybe one for last login...])
  • Force users to re-activate their accounts if it has been more than a month since they last logged in
  • Force a re-activation when the user requests a new password
  • etc

Good Luck and Don't Panic! ;?)


Doesn't MySQL also allow fields to have boolean values? I think using that instead of integer would reduce memory consumption a lot.


It does, but then you don't have a real good "activation script". The idea with using an integer is that you match the stored integer with the one provided in the URL to make sure that it's the right user. One option would perhaps be to use a boolean in the table instead of an integer and ask for the password on activation... Then you could ask how big the difference between using a boolean instead of an integer is when it comes to memory consumption (in this case) (I don't know..)


I don't think there is a difference between boolean and integer unless you are using numbers > 9. Then the only difference is that the boolean is 4 or more bytes less. (That's using regular ASCII text, 4 bytes per character.) So it's all a matter of space for the activation id. Also, do you really need the user name? Why not just the id? It's not like anyone but you knows the id of users.


I also think the use of id is better than username, but I included both ways, so astralaaron, or whoever else finds this thread useful, can choose the one they prefer...


A boolean takes 1 bit. You can choose how many bits you want the integer field to be, but usually at least 16. I prefer to generate a hash, from md5 or sha1 or something, store the hash in the database with the user, and send a link with only the hash on it:

activate.php?code=<hash>

Then the page will first check the hash to make sure it's not empty and then escape it, and update rows in the database where the hash equals whatever it is. You can also remove the hash from the database, so it won't take any space at all. You don't even need a username and password. If you're worried about security, use a longer hash. But the chances of someone activating their account without clicking on the link if you have a sha1 hash are very small, due to the fact that there are 1.4615e+48 possible values for sha1. You can also just do a check on the activate page when the last attempt to activate was to avoid brute force attacks.
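The token-in-the-link approach discussed in this thread, as an added example that is not from any poster: a random token goes into the email link, only its hash is stored, and activation is a single guarded UPDATE with an expiry and one-time use. The users table, column names and the activate.php URL are assumptions; the SQLite in-memory database stands in for the real MySQL table.

```php
<?php
// Added example: activation link with a random token, hashed at rest.
// Table layout and URL below are assumptions, not from the thread.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    email TEXT NOT NULL UNIQUE,
    activated INTEGER NOT NULL DEFAULT 0,
    activation_hash TEXT,
    activation_expires INTEGER)');

// On registration: insert the row, make a 128-bit random token, store only its hash.
function registerUser(PDO $db, string $email): string
{
    $token = bin2hex(random_bytes(16));          // CSPRNG, not rand(); this goes in the email
    $stmt = $db->prepare('INSERT INTO users (email, activation_hash, activation_expires)
                          VALUES (:email, :hash, :exp)');
    $stmt->execute([
        ':email' => $email,
        ':hash'  => hash('sha256', $token),      // a leaked table does not yield working links
        ':exp'   => time() + 24 * 3600,          // link valid for one day
    ]);
    return $token;
}

// On activate.php?code=...: validate shape, match by hash, require unexpired and unused.
function activateUser(PDO $db, string $code): bool
{
    if (!preg_match('/^[0-9a-f]{32}$/', $code)) {  // reject malformed input before the query
        return false;
    }
    $stmt = $db->prepare('UPDATE users
                          SET activated = 1, activation_hash = NULL, activation_expires = NULL
                          WHERE activation_hash = :hash AND activated = 0
                            AND activation_expires > :now');
    $stmt->execute([':hash' => hash('sha256', $code), ':now' => time()]);
    return $stmt->rowCount() === 1;                // exactly one row flipped: success
}

// Constructed usage: register, build the link, then try a bad code, the real one, and a replay.
$token = registerUser($db, 'user@example.com');
$link  = 'https://yoursite.example/activate.php?code=' . $token;
var_dump(activateUser($db, 'not-a-token'));
var_dump(activateUser($db, $token));
var_dump(activateUser($db, $token));
```

Clearing activation_hash in the same UPDATE makes the link single-use, and the expiry column covers the "remove unactivated accounts after N days" extension suggested earlier in the thread.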

