Jump to content

Email a user an activation link


astralaaron
 Share

Recommended Posts

W3Schools actually has a nice tutorial on sending emails with php (http://w3schools.com/php/php_mail.asp). Basically just send an email to a person when they sign up. You can do the actual link simply enough by using a $GET statement. example would be like p=32532646361. Then just make sure that p is equal to the right number and if it is change a column in a database for the user from 0 to 1 allowing them access.You can make this more complicated and problably a lot more secure/efficient but thats an easy and logical way to do it.

Link to comment
Share on other sites

Take a look at the tutorial Truly tipped about.In your user-table you need one extra field: activation as INTThen on registration you send a mail to the users email-address containing a link like this:

http://yoursite.com/?page=useractivation&user=[username or id]&num=[random int]

the user id can you get by using mysql_insert_id() or you just use the username (it's basically a mather of taste...)the random integer can you get using rand(), make sure you store the same number in the db.When the user goes to that URL you check the id or username and the number to make sure it's the same as you have stored in the db.Then you have two options (the security makes no big diff. in this case as you don't login the user by automatic):

  1. Activate the account and let the user login (easiest, less secure)
  2. Let the user enter their password and then activate the account and let the user login (abit more difficult, more secure)

When you activate the user just update the table and set the activation field to 0 (0 == No need for activation or activation done).You would ofcourse need to check the activation field when the user tries to login, if the user hasn't activate his account you can't let them login.Then there's some extensions you could do:

  • Remove accounts that hasn't been activated within 30 days after the creation (if you don't already have it, you need a field in the table to store the creation date [and maybe one for lastlogin...])
  • Force users to re-activate their accounts if it was more than a month they last logged in
  • Force a re-activation when the user request a new password
  • etc

Good Luck and Don't Panic! ;?)

Link to comment
Share on other sites

Doesn't MySQL also allow fields to have boolean values? I think using that instead of integer would reduce memory consumption a lot.

Link to comment
Share on other sites

It does, but then you don't have real good "activation script".The idea with using an integer is that you match the stored integer with the one provided with the URL to make sure that it's the right user.One option would perhpas be to use boolean in the table instead of an integer and ask for password o activation...Then you could ask how big the difference using a boolean instead of an integer is when it comes to memory consuption (in this case) (I don't know..)

Link to comment
Share on other sites

I dont think there is a difference in boolean and integer unless you are using numbers > 9. Then the only difference is that the boolean is 4 or more bytes less. (thats using regular Ascii text, 4 bytes per character) So its all a matter of space for the activation id. Also, do you really need the user name? Why not just the id, its not like anyone but you knows the id of users.

Link to comment
Share on other sites

I also think the use of id is better than username, but I included both ways, so astralaaron, or who ever else finds this thread usefull, can choose the one they preffer...

Link to comment
Share on other sites

A boolean takes 1 bit. You can choose how many bits you want the integer field to be, but usually at least 16. I prefer to generate a hash, from md5 or sha1 or something, store the hash in the database with the user, and send a link with only the hash on it:activate.php?code=<hash>Then the page will first check the hash to make sure its not empty and then escape it, and update rows in the database where the hash equals whatever it is. You can also remove the hash from the database, so it won't take any space at all. You don't even need a username and password. If you're worried about security, use a longer hash. But the chances of someone activating their account without clicking on the link if you have a sha1 hash are very small, due to the fact that there are 1.4615e+48 possible values for sha1. You can also just do a check on the activate page when the last attempt to activate was to avoid brute force attacks.

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

×
×
  • Create New...