Double opt-in Email Verification

[Cronthenoob]

I've been googleing this for a good half hour.Anybody have any tutorials on creating a double opt-in email verification system?Or suggestions on another good way to verify an email address.

[aspnetguy]

what is a double opt-in email verification system?

[Cronthenoob]

When the user submits the form it sends an email to the email they supplied.The email contains a link that changes a field in the database that says that users account is verified, allowing the user to log in.Don't know if thats the real name for it, thats just what I found when i searched for it in google.

[aspnetguy]

okay that is just a basic email verification registration...not sure if that is what ot os called either but that is what I call it.So what you need is to have a field in your db (user account table) that is Activated (true/false) and another field that stores the activation codeWhen they register it is set to false and an email is send to them with an activation code (randomly generated). The link in the email should go to a form that allows them to input the activation code. If the code they enter matches the one in their account record then change the false to true

[Cronthenoob]

I don't want the user to have to type in anything, just click a link and get verified.I'm just trying to organize my thoughts here. . .I need to 1.)create a field in my database called verified_email and set the default to false2.)create a field in my database to store a random numberWhen a user clicks to submit the form I need to:1.)generate a random number.2.)Send the random number to the database for that username.3.)Generate an email with a link that contains the username and the randomly generated number.When a user clicks on the email link:1.)Goes to a page that takes the random number and username from the link, matches it to whats in the database, and changes verified_email from false to true.Ok thats what I think I need to get done.Time to go home for the day, guess I have the weekend to think it some more.

[reportingsjr]

Ok, easy enough!submit.php (form already submitted)

......$randomcode = rand(10000,100000);$query= "INSERT INTO `users` VALUES (....'{$randomcode}'.....)";.........$to = $_POST['email'];$email = "This is an email from you.com verifying that this is a real email account and to make sure you havent used a bot to register. To complete your registration please click the following link (AOL users may have to copy and paste this link into the address bar):<a href="http://you.com/verify.php?code={$randomcode}">http://you.com/verify.php?code={$randomcode}</a>"$email = wordwrap($email, 70);$headers  = 'MIME-Version: 1.0' . "\r\n";$headers .= 'Content-type: text/html; charset=iso-8859-1' . "\r\n";$headers .= "From: mer@you.com' . "\r\n......mail($to, 'you.com registration', $email, $headers);

Now on verify.php just do this:

$query = "SELECt * FROM `users` WHERE randomcode = '{$_GET['code']}'";$result = mysql_query($query);if(mysql_num_rows($result) > 0){$query = "UPDATE `users` SET verified_email = 'true' WHERE randomcode = '{$_GET['code']}'";echo "Successfully verified!";}

You fill in the blanks..

[Cronthenoob]

Thanks!I'll be working on it here pretty shortly, I'll let you know if I get it to work correctly.

[justsomeguy]

It's probably better to have a code that is more than a 5-digit number. It would only take a few seconds to send 100,000 requests to the server and validate everybody. Use this instead:$code = sha1(time());Also:

$query = "SELECt * FROM `users` WHERE randomcode = '{$_GET['code']}'";$result = mysql_query($query);if(mysql_num_rows($result) > 0){$query = "UPDATE `users` SET verified_email = 'true' WHERE randomcode = '{$_GET['code']}'";echo "Successfully verified!";}

Only YOU can prevent SQL injection!

$query = "SELECt * FROM `users` WHERE randomcode = '" . mysql_real_escape_string($_GET['code']) . "'";$result = mysql_query($query);if(mysql_num_rows($result) > 0){$query = "UPDATE `users` SET verified_email = 'true' WHERE randomcode = '" . mysql_real_escape_string($_GET['code']) . "'";echo "Successfully verified!";}

[Cronthenoob]

Only YOU can prevent SQL injection!

Great! Thanks!But what about forest fires?

[aspnetguy]

But what about forest fires?

Man I am always too late for the joke!

[Cronthenoob]

$code = sha1(time());

How characters does that put out?I count 40 when I do echo $code;Is that the right number?

[Cronthenoob]

I get an error whenever it tries to send the emailFailed to connect to mailserver at "localhost" port 25, verify your "SMTP" and "smtp_port" setting in php.ini or use ini_set()I know what its telling me to do, but I don't know how I'm supposed to verify my smtp_port?ini_set(smtp_port, port); ????

[justsomeguy]

The SHA-1 algorithm results in a 40-character (160-bit) hex number, so there are 1.4615 * 10^48 possibilities. It would take a modern computer several hundred or thousand years to try them all.You can use ini_get("smtp") and ini_get("smtp_port") to check settings. The message means that there is not a mail server set up in php.ini. If you are trying this on your home computer, there is probably not a mail server set up there at all. Managed servers online have this set up, so it will work online.

[Cronthenoob]

Thats a lot of possibilities!My hosting company has awesome customer support, and they gave me the following code to try. It works, exept the part where it sends the email . . . No errors, but I never recieve the emails.Heres the code, maybe I did something wrong with quotes or something?The part where I put the target email address is the $mail->AddAddress part.

			require("c:\php\includes\class.phpmailer.php");			$mail = new PHPMailer();			$mail->IsSMTP();						$mail->Host = "mail.myserver.net";			$mail->SMTPAuth = true;			$mail->Username = "myemail";			$mail->Password = "mypassword";						$mail->From = "my email";			$mail->FromName = "my name";			$mail->AddAddress($_POST['email']); 			echo $mail;			$mail->IsHTML(true);			$mail->Subject = "Test message sent using the PHPMailer component";			$mail->Body = "This is a test message.";			$mail->Send();

[justsomeguy]

The syntax looks fine, but since it's a custom class you may want to ask them for support troubleshooting it.

[Cronthenoob]

I tried about 5 different ways, all with the same subject and and message, and one of them went through . . . .I guess I should have changed the message. . . .It took about 10 minutes to send. Could be my works email server . . .LOL, I got another one just now, Funny.Now I've just got to wait and see if the email I sent with the link in it ever gets here . . . . .

[Cronthenoob]

Everything works! I'm not receiving the email with the link in it for some reason, but my host testing it for me, and He received the email and used the verify link succesfully. Thanks all for the help!