-1

I'm making a website where you can create an account. As part of the sign-up process, I want to send an activation email to the user's email address. I was thinking that this email would include a link that the user clicks on, which will activate the account. The problem is I'm not sure how I would go about creating the link and how it would work. How would I dynamically generate this link and how would it activate the account?

Thanks

EthanLewis
  • You are using a database, aren't you? You could add a field to the user data and generate the link out of that value. Then use a script to validate that someone used that link with the value, probably stored in GET values. Autosending a mail shouldn't be that hard. What are you using to send mails? Something like swiftmail? Then use the script to change the validation value to sth. like ACTIVATED or so. http://stackoverflow.com/questions/2293684/what-is-the-best-way-to-create-a-random-hash-string – Pingbeat Jan 16 '17 at 08:06
  • Yeah I am. I'm just sending the mail using a PHP script, I just needed to get the logic for it in my head. What you're saying makes a lot of sense, I think I'll try using that logic. – EthanLewis Jan 16 '17 at 08:11

1 Answer

2

When you are preparing to send the email, after creating the account, you will have to add into your database a record to validate that account, which should include the ID for that account and an activation string (I would generate a 10 to 15 character random hex or alphanumeric string). This record should also have a boolean true or false whether it's been activated or a numeric (or Binary) 1 or 0. Set this to false before sending the email. Send this activation string and account ID in a link in the email.

For any links that you create, you're going to want a single page for them to go to, i.e. activateaccount.php. From inside that file, you can receive a $_GET parameter, maybe $_GET['activation'] and $_GET['account_id']. From this page, you will validate that the activation and account_id are both valid and that they match each other. If not, then the script should NOT attempt to fix the mismatch by writing to the database, as this could allow undesired attacks. If they are both valid and match, then the account may be activated.

Also as Pingbeat suggested, have a go at Swiftmailer. I have used it before in many projects and can confirm that it is extremely versatile, fast, very well documented and incredibly easy to use.

I hope this suggestion helps.

Michael Thompson
  • Exactly what I thought of how someone could do that, except for how to do the actual activation, but there are many ways. +1 for this idea. :) – Pingbeat Jan 16 '17 at 08:13
  • For sure, many different ways. I am sure that higher end projects such as PHPBB would have a much more complex way of doing things, and likely much more secure. The email address could also be inserted as a further $_GET parameter then validated against too, for example, but in the real world, the chances of someone figuring out the activation number for any account (if randomly generated) are incredibly slim, so validating the email address too would not be necessary. – Michael Thompson Jan 16 '17 at 08:18
  • You are right. In case you want to use the email, for whatever reason, you could use md5 so that you do not send it in clear text over GET. – Pingbeat Jan 16 '17 at 08:22
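
The flow described in the answer above, as an added PHP example (not the answerer's code). It goes a little beyond the answer by using a 32-character hex token from `random_bytes()` and storing only its SHA-256 hash; the `activations` table, the function names `createActivation` and `activate`, the `example.com` URL and the in-memory SQLite database are assumptions made for illustration.

```php
<?php
declare(strict_types=1);
// Added example; table, column and function names are assumptions.

function createActivation(PDO $db, int $accountId): string
{
    $token = bin2hex(random_bytes(16)); // 32 hex characters from the CSPRNG
    $stmt = $db->prepare(
        'INSERT INTO activations (account_id, token_hash, activated) VALUES (?, ?, 0)'
    );
    // Store only a hash, so a leaked table does not reveal usable links.
    $stmt->execute([$accountId, hash('sha256', $token)]);
    return 'https://example.com/activateaccount.php?'
        . http_build_query(['account_id' => $accountId, 'activation' => $token]);
}

function activate(PDO $db, array $get): bool
{
    $id    = filter_var($get['account_id'] ?? null, FILTER_VALIDATE_INT);
    $token = $get['activation'] ?? '';
    if ($id === false || !is_string($token) || !preg_match('/\A[0-9a-f]{32}\z/', $token)) {
        return false; // malformed input: reject before touching the database
    }
    $stmt = $db->prepare(
        'SELECT token_hash FROM activations WHERE account_id = ? AND activated = 0'
    );
    $stmt->execute([$id]);
    $stored = $stmt->fetchColumn();
    // Constant-time comparison; on any mismatch nothing is written.
    if (!is_string($stored) || !hash_equals($stored, hash('sha256', $token))) {
        return false;
    }
    $upd = $db->prepare(
        'UPDATE activations SET activated = 1 WHERE account_id = ? AND activated = 0'
    );
    $upd->execute([$id]);
    return $upd->rowCount() === 1; // single use: a replayed link finds no pending row
}

// Constructed demo on an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE activations (account_id INTEGER PRIMARY KEY, token_hash TEXT, activated INTEGER)');
$link = createActivation($db, 42);
parse_str((string) parse_url($link, PHP_URL_QUERY), $params);
var_dump(activate($db, ['account_id' => '42', 'activation' => str_repeat('0', 32)])); // wrong token
var_dump(activate($db, $params)); // the emailed link
var_dump(activate($db, $params)); // the same link used a second time
```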