I'm not familiar with PHP / MySQL and Emails. And I'm pretty sure this question has been asked somewhere already, but I cannot find it. So I apologise if this is troubling and thank you in advance!
Is it possible to do something so that the user has to click on a link in an email first before the user is added into the database?
And you know how, for some websites, they have a unique web address for each email validation (shown in red in the picture)? How do they create a webpage that's unique for every email?
Picture credit: https://kayako.atlassian.net/wiki/download/attachments/5734920/subs-validation.png?version=1&modificationDate=1291956283000&api=v2
Thank you a lot for the attention! If it's possible, I prefer not having straight scripts that I can copy and paste because I like to find out myself :P But please do give me some hints because I'm totally lost.
If there's anything that's not clear, please tell me, I'll try my best to clarify it!
Here is the basic process:

1. User fills out a form online with basic details including an email and password, and submits the form to `register.php`.
2. `register.php` adds user info to a temporary location, such as a `pending_users` table which has all the fields the user submitted along with `expiration` and `activation_code` fields. This code can be any random, impossible to guess value, eg: `hash('sha1', mt_rand(10000,99999).mt_rand(10000,99999))`. Just don't do anything predictable such as hashing the current time, or the username.
3. `register.php` sends an email to the user with a URL that will link to `activate.php` and that includes the activation code, eg: `example.com/activate.php?code=a2ef24...`. The email should also inform the user of the expiration (1 to 12 hrs validity seems ok to me).
4. When the user clicks the link, she triggers a `GET` request to `activate.php`. In doing so, the user proves ownership of the email address.
5. `activate.php` gets the code from the request parameters, eg: `$code = $_GET['code']`. With that code, the script queries the `pending_users` table for the record matching that code.
6. If the code is found, check that it hasn't expired before proceeding. Expiration prevents someone else who gets into the user's account much later from completing the registration.
7. If the code is valid, capture the user details from the matching record and delete that record from `pending_users`.
8. Write a matching record in the regular `users` table. Until this is done, the user could not log in, because the login script only checks the `users` table and ignores the `pending_users` table.
Additional Note: Remember to never store passwords in cleartext. When you receive it from the registration form, eg:

```php
$pwd = $_POST['pwd']; // first validate; it should meet minimum requirements
$pwd_hash = password_hash($pwd, PASSWORD_DEFAULT); // <- the hash gets stored
```

Later, to verify the password, do:

It will return `true` if the password is correct;
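A worked version of the register/activate flow and the password note above, as an added example that is not from the original answer. It assumes a PDO connection to the MySQL tables described in the answer (`pending_users` with assumed columns `id`, `email`, `pwd_hash`, `activation_code`, `expiration`; `users` with `email`, `pwd_hash`) and generates the code with `random_bytes()`, since `mt_rand()` is not a cryptographic generator.

```php
<?php
// Added example (not from the original answer). Assumes a PDO connection to the
// pending_users / users tables described above; column names are assumptions.

// Unguessable activation code: 32 CSPRNG bytes, hex-encoded (64 chars).
// mt_rand() is not a cryptographic generator and must not be used for this.
function newActivationCode(): string {
    return bin2hex(random_bytes(32));
}

// register.php: store the pending record, return the code to put in the email URL.
function registerPending(PDO $pdo, string $email, string $pwd, int $ttl = 3600): string {
    $code = newActivationCode();
    $stmt = $pdo->prepare('INSERT INTO pending_users (email, pwd_hash, activation_code, expiration)
                           VALUES (:email, :pwd_hash, :code, :exp)');
    $stmt->execute([
        ':email'    => $email,
        ':pwd_hash' => password_hash($pwd, PASSWORD_DEFAULT), // never the cleartext
        ':code'     => hash('sha256', $code), // store only a hash: a DB leak yields no usable links
        ':exp'      => date('Y-m-d H:i:s', time() + $ttl),
    ]);
    return $code; // becomes example.com/activate.php?code=<hex>
}

// activate.php: validate the code, check expiry, move the record to users atomically.
function activate(PDO $pdo, string $code): bool {
    if (strlen($code) !== 64 || !ctype_xdigit($code)) {
        return false; // reject malformed input before touching the database
    }
    $pdo->beginTransaction();
    $stmt = $pdo->prepare('SELECT id, email, pwd_hash, expiration FROM pending_users
                           WHERE activation_code = :code FOR UPDATE');
    $stmt->execute([':code' => hash('sha256', $code)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || strtotime($row['expiration']) < time()) {
        $pdo->rollBack();
        return false; // unknown and expired codes fail the same way
    }
    $pdo->prepare('INSERT INTO users (email, pwd_hash) VALUES (:email, :pwd_hash)')
        ->execute([':email' => $row['email'], ':pwd_hash' => $row['pwd_hash']]);
    $pdo->prepare('DELETE FROM pending_users WHERE id = :id')
        ->execute([':id' => $row['id']]);
    $pdo->commit();
    return true;
}
```

Open the PDO connection with `PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION` so a failed query inside the transaction throws instead of silently leaving a half-moved record.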