Ronald Ng Ronald Ng - 2 months ago 13x
SQL Question

PHP / Mail / MySQL: Email Confirmation for Register

I'm not familiar with PHP / MySQL and Emails. And I'm pretty sure this question has been asked somewhere already, but I cannot find it. So I apologise if this is troubling and thank you in advance!

Is it possible to do something that user has to click on a link in email first before the user is added into database???

And you know how, for some websites, they have a unique web address for each email validation (Shown in red on the picture)? How do they create a webpage that's unique in for every email ?

Picture credited:

enter image description here

Thank you a lot for the attention! If it's possible, I prefer not having straight scripts that I can copy and paste because I like to find out myself :P But please do give me some hints because I'm totally lost.

If there's anything that's not clear, please tell me, I'll try my best to clarify it!


Here is the basic process

  1. User fills out a form online with basic details including an email and password, and submits the form to register.php

  2. register.php adds user info to a temporary location, such as a pending_users table which has all the fields the user submitted along with an expiration and an activation_code fields. This code can be any random, impossible to guess value. eg: hash('sha1', mt_rand(10000,99999).md_rand(10000,99999)). Just don't do anything predictable such as hash the current time, or the username

  3. register.php sends an email to the user with a URL that will link to activate.php and that includes the activation code. eg: The email should also inform the user of the expiration (1 to 12hrs validity seems ok to me)

  4. When user clicks the link, she triggers a GET request to activate.php. In doing so, the user proves ownership of the email address

  5. activate.php gets the code from the request parameters, eg: $code=$_GET['code']. With that code, the script queries the pending_users table for the record matching that code.

  6. If the code is found, check that it hasn't expired before proceeding. Expiration prevents someone else much later who gets in the user's account from completing the registration.

  7. If the code is valid, capture the user details from the matching record and delete that record from pending_users table.

  8. Write a matching record in the regular users table. Until this is done, the user could not log in because login script only checks the users table, and ignores the pending_users table.

  9. Registration complete.

Additional Note: Remember to never store passwords in cleartext. When you receive it from the registration form (eg: $_POST['pwd'], do:

$pwd = $_POST['pwd'];

//first validate; it should meet minimum requirements

$pwd_hash = password_hash($pwd, PASSWORD_DEFAULT); // <- the hash gets stored

Later, to verify the password, do:

password_verify($cleartext_pwd, $pwd_hash);

It will return true if the password is correct; false otherwise.