I'm actually creating a web application using PHP and seek help verifying a user.
As with certain websites, when you register, an e-mail is sent to you with a confirmation link. How do I implement that in PHP?
All I know is that I have to use the PHP mail() function to send the e-mail.
Please help. Necessary. Thanks. :)
just like with CSRF protection you generate an unique token.
$token = md5(uniqid(rand(), TRUE));
You store that value in your session for that email and when the user clicks link in email(you pass token via the query-string) you compare the two values.
To make it more secure you could just as with CSRF add a time-limit.
Patricks answer is correct altough i want to point out that there are other possibilities!
You don't necessarily have to create and store a unique token in your database. This is data overhead that is only needed once.
You could also take advantage of one-way hashing.
For example send the user the code md5('my-secret-application-token'.$user_email_adress).
You can validate that just the same way but dont need to store a secret code.
This is a very broad question, so we can only give a broad answer, but the general technique to do so is
- insert the user's email address into your database but mark it as unverified
- create a unique registration key and insert it into a different table just for these keys
- send an email to the user's email address with a link to your site that passes this registration key as an argument (eg http://site.com/confirm.php?key=1234)
- when that url is visited, mark the email as verified and remove the temporarily created registration key
来源:https://stackoverflow.com/questions/4912603/verify-a-user-via-e-mail-in-php