Easiest way for PHP email verification link

試著忘記壹切 提交于 2019-11-26 09:21:38

问题


I already have an advanced user login/register system on my website (colemansystems.psm2.co.uk). However, I would like to have an email sent to new users for verification of their email address. If they have not clicked the link, they will not be able to access their account. I am semi-experienced with PHP and MySQL, so please explain in depth.

Edit: The code I'm using for the verify.php file (the link the user clicks on, with a GET parameter, for example verify.php?d=51773199320):

$secret = $_GET['d'];
$result = mysql_query("SELECT valid FROM users WHERE secret=$secret");
while ($row = mysql_fetch_array($result))
{
    $valid = $row['valid'];
}
if ($valid == "") {
    echo "There seems to be a problem with the verification code.<br><br><br><br><br>";
}
elseif ($valid == "1")
{
    echo "Your account is already verified.<br><br><br><br><br>";
}
else
{
    mysql_query("UPDATE users SET valid = '1' WHERE secret=$secret");
    echo "Thank you, your account is now verified and you are free to use the exclusive features!<br><br><br><br><br><br>";
}

Is this secure?


Answer 1:


The easiest way is not to register unverified users at all.

Ask them for an email address and send email with a link that contains this address sealed with a hash. Upon receiving this link you can start the registration process.

Something like this

$secret = "35onoi2=-7#%g03kl";
$email = urlencode($_POST['email']);
$hash = MD5($_POST['email'].$secret);
$link = "http://example.com/register.php?email=$email&hash=$hash";

And in your register.php add 2 hidden fields to the registration form - email and hash, storing their received values from GET.

Finally, process registration and check,

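// $secret is the same value that was used when the link was built
// Strict comparison, so numeric-looking hash strings are not type-juggled
if (md5($_POST['email'].$secret) === $_POST['hash']) {
    //Continue registration.
}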



Answer 2:


Easiest for whom - user, coder, computer? What are you optimizing - the quantity of keypresses, the size of the code, the user experience?

The easiest to code is probably unsafe. You should check the email address for correctness before sending a letter to it.




Answer 3:


After registration, create a hashed string and save it to the temporary user table, then send that hashed string to the user's email address using this code:

if(isset($_POST['register']))
{
    $email=$_POST['email'];
    $pass=$_POST['password'];
    $code=substr(md5(mt_rand()),0,15);
    mysql_connect('localhost','root','');
    mysql_select_db('sample');

    // Escape user input before placing it in the query
    $email_sql=mysql_real_escape_string($email);
    $pass_sql=mysql_real_escape_string($pass);
    $insert=mysql_query("insert into verify values('','$email_sql','$pass_sql','$code')");
    $db_id=mysql_insert_id();

    $message = "Your Activation Code is ".$code."";
    $to=$email;
    $subject="Activation Code For Talkerscode.com";
    $from = 'your email';
    // The id and code must be part of the href so that the verify page receives them
    $body='Your Activation Code is '.$code.' Please Click On This link <a href="verification.php?id='.$db_id.'&code='.$code.'">verification.php?id='.$db_id.'&code='.$code.'</a> to activate your account.';
    $headers = "From:".$from;
    mail($to,$subject,$body,$headers);

    echo "An Activation Code Is Sent To You Check You Emails";
}

After that, create a verify page, and then:

if(isset($_GET['id']) && isset($_GET['code']))
{
    mysql_connect('localhost','root','');
    mysql_select_db('sample');
    // Escape the link parameters before placing them in the queries
    $id=mysql_real_escape_string($_GET['id']);
    $code=mysql_real_escape_string($_GET['code']);
    $select=mysql_query("select email,password from verify where id='$id' and code='$code'");
    if(mysql_num_rows($select)==1)
    {
        while($row=mysql_fetch_array($select))
        {
            // Stored values are escaped again before reuse in the next query
            $email=mysql_real_escape_string($row['email']);
            $password=mysql_real_escape_string($row['password']);
        }
        $insert_user=mysql_query("insert into verified_user values('','$email','$password')");
        $delete=mysql_query("delete from verify where id='$id' and code='$code'");
    }
}

If you have any problem, here is a complete tutorial: http://talkerscode.com/webtricks/account-verification-system-through-email-using-php.php
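
A hardened form of the verify.php flow from the question and Answer 3, as an added example that is not part of any post on this page: the token comes from a CSPRNG, only its hash is stored, and the link parameter is bound through a prepared statement instead of being interpolated into the SQL string. The `users(email, token_hash, valid)` table, the helper names `issueToken()` and `verifyToken()`, and the in-memory SQLite database standing in for MySQL are assumptions.

```php
<?php
// Added example. Assumptions: PDO with the SQLite driver (an in-memory database
// stands in for MySQL), a hypothetical users(email, token_hash, valid) table,
// and hypothetical helper names issueToken() / verifyToken().
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT,
            token_hash TEXT UNIQUE, valid INTEGER NOT NULL DEFAULT 0)');

// Registration: generate an unguessable token and store only its SHA-256 hash.
function issueToken(PDO $pdo, string $email): string
{
    $token = bin2hex(random_bytes(32)); // CSPRNG output, 64 hex characters
    $stmt = $pdo->prepare('INSERT INTO users (email, token_hash) VALUES (?, ?)');
    $stmt->execute([$email, hash('sha256', $token)]);
    return $token; // appears only in the emailed link
}

// verify.php logic: returns 'verified', 'already' or 'invalid'.
function verifyToken(PDO $pdo, $token): string
{
    // Accept only the exact format that was issued (rejects arrays, SQL fragments).
    if (!is_string($token) || !preg_match('/\A[0-9a-f]{64}\z/', $token)) {
        return 'invalid';
    }
    // The value is bound as a parameter, never concatenated into the SQL text.
    $stmt = $pdo->prepare('SELECT id, valid FROM users WHERE token_hash = ?');
    $stmt->execute([hash('sha256', $token)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return 'invalid';
    }
    if ((int) $row['valid'] === 1) {
        return 'already';
    }
    $pdo->prepare('UPDATE users SET valid = 1 WHERE id = ?')->execute([$row['id']]);
    return 'verified';
}

// Constructed sample run: in verify.php the argument would be $_GET['d'] ?? null.
$token = issueToken($pdo, 'alice@example.com');
echo 'https://example.com/verify.php?d=' . $token, "\n";
echo verifyToken($pdo, $token), "\n";          // first click
echo verifyToken($pdo, $token), "\n";          // second click
echo verifyToken($pdo, '51773199320'), "\n";   // value not in the issued format
echo verifyToken($pdo, ['x']), "\n";           // array passed as ?d[]=x
```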



Source: https://stackoverflow.com/questions/3794959/easiest-way-for-php-email-verification-link
