Sending authentication mails

When users register on our website, their username, encrypted
password and so on are stored in the MySQL database.

Many phpbb sites though send an activation mail to the email address  
specified by the user. The user then needs to select a link to get his  
account activated.

I would like to implement this process, can anyone tell me how this is done?


Re: Sending authentication mails

Bert Bos wrote:
After the registration data is saved to the database, send them a link
to a validate.php script

The code in the link could be random and saved to the database.
When, later, the user accesses the script, you search the database for the
code and update the record indicating that this particular user has

    $sql = "update user_table set validated=1 where code=''";

Make sure every (unvalidated) code is unique in the database.

Also try to prevent people from validating random accounts by locking
out a 'connection' that fails after three (or whatever) attempts.

Hope this helps.

If you're posting through Google read <

Re: Sending authentication mails

Pedro Graca wrote:
For some reason, basing something like this with just a single
credential to the database makes me squirmish. I personally would
validate by asking for their email (whether it's in the URL or
what-have-you) and issue a query like this:

    select user_id from user_table where user_email = '$escaped_username'
    and code = '$escaped_code'

If no results were returned, then either the code doesn't match with the
email, and therefore isn't really an account validation after all...

Justin Koivisto, ZCE -

Re: Sending authentication mails

Justin Koivisto wrote:
In real life I'd have a different table with the validation codes. This
table would also have a datetime for the limit of the validation code
(eg one week after sending the email) and the specific record would be
deleted when no longer needed.

I'd probably also make the 'validated' column a 'status' column, linking
to a status table (Pending, Validated, OnVacation, Deleted, ...)

Well ... there are always lots of ways to complicate what begins as a
simple task :)

If you're posting through Google read <

Re: Sending authentication mails

 I'm sure you know better than to do this :-) SQL injection ahoy - remember to
escape appropriately, or use a library that implements (or at least emulates)

 This is actually quite a good demonstration of SQL injection risks; you could
call the script as:


 ... and it'll set validated=1 without the right code, as you end up with the
SQL as:

    update user_table set validated=1 where code='' or 'a'='a'

Andy Hassall :: :: :: disk and FTP usage analysis tool

Re: Sending authentication mails

Andy Hassall wrote:
Of course! I was just testing the audience :-)

Thank you for being on the lookout and calling attention to the errors
committed. It's appreciated.

If you're posting through Google read <
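
Added example, not part of any post in this thread: one way to combine the suggestions above (random code, separate table with an expiry, lookup by email plus code) using PDO prepared statements so the `' or 'a'='a` input is treated as data. The `validation_codes` table, its columns, the function names and the in-memory SQLite connection standing in for MySQL are assumptions; storing only a hash of the code is an extra hardening step not mentioned in the thread.

```php
<?php
// Added example: schema, column and function names are assumptions.
$db = new PDO('sqlite::memory:');   // stand-in for the MySQL connection
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE user_table (user_id INTEGER PRIMARY KEY,
           user_email TEXT UNIQUE, validated INTEGER DEFAULT 0)");
$db->exec("CREATE TABLE validation_codes (user_id INTEGER PRIMARY KEY,
           code_hash TEXT UNIQUE, expires_at INTEGER)");

// At registration: create a random code, store its hash and an expiry time.
function issue_code(PDO $db, int $userId, int $ttl = 604800): string {
    $code = bin2hex(random_bytes(16));          // 128 bits from the CSPRNG
    $stmt = $db->prepare("INSERT INTO validation_codes
                          (user_id, code_hash, expires_at) VALUES (?, ?, ?)");
    $stmt->execute([$userId, hash('sha256', $code), time() + $ttl]);
    return $code;                               // goes into the mailed link
}

// In validate.php: email and code must match the same unexpired record.
function validate(PDO $db, string $email, string $code): bool {
    $stmt = $db->prepare(
        "SELECT u.user_id FROM user_table u
           JOIN validation_codes v ON v.user_id = u.user_id
          WHERE u.user_email = ? AND v.code_hash = ? AND v.expires_at > ?");
    $stmt->execute([$email, hash('sha256', $code), time()]);
    $userId = $stmt->fetchColumn();
    if ($userId === false) {
        return false;           // caller counts this failure toward a lockout
    }
    $db->beginTransaction();
    $db->prepare("UPDATE user_table SET validated = 1 WHERE user_id = ?")
       ->execute([$userId]);
    $db->prepare("DELETE FROM validation_codes WHERE user_id = ?")
       ->execute([$userId]);    // record deleted when no longer needed
    $db->commit();
    return true;
}

// Constructed sample data.
$db->exec("INSERT INTO user_table (user_id, user_email)
           VALUES (1, 'alice@example.com')");
$code = issue_code($db, 1);
var_dump(validate($db, 'alice@example.com', "' or 'a'='a")); // bound as data
var_dump(validate($db, 'bob@example.com', $code));   // right code, wrong email
var_dump(validate($db, 'alice@example.com', $code)); // matching pair
var_dump(validate($db, 'alice@example.com', $code)); // code is single-use
```

Only the third call validates the account; the per-connection lockout suggested earlier in the thread would be driven by the `false` returns.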
