PHP and e-mail confirmation
Hello everybody,
I'm looking to provide an electronic reservation system for clients of a night club in my area. What I'd like to do is, after normal form handling and problematic character escaping, wait until the user clicks on the confirmation link I send with an e-mail (I know of and have used the mail() function) before I INSERT his data in the database. Problem is, I have no idea how to do that. What is the connection between the URL that is commonly sent to any user registering in a forum and the activation of his account/registration? How would I code the statement
"Okay, I validated your data and sent you your confirmation e-mail, but until I receive a confirmation that you got the e-mail so that I'm sure that you're not some kind of spam bot registering again and again just to cripple my database, I'm not INSERTing your data in my database."
into PHP?
Thank you for your time.
- John Cartwright
- Site Admin
- Posts: 11470
- Joined: Tue Dec 23, 2003 2:10 am
- Location: Toronto
- Contact:
Re: PHP and e-mail confirmation
You should generate a confirmation key (usually done by md5(their_username + secretsalt) ), insert their data into your db (but marked as unconfirmed). Then, when you receive a confirmation request, lookup against their confirmation key, and mark the user as confirmed.
P.S., don't use the mail() function. It is notoriously bad. Instead, http://swiftmailer.org
Re: PHP and e-mail confirmation
John Cartwright wrote:
> You should generate a confirmation key (usually done by md5(their_username + secretsalt) ), insert their data into your db (but marked as unconfirmed). Then, when you receive a confirmation request, lookup against their confirmation key, and mark the user as confirmed.
> P.S., don't use the mail() function. It is notoriously bad. Instead, http://swiftmailer.org

Why is mail() function bad? I've been using it for a long time now... just wondering.
- John Cartwright
Re: PHP and e-mail confirmation
Mirge wrote:
> John Cartwright wrote:
> > You should generate a confirmation key (usually done by md5(their_username + secretsalt) ), insert their data into your db (but marked as unconfirmed). Then, when you receive a confirmation request, lookup against their confirmation key, and mark the user as confirmed.
> > P.S., don't use the mail() function. It is notoriously bad. Instead, http://swiftmailer.org
> Why is mail() function bad? I've been using it for a long time now... just wondering.

The function itself may not be bad, but it is terrible having to learn the specs to properly apply the correct headers to the mail() function in all circumstances, especially when there are awesome libraries that do that for you. For a simple "hello world" example, I would say the mail() function is o-k, otherwise, I wouldn't touch it with a 10 foot pole.
A lot of spam filters will penalize you for sending a malformed or incomplete set of headers, often resulting in your mail being marked as spam for the most part.
Re: PHP and e-mail confirmation
John Cartwright wrote:
> Mirge wrote:
> > John Cartwright wrote:
> > > You should generate a confirmation key (usually done by md5(their_username + secretsalt) ), insert their data into your db (but marked as unconfirmed). Then, when you receive a confirmation request, lookup against their confirmation key, and mark the user as confirmed.
> > > P.S., don't use the mail() function. It is notoriously bad. Instead, http://swiftmailer.org
> > Why is mail() function bad? I've been using it for a long time now... just wondering.
> The function itself may not be bad, but it is terrible having to learn the specs to properly apply the correct headers to the mail() function in all circumstances, especially when there are awesome libraries that do that for you. For a simple "hello world" example, I would say the mail() function is o-k, otherwise, I wouldn't touch it with a 10 foot pole.
> A lot of spam filters will penalize you for sending a malformed or incomplete set of headers, often resulting in your mail being marked as spam for the most part.

Ahh I see what you mean. Yeah, it can be daunting for sure. I thought you meant there were security issues with it or something that I needed to be aware of.
- John Cartwright
Re: PHP and e-mail confirmation
Well I think there is a serious penalty on performance as well. As memory serves, mail() opens a new connection for each call.
Re: PHP and e-mail confirmation
Hmm, haven't had any issues with it yet.
Re: PHP and e-mail confirmation
John Cartwright wrote:
> You should generate a confirmation key (usually done by md5(their_username + secretsalt) ), insert their data into your db (but marked as unconfirmed). Then, when you receive a confirmation request, lookup against their confirmation key, and mark the user as confirmed.
> P.S., don't use the mail() function. It is notoriously bad. Instead, http://swiftmailer.org

Thanks for the answer, yet I must say that I have a couple of questions:
1) What would you mean by "secretsalt"?
2) How do I "catch" a confirmation request by a client? Like I said in my original post, I don't understand the nature of the URL that is sent alongside the confirmation e-mail. Should that URL be pointing to my PHP script? And, if so, how do I "catch" the confirmation request? I do know how to check environment variables to catch a form submission request, but catching an e-mail confirmation request is what I'm still thick on.
Re: PHP and e-mail confirmation
Jafil21 wrote:
> John Cartwright wrote:
> > You should generate a confirmation key (usually done by md5(their_username + secretsalt) ), insert their data into your db (but marked as unconfirmed). Then, when you receive a confirmation request, lookup against their confirmation key, and mark the user as confirmed.
> > P.S., don't use the mail() function. It is notoriously bad. Instead, http://swiftmailer.org
> Thanks for the answer, yet I must say that I have a couple of questions:
> 1) What would you mean by "secretsalt"?
> 2) How do I "catch" a confirmation request by a client? Like I said in my original post, I don't understand the nature of the URL that is sent alongside the confirmation e-mail. Should that URL be pointing to my PHP script? And, if so, how do I "catch" the confirmation request? I do know how to check environment variables to catch a form submission request, but catching an e-mail confirmation request is what I'm still thick on.

Example scenario...
You have a website that requires registration for whatever. Registration is free. The only thing required is a user fills out a form that includes their first name, last name and email address.
In order to verify this person's email address, we want to assign them a unique code that will then be sent to their email address for them to be able to verify that they have access to this email address.
So, for each visitor, the minimum amount of data we need to store for each user (preferably in MySQL) would be:
---
id (primary key)
firstName
LastName
confirmationCode (the unique code that's generated for each user)
emailConfirmed (true/false, false by default)
---
To generate a confirmation code, we'll use: $confirmationCode = uniqid(''); ... and store all of the data into MySQL.
Then we'd create a second script, say... verify_email.php.
After a user registers, an email is sent to the user that includes a link:
Code:
http://www.yoursite.com/verify_email.php?code=$confirmationCode
Then in verify_email.php, you would pull the $_GET['code'] value and compare in your database to see if it's a match... if you have a match, you have that person's first name, last name and email address they registered with... and since they clicked the link, you know that they have access to that email account... and can mark that person's emailConfirmed to true.
Hope this helps.
P.S. The function uniqid() is a real PHP function. See http://www.php.net/uniqid/ for more information.
Re: PHP and e-mail confirmation
Hi, if I'm right in understanding what you mean, here is a good tutorial that explains what you are trying to do:
http://www.phpeasystep.com/phptu/24.html
Hope it helps
Re: PHP and e-mail confirmation
Puk284 wrote:
> Hi, if I'm right in understanding what you mean, here is a good tutorial that explains what you are trying to do:
> http://www.phpeasystep.com/phptu/24.html
> Hope it helps

That also attempts to somewhat explain the process.
Code:
<?php
include('config.php');
// Passkey taken from the confirmation link
$passkey=$_GET['passkey'];
$tbl_name1="temp_members_db";
// Retrieve the row that matches this passkey.
// Note: $passkey goes into the SQL string unescaped (SQL injection),
// and mysql_query() was removed in PHP 7.
$sql1="SELECT * FROM $tbl_name1 WHERE confirm_code ='$passkey'";
$result1=mysql_query($sql1);
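An added example (not code from the thread or from the linked tutorial) of the whole flow discussed above: the row is stored unconfirmed at registration, the link is e-mailed, and verify_email.php looks the code up through a prepared statement instead of string interpolation. It uses PDO with an in-memory SQLite database so it runs stand-alone; the function names, the email, confirmationHash and expiresAt columns and the 24-hour expiry are assumptions.

```php
<?php
// Added example: confirmation link with a random token and prepared statements.
// SQLite in memory, helper names and the 24-hour expiry are assumptions.

function openDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (
        id INTEGER PRIMARY KEY, firstName TEXT, lastName TEXT, email TEXT,
        confirmationHash TEXT UNIQUE, expiresAt INTEGER,
        emailConfirmed INTEGER NOT NULL DEFAULT 0)');
    return $db;
}

// Registration: store the row as unconfirmed and return the link to e-mail.
function register(PDO $db, string $first, string $last, string $email): string {
    // uniqid() is derived from the clock and md5(username . salt) never changes;
    // random_bytes() gives an unguessable, per-request value instead.
    $token = bin2hex(random_bytes(32));
    $stmt = $db->prepare('INSERT INTO users
        (firstName, lastName, email, confirmationHash, expiresAt)
        VALUES (?, ?, ?, ?, ?)');
    // Only a hash of the token is stored, so a database leak exposes no live links.
    $stmt->execute([$first, $last, $email, hash('sha256', $token), time() + 86400]);
    return 'http://www.yoursite.com/verify_email.php?code=' . $token;
}

// verify_email.php: $code is the raw $_GET['code'] value.
function confirm(PDO $db, $code): bool {
    // Reject arrays (?code[]=x) and anything that is not 64 hex characters.
    if (!is_string($code) || !preg_match('/\A[0-9a-f]{64}\z/', $code)) {
        return false;
    }
    // The value is bound as a parameter, never concatenated into the SQL text.
    // Clearing the hash makes the link single-use.
    $stmt = $db->prepare('UPDATE users
        SET emailConfirmed = 1, confirmationHash = NULL
        WHERE confirmationHash = ? AND emailConfirmed = 0 AND expiresAt >= ?');
    $stmt->execute([hash('sha256', $code), time()]);
    return $stmt->rowCount() === 1;
}

// Constructed demo data.
$db   = openDb();
$link = register($db, 'Ada', 'Example', 'ada@example.test');
parse_str((string) parse_url($link, PHP_URL_QUERY), $query); // what PHP puts in $_GET
var_dump(confirm($db, $query['code']));   // first click on the link
var_dump(confirm($db, $query['code']));   // same link replayed
var_dump(confirm($db, "' OR '1'='1"));    // malformed input
```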
Re: PHP and e-mail confirmation
Yes, I've been studying SQL Injection for a while now and am looking forward to finding some procedural PHP code to explain the musql_prepare() function, as I've been learning procedural PHP up until now.
Thank you all for your efforts.
//One last question, if possible: I assume that the $_GET['code'] variable is some sort of global php variable that holds the values of the URL right after the ".php" part, correct? In the above example, with the URL
Code:
http://www.yoursite.com/verify_email.ph ... mationCode
Would $_GET['code'] hold the contents of $confirmationCode?
Re: PHP and e-mail confirmation
Jafil21 wrote:
> Code:
> http://www.yoursite.com/verify_email.php?code=$confirmationCode
> Would $_GET['code'] hold the contents of $confirmationCode?

Yup, more or less whatever is on the other side of "code=" will be assigned to $_GET['code'] up until the next delimiter (& symbol).