PHP and e-mail confirmation
Posted: Fri Oct 16, 2009 1:12 pm
by Jafil21
Hello everybody,
I'm looking to provide an electronic reservation system for clients of a night club in my area. What I'd like to do is, after normal form handling and problematic character escaping, wait until the user clicks on the confirmation link I send with an e-mail (I know of and have used the mail() function) before I INSERT his data in the database. Problem is, I have no idea how to do that. What is the connection between the URL that is commonly sent to any user registering in a forum and the activation of his account/registration? How would I code the statement
"Okay, I validated your data and sent you your confirmation e-mail, but until I receive a confirmation that you got the e-mail so that I'm sure that you're not some kind of spam bot registering again and again just to cripple my database, I'm not INSERTing your data in my database."
into PHP?
Thank you for your time.
Re: PHP and e-mail confirmation
Posted: Fri Oct 16, 2009 1:16 pm
by John Cartwright
You should generate a confirmation key (usually done by md5(their_username + secretsalt) ), insert their data into your db (but marked as unconfirmed). Then, when you receive a confirmation request, look it up against their confirmation key, and mark the user as confirmed.
P.S., don't use the mail() function. It is notoriously bad. Instead,
http://swiftmailer.org
Re: PHP and e-mail confirmation
Posted: Fri Oct 16, 2009 1:40 pm
by Mirge
John Cartwright wrote: You should generate a confirmation key (usually done by md5(their_username + secretsalt) ), insert their data into your db (but marked as unconfirmed). Then, when you receive a confirmation request, look it up against their confirmation key, and mark the user as confirmed.
P.S., don't use the mail() function. It is notoriously bad. Instead,
http://swiftmailer.org
Why is the mail() function bad? I've been using it for a long time now... just wondering.
Re: PHP and e-mail confirmation
Posted: Fri Oct 16, 2009 1:47 pm
by John Cartwright
Mirge wrote: John Cartwright wrote: You should generate a confirmation key (usually done by md5(their_username + secretsalt) ), insert their data into your db (but marked as unconfirmed). Then, when you receive a confirmation request, look it up against their confirmation key, and mark the user as confirmed.
P.S., don't use the mail() function. It is notoriously bad. Instead,
http://swiftmailer.org
Why is the mail() function bad? I've been using it for a long time now... just wondering.
The function itself may not be bad, but it is terrible having to learn the specs to properly apply the correct headers to the mail() function in all circumstances, especially when there are awesome libraries that do that for you. For a simple "hello world" example, I would say the mail() function is OK; otherwise, I wouldn't touch it with a 10-foot pole.
A lot of spam filters will penalize you for sending a malformed or incomplete set of headers, often resulting in your mail being marked as spam for the most part.
Re: PHP and e-mail confirmation
Posted: Fri Oct 16, 2009 1:54 pm
by Mirge
John Cartwright wrote: Mirge wrote: John Cartwright wrote: You should generate a confirmation key (usually done by md5(their_username + secretsalt) ), insert their data into your db (but marked as unconfirmed). Then, when you receive a confirmation request, look it up against their confirmation key, and mark the user as confirmed.
P.S., don't use the mail() function. It is notoriously bad. Instead,
http://swiftmailer.org
Why is the mail() function bad? I've been using it for a long time now... just wondering.
The function itself may not be bad, but it is terrible having to learn the specs to properly apply the correct headers to the mail() function in all circumstances, especially when there are awesome libraries that do that for you. For a simple "hello world" example, I would say the mail() function is OK; otherwise, I wouldn't touch it with a 10-foot pole.
A lot of spam filters will penalize you for sending a malformed or incomplete set of headers, often resulting in your mail being marked as spam for the most part.
Ahh, I see what you mean. Yeah, it can be daunting for sure. I thought you meant there were security issues with it or something that I needed to be aware of.
Re: PHP and e-mail confirmation
Posted: Fri Oct 16, 2009 1:55 pm
by John Cartwright
Well, I think there is a serious penalty on performance as well. If memory serves, mail() opens a new connection for each call.
Re: PHP and e-mail confirmation
Posted: Fri Oct 16, 2009 1:59 pm
by Mirge
Hmm, haven't had any issues with it yet.
Re: PHP and e-mail confirmation
Posted: Sun Oct 18, 2009 3:17 am
by Jafil21
John Cartwright wrote: You should generate a confirmation key (usually done by md5(their_username + secretsalt) ), insert their data into your db (but marked as unconfirmed). Then, when you receive a confirmation request, look it up against their confirmation key, and mark the user as confirmed.
P.S., don't use the mail() function. It is notoriously bad. Instead,
http://swiftmailer.org
Thanks for the answer, yet I must say that I have a couple of questions:
1) What do you mean by "secretsalt"?
2) How do I "catch" a confirmation request by a client? Like I said in my original post, I don't understand the nature of the URL that is sent alongside the confirmation e-mail. Should that URL be pointing to my PHP script? And, if so, how do I "catch" the confirmation request? I do know how to check environment variables to catch a form submission request, but catching an e-mail confirmation request is what I'm still thick on.
Re: PHP and e-mail confirmation
Posted: Sun Oct 18, 2009 3:24 am
by Mirge
Jafil21 wrote: John Cartwright wrote: You should generate a confirmation key (usually done by md5(their_username + secretsalt) ), insert their data into your db (but marked as unconfirmed). Then, when you receive a confirmation request, look it up against their confirmation key, and mark the user as confirmed.
P.S., don't use the mail() function. It is notoriously bad. Instead,
http://swiftmailer.org
Thanks for the answer, yet I must say that I have a couple of questions:
1) What do you mean by "secretsalt"?
2) How do I "catch" a confirmation request by a client? Like I said in my original post, I don't understand the nature of the URL that is sent alongside the confirmation e-mail. Should that URL be pointing to my PHP script? And, if so, how do I "catch" the confirmation request? I do know how to check environment variables to catch a form submission request, but catching an e-mail confirmation request is what I'm still thick on.
Example scenario...
You have a website that requires registration for whatever. Registration is free. The only thing required is a user fills out a form that includes their first name, last name and email address.
In order to verify this person's email address, we want to assign them a unique code that will then be sent to their email address for them to be able to verify that they have access to this email address.
So, for each visitor, the minimum amount of data we need to store for each user (preferably in MySQL) would be:
---
id (primary key)
firstName
LastName
email
confirmationCode (the unique code that's generated for each user)
emailConfirmed (true/false, false by default)
---
To generate a confirmation code, we'll use: $confirmationCode = uniqid(''); ... and store all of the data into MySQL.
Then we'd create a second script, say... verify_email.php.
After a user registers, an email is sent to the user that includes a link:
http://www.yoursite.com/verify_email.php?code=$confirmationCode
... if you wanted, you could also include the email address.
Then in verify_email.php, you would pull the $_GET['code'] value and compare in your database to see if it's a match... if you have a match, you have that person's first name, last name and email address they registered with... and since they clicked the link, you know that they have access to that email account... and can mark that person's emailConfirmed to true.
Hope this helps.
P.S. The function uniqid() is a real PHP function. See
http://www.php.net/uniqid/ for more information.
Re: PHP and e-mail confirmation
Posted: Sun Oct 18, 2009 3:37 am
by Puk284
Hi, if I'm right in understanding what you mean, here is a good tutorial that explains what you are trying to do:
http://www.phpeasystep.com/phptu/24.html
Hope it helps
Re: PHP and e-mail confirmation
Posted: Sun Oct 18, 2009 3:41 am
by Mirge
That also attempts to somewhat explain the process.
<?php
include('config.php');
// Passkey taken straight from the link, with no escaping
$passkey=$_GET['passkey'];
$tbl_name1="temp_members_db";
// Retrieve the row from the table that matches this passkey;
// the passkey is interpolated into the SQL string as-is, which is the injection point
$sql1="SELECT * FROM $tbl_name1 WHERE confirm_code ='$passkey'";
$result1=mysql_query($sql1);
That's a snippet from the link you mentioned... to the OP: Please take appropriate measures to sanitize user input before using it in MySQL... at minimum, use mysql_real_escape_string(). Note that in the code pulled from the guide above, the code is left vulnerable to SQL injection.
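An added example, not from the thread or the linked tutorial, that implements Mirge's registration/verify_email.php scenario above with mysqli prepared statements, so the value from $_GET['code'] is bound as a parameter instead of being interpolated into the query as in the snippet. The users table follows Mirge's column list; the $db connection credentials and the table name are assumptions.

```php
<?php
// Added example: the two halves of the e-mail confirmation flow from this thread,
// written so that user input never becomes part of an SQL string.
// Assumed table: users(id, firstName, lastName, email, confirmationCode, emailConfirmed)
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // make DB errors throw

// Registration side: store the user as unconfirmed and return the code for the link.
function registerUser(mysqli $db, string $first, string $last, string $email): string
{
    // 32 hex chars from the CSPRNG; uniqid() is clock-based and therefore guessable.
    $code = bin2hex(random_bytes(16));
    $stmt = $db->prepare(
        'INSERT INTO users (firstName, lastName, email, confirmationCode, emailConfirmed)
         VALUES (?, ?, ?, ?, 0)'
    );
    $stmt->bind_param('ssss', $first, $last, $email, $code);
    $stmt->execute();
    $stmt->close();
    return $code;
}

// The link that goes into the confirmation e-mail (host is a placeholder).
function confirmationLink(string $code): string
{
    return 'http://www.yoursite.com/verify_email.php?code=' . rawurlencode($code);
}

// verify_email.php side: bind the code, flip the flag, and accept exactly one row.
function confirmEmail(mysqli $db, string $code): bool
{
    // Reject anything that is not a 32-char hex token before touching the database.
    if (!preg_match('/^[0-9a-f]{32}$/', $code)) {
        return false;
    }
    $stmt = $db->prepare(
        'UPDATE users SET emailConfirmed = 1
         WHERE confirmationCode = ? AND emailConfirmed = 0'
    );
    $stmt->bind_param('s', $code);
    $stmt->execute();
    $confirmed = ($stmt->affected_rows === 1); // 0 rows: unknown code or already used
    $stmt->close();
    return $confirmed;
}

// What verify_email.php itself would do (connection details are placeholders):
$db = new mysqli('localhost', 'db_user', 'db_password', 'nightclub');
if (confirmEmail($db, $_GET['code'] ?? '')) {
    echo 'Thanks, your e-mail address is confirmed.';
} else {
    http_response_code(400);
    echo 'That confirmation link is invalid or was already used.';
}
```

Because the UPDATE also requires emailConfirmed = 0, a link can only be redeemed once, and a code that matches no row simply returns false rather than revealing anything about the table.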
Re: PHP and e-mail confirmation
Posted: Sun Oct 18, 2009 3:53 am
by Jafil21
Yes, I've been studying SQL injection for a while now and am looking forward to finding some procedural PHP code to explain the mysqli_prepare() function, as I've been learning procedural PHP up until now.
Thank you all for your efforts.
//One last question, if possible: I assume that the $_GET['code'] variable is some sort of global PHP variable that holds the values of the URL right after the ".php" part, correct? In the above example, with the URL
http://www.yoursite.com/verify_email.ph ... mationCode
Would $_GET['code'] hold the contents of $confirmationCode?
Re: PHP and e-mail confirmation
Posted: Sun Oct 18, 2009 9:50 am
by Eric!
Jafil21 wrote:
http://www.yoursite.com/verify_email.php?code=$confirmationCode
Would $_GET['code'] hold the contents of $confirmationCode?
Yup, more or less whatever is on the other side of "code=" will be assigned to $_GET['code'], up until the next delimiter (the & symbol).