Posted by Justin Koivisto on 01/19/06 22:31
Pedro Graca wrote:
> Bert Bos wrote:
>> when users are registered on our website, their username, encrypted
>> password and so on are stored in the MySQL database.
>>
>> Many phpbb sites though send an activation mail to the email address
>> specified by the user. The user then needs to select a link to get his
>> account activated.
>>
>> I would like to implement this process, can anyone tell me how this is done?
>
> After the registration data is saved to the database, send them a link
> to a validate.php script
>
> http://www.example.com/validate.php?code=78Jh5qM0
>
> The code in the link could be random and saved to the database.
> When, later, the user accesses the script, you search the database for the
> code and update the record indicating that this particular user has
> validated.
>
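> $stmt = $pdo->prepare("update user_table set validated=1 where code=?"); // $pdo: an open PDO connection (assumed)
> $stmt->execute(array($_GET['code'])); // the code is bound as data, not spliced into the SQL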
>
> Make sure every (unvalidated) code is unique in the database.
>
> Also try to prevent people from validating random accounts by locking
> out a 'connection' that fails after three (or whatever) attempts.
For some reason, basing something like this with just a single
credential to the database makes me squirmish. I personally would
validate by asking for their email (whether it's in the URL or
what-have-you) and issue a query like this:
select user_id from user_table where user_email = '$escaped_username'
and code = '$escaped_code'
If no results were returned, then either the code doesn't match with the
email, and therefore isn't really an account validation after all...
--
Justin Koivisto, ZCE - justin@koivi.com
http://koivi.com
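
The two suggestions from the thread combined (a random code saved to the database, checked together with the email address, with a three-miss lockout), as an added example that is not code from either post. The SQLite in-memory database, the `code_hash` and `failed_attempts` columns, the function names, and counting misses per address rather than per connection are assumptions made for the example.

```php
<?php
// Added example: user_table, user_email and validated follow the thread;
// everything else (schema, helper names, SQLite via PDO) is assumed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// code_hash holds SHA-256 of the mailed code, so a database leak does not
// hand out working activation links. UNIQUE keeps every pending code distinct.
$db->exec('CREATE TABLE user_table (
    user_id INTEGER PRIMARY KEY,
    user_email TEXT UNIQUE NOT NULL,
    code_hash TEXT UNIQUE,
    validated INTEGER NOT NULL DEFAULT 0,
    failed_attempts INTEGER NOT NULL DEFAULT 0)');

// Registration: create an unguessable code, store its hash, build the link.
function register(PDO $db, string $email): string {
    $code = bin2hex(random_bytes(16));   // 128 bits from the system CSPRNG
    $stmt = $db->prepare('INSERT INTO user_table (user_email, code_hash) VALUES (?, ?)');
    $stmt->execute([$email, hash('sha256', $code)]);
    return 'http://www.example.com/validate.php?' .
        http_build_query(['email' => $email, 'code' => $code]);
}

// validate.php logic: email AND code must match the same unvalidated row.
function validate(PDO $db, string $email, string $code, int $maxFails = 3): bool {
    $stmt = $db->prepare('UPDATE user_table
        SET validated = 1, code_hash = NULL
        WHERE user_email = ? AND code_hash = ?
          AND validated = 0 AND failed_attempts < ?');
    $stmt->execute([$email, hash('sha256', $code), $maxFails]);
    if ($stmt->rowCount() === 1) {
        return true;                     // hash cleared above, so the code is single-use
    }
    // Record the miss against the address named in the request.
    $db->prepare('UPDATE user_table SET failed_attempts = failed_attempts + 1
        WHERE user_email = ? AND validated = 0')->execute([$email]);
    return false;
}

// Constructed sample run: a wrong code, a wrong address, the real link, a replay.
$link = register($db, 'bert@example.com');
parse_str(parse_url($link, PHP_URL_QUERY), $q);
var_dump(validate($db, 'bert@example.com', 'wrong-guess'));
var_dump(validate($db, 'other@example.com', $q['code']));
var_dump(validate($db, $q['email'], $q['code']));
var_dump(validate($db, $q['email'], $q['code']));
```

Only the third call succeeds. Because the lookup and the update are one statement, two simultaneous requests with the same link cannot both validate the account.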