Posted by Pedro Graca on 01/20/06 03:17
Justin Koivisto wrote:
> Pedro Graca wrote:
>> After the registration data is saved to the database, send them a link
>> to a validate.php script
>>
>> http://www.example.com/validate.php?code=78Jh5qM0
>>
>> The code in the link could be random and saved to the database.
>> When, later, the user accesses the script, you search the database for the
>> code and update the record indicating that this particular user has
>> validated.
>>
>> $sql = "update user_table set validated=1 where code='{$_GET['code']}'";
>
> For some reason, basing something like this with just a single
> credential to the database makes me squirmish. I personally would
> validate by asking for their email (whether it's in the URL or
> what-have-you) and issue a query like this:
>
> select user_id from user_table where user_email = '$escaped_username'
> and code = '$escaped_code'
>
> If no results were returned, then either the code doesn't match with the
> email, and therefore isn't really an account validation after all...

In real life I'd have a different table with the validation codes. This
table would also have a datetime for the limit of the validation code
(eg one week after sending the email) and the specific record would be
deleted when no longer needed.

I'd probably also make the 'validated' column a 'status' column, linking
to a status table (Pending, Validated, OnVacation, Deleted, ...)

Well ... there are always lots of ways to complicate what begins as a
simple task :)

--
If you're posting through Google read <http://cfaj.freeshell.org/google>
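
The design discussed in this thread (a separate table of validation codes with an expiry, a status column, and a lookup on both email and code), as an added example that is not code from either poster. It binds the code as a query parameter instead of interpolating `$_GET['code']`, and assumes PHP 7+ with the pdo_sqlite extension; `validation_codes`, `expires_at`, `issue_code` and `validate_account` are hypothetical names, and the status is kept as a text column rather than a linked status table.

```php
<?php
// Added example: schema and function names are assumptions, not from the thread.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE user_table (user_id INTEGER PRIMARY KEY,
           user_email TEXT UNIQUE, status TEXT NOT NULL DEFAULT 'Pending')");
$db->exec("CREATE TABLE validation_codes (code TEXT PRIMARY KEY,
           user_id INTEGER NOT NULL, expires_at INTEGER NOT NULL)");

// Store an unguessable code with its time limit (default: one week).
function issue_code(PDO $db, int $userId, int $now, int $ttl = 604800): string {
    $code = bin2hex(random_bytes(16)); // CSPRNG, 128 bits
    $db->prepare('INSERT INTO validation_codes (code, user_id, expires_at) VALUES (?, ?, ?)')
       ->execute([$code, $userId, $now + $ttl]);
    return $code;
}

// Validate only when the code is unexpired AND belongs to the given email.
function validate_account(PDO $db, string $email, string $code, int $now): bool {
    $db->beginTransaction();
    // Expired records are deleted as soon as they are no longer needed.
    $db->prepare('DELETE FROM validation_codes WHERE expires_at < ?')->execute([$now]);
    $q = $db->prepare('SELECT v.user_id FROM validation_codes v
                       JOIN user_table u ON u.user_id = v.user_id
                       WHERE v.code = ? AND u.user_email = ?');
    $q->execute([$code, $email]); // bound parameters, no string interpolation
    $userId = $q->fetchColumn();
    $ok = ($userId !== false);
    if ($ok) {
        $db->prepare("UPDATE user_table SET status = 'Validated'
                      WHERE user_id = ? AND status = 'Pending'")->execute([$userId]);
        // Single use: the record is removed once it has served its purpose.
        $db->prepare('DELETE FROM validation_codes WHERE code = ?')->execute([$code]);
    }
    $db->commit();
    return $ok;
}

// Constructed sample data.
$now = time();
$db->prepare('INSERT INTO user_table (user_email) VALUES (?)')->execute(['alice@example.com']);
$alice = (int) $db->lastInsertId();
$code = issue_code($db, $alice, $now);

var_dump(validate_account($db, 'mallory@example.com', $code, $now)); // code paired with the wrong email
var_dump(validate_account($db, 'alice@example.com', $code, $now));   // matching email and code
var_dump(validate_account($db, 'alice@example.com', $code, $now));   // same link used a second time
$late = issue_code($db, $alice, $now);
var_dump(validate_account($db, 'alice@example.com', $late, $now + 8 * 86400)); // used after the time limit
```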