Mail sent to user and verify in MySQL but... SPOOFING

[Mr_J]

Hi all,

I have a mail form.

It works and all but what I want to do is:

You complete the form, a verification mail is sent to the user mail which include a link to verify the mail(user)

so far so good.

How can I go about  to either make a button/link that will only then pulls the processor.php which sends the mail to me?

i.o.w, after you verified the mail, followed the link, submit to webmaster/receiver

I have 1 file, called form.php for the form details etc.

Then another, verify.php which sends the mail to the user for verification.

The link provided have an unique activation key (compared in MySQL DB)

 

File 1: FORM.PHP

<html>
<body>
  <form action="verify.php" method="post" name="register">
    Username: <input type="text" name="username" />
   
    Email: <input type="text" name="email" />
    <input type="hidden" name="form_submitted" value="1" />
  <input type="submit" />
  </form>
</body>

</html>

File 2: VERIFY.PHP

<?php
mysql_connect("localhost", username, "PASSWSORD") or die(mysql_error());

mysql_select_db("db_NAME") or die(mysql_error());

if ($_POST['form_submitted'] == '1') {


$activationKey =  mt_rand() . mt_rand() . mt_rand() . mt_rand() . mt_rand();
$username = mysql_real_escape_string($_POST[username]);


$email = mysql_real_escape_string($_POST[email]);

$sql="INSERT INTO users (username,  email, activationkey, status) VALUES ('$username', '$email', '$activationKey', 'verify')";

if (!mysql_query($sql))

  {

  die('Error: ' . mysql_error());

  }

echo "An email has been sent to $_POST[email] with an activation key.
Please check your mail and click on the link provided. We apologise for any inconvenience.";

##Send activation Email

$to      = $_POST[email];

$subject = " Contact Us SPAM FREE";

$message = "Welcome to our website!\r\r You, or someone using your email address, has completed the mailForm on http://www.domain.com
You can complete by clicking the following link:\rhttp://www.simplyhealth.co.za/db/verify.php?$activationKey\r\rIf this is an error, ignore this email.\r\r Greetings";

$headers = 'From: [email protected]' . "\r\n" .

    'Reply-To: [email protected]' . "\r\n" .

    'X-Mailer: PHP/' . phpversion();

mail($to, $subject, $message, $headers);

} else {

##User isn't registering, check verify code and change activation code to null, status to activated on success

$queryString = $_SERVER['QUERY_STRING'];

$query = "SELECT * FROM users"; 

$result = mysql_query($query) or die(mysql_error());

  while($row = mysql_fetch_array($result)){

    if ($queryString == $row["activationkey"]){

       echo "Thank you" . $row["username"] . " Please click the button at the bottom of page to continue.";

       $sql="UPDATE users SET activationkey = '', status='activated' WHERE (id = $row[id])";

       if (!mysql_query($sql))

  {

        die('Error: ' . mysql_error());

  }

    }

  }

}
?>
<html>
<head></head>
<body>
<form method="post">
<input type="button" value="Send" onclick="processor.php">
</form>

The last bit display on the same page where I ask to check the mail to verify...

 

Maybe it will be better to redirect the user after 10 sec or so to another page which will include the processor??

Any help please....