How do you make a hyperlink user-readable?


doubledee

My PHP is generating an Activation Link in the body of an e-mail.

 

It is not readable or pretty.

 

How can I keep the link pointing to the same place, but make the link friendly.

 

Sorta like how a lot of forums let you do.

 

Thanks,

 

 

Debbie

 

 

Link to comment
Share on other sites

You'll need to send a HTML email instead of plain text. Use a normal <a> tag for the link with the desired anchor text like so:

 


<a href="http://activation.com/example.php?383893383893993839">Click here to activate</a>

 

Will I have any usability issues if I have to make it an "HTML email"?

 

For instance, what would happen if someone has their e-mail set up to only receive and display e-mails as Text-Only?

 

Or if someone was on a mobile device?

 

I don't need a fancy HTML e-mail, but like your example, I would prefer "Click here to activate your account" versus some long, ugly link that might make people suspicious?!

 

Thanks,

 

 

Debbie

 

 

Link to comment
Share on other sites

If you have users declared as 'Text Only' then you may have to send those users the ugly link. What do you define as 'Text Only' though? Most people select 'Text Only' when registering, to avoid images and banners in the emails, they probably won't care about a single <a> tag in there.

 

Yes you could have usability problems if a user's email client does not recognise HTML for any reason (or is disabled). Any modern mobile device will happily show HTML emails.

 

Unfortunately there is no other way of putting a link in an email where the text is different from the destination.

 

What does your activation link look like? You might find that you can reduce the complexity and length by improving the activation system.

Link to comment
Share on other sites

If you have users declared as 'Text Only' then you may have to send those users the ugly link. What do you define as 'Text Only' though? Most people select 'Text Only' when registering, to avoid images and banners in the emails, they probably won't care about a single <a> tag in there.

 

I am using my Gmail account during development, I am seeing this...

 

Thank you for creating a new account.

 

To activate your account, please click on the link below:

 

<a href="h t t p://TheRestOfMyURLHere ">Activate my Account</a>

 

which means that in my Gmail account, Google is displaying the e-mail as text-only because I'm not seeing a "pretty" URL like the HTML above should yield.

 

 

 

Yes you could have usability problems if a user's email client does not recognise HTML for any reason (or is disabled). Any modern mobile device will happily show HTML emails.

 

That would be my Gmail apparently?!

 

 

Unfortunately there is no other way of putting a link in an email where the text is different from the destination.

 

What does your activation link look like? You might find that you can reduce the complexity and length by improving the activation system.

 

What do you mean?

 

 

 

Debbie

 

 

Link to comment
Share on other sites

I'm guessing you haven't set the content type header to say it's a HTML email which will be why GMail is showing you the HTML rather than rendering it. GMail can handle HTML no problem, unless you have specifically disabled this in your GMail settings.

 

    $headers = "Content-type: text/html\r\n"; 

 

What I mean about the link is, if your link is overcomplicated then see what you can do to reduce the length/complexity. Generally it should only need the unique activation ID.

Link to comment
Share on other sites

I'm guessing you haven't set the content type header to say it's a HTML email which will be why GMail is showing you the HTML rather than rendering it. GMail can handle HTML no problem, unless you have specifically disabled this in your GMail settings.

 

How do I change my Gmail so it is "Text-only" or "HTML" or whatever?

 

(I looked all over and can't find how to set it like I can in other e-mail apps.)

 

 

    $headers = "Content-type: text/html\r\n"; 

 

I don't understand this code?!

 

Where do I put that?

 

Do I just use it as-is?

 

Does that mean I need to use Output Buffering now?!  :o

 

 

What I mean about the link is, if your link is overcomplicated then see what you can do to reduce the length/complexity. Generally it should only need the unique activation ID.

 

Well, I'm following code from a book.

 

The activation link uses the visitor's Email and a system generated Activation Code to "activate" an account.

 

A typical URL might look like...

 

http://www.MyWebsite.com/activate.php?x=debbies_email%40yahoo.com&y=f5c4b37e819a2f4b49d73b4c41dda48b

 

How do you generate an Activation Link?

 

(Once a visitor registers, I send them an e-mail which has a link like above in the body of the e-mail.  When they click on the link, it takes them to my "activate.php" page which checks if the E-mail and Activation Code are set and look reasonable and then if it finds a record that matches in the database, it Nulls out the Activation Code which denotes the person is now a Member.

 

When the visitor clicks on the e-mail link, their Email and the Activation Code are technically being sent over the Internet in plain-text...)

 

 

 

Debbie

 

 

Link to comment
Share on other sites

$headers = "Content-type: text/html\r\n";

 

I don't understand this code?!

 

Where do I put that?

 

Do I just use it as-is?

 

Does that mean I need to use Output Buffering now?! 

If you can't understand this code, how are you sending the activation email?

Link to comment
Share on other sites

$headers = "Content-type: text/html\r\n";

 

I don't understand this code?!

 

Where do I put that?

 

Do I just use it as-is?

 

Does that mean I need to use Output Buffering now?! 

If you can't understand this code, how are you sending the activation email?

 

I don't know what you mean...  :shrug:

 

My code looks like this...

// Create e-mail body text.
$body = "Thank you for creating a new account.\n\nTo activate your account, please click on the link below:\n\n";
$body .= '<a href="' . WEB_ROOT . 'activate.php?x=' . urlencode($email) . '&y=' . $activationCode . '">Activate my Account</a>';

// Create e-mail.
mail($trimmed['email'], 'Member Account needs activation', $body, 'From: admin@MyWebsite.com <admin@MyWebsite.com>');

 

 

Debbie

 

 

Link to comment
Share on other sites

The proper email compliant way of sending an html version of an email is to use mime encoding and send the html part as an attachment.  It's a complicated process, and it's hard to do well without a thorough understanding of how multipart mime attachments work.

 

For a simple link I would not suggest that. 

 

Just about every email client out there will find links and "linkify them" based on the inclusion of the http:// in the string.

 

My advice is to just use a normal text email --- this is the safest and most standard way of doing it, and works with every mail client.  Due to the many issues possible with html emails, many clients turn off features of html or disable them entirely, as old school as that sounds, but that is just the state of things these days given the proliferation of spam, tracking pixels, and all the html borne malware and viruses that target unsophisticated people.

 

Just provide your link without any markup:  http://www.yoursite.com/activate.php ...etc.

 

Do NOT add the anchor tag markup around it.

 

 

 

You have to realize that how the email is handled in final presentation is 100% out of your control. 

 

 

 

 

Link to comment
Share on other sites
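For readers who still want the readable link, this is the multipart/alternative structure the post above refers to, as an added example that is not part of any post in the thread. The function name, the example.com addresses and the sample code value are assumptions; the plain-text part carries the bare URL for text-only clients, and the HTML part also shows the URL so the destination stays visible.

```php
<?php
// Added example: function name, addresses and URL are assumptions.
function buildActivationMail(string $activationUrl): array
{
    // Accept only a single-line https:// URL without markup characters.
    if (!preg_match('#\Ahttps://[^\s<>"]+\z#', $activationUrl)) {
        throw new InvalidArgumentException('activation URL must be an https:// URL');
    }
    $boundary = 'alt_' . bin2hex(random_bytes(12));

    // Plain-text part: the bare URL, which clients turn into a link themselves.
    $text = "Thank you for creating a new account.\r\n\r\n"
          . "To activate your account, please open the link below:\r\n\r\n"
          . $activationUrl . "\r\n";

    // HTML part: escape the URL for the attribute and repeat it as visible
    // text, so the reader can see where the link leads.
    $safe = htmlspecialchars($activationUrl, ENT_QUOTES, 'UTF-8');
    $html = "<p>Thank you for creating a new account.</p>\r\n"
          . "<p><a href=\"$safe\">Activate my Account</a></p>\r\n"
          . "<p>If the link does not work, copy this address: $safe</p>\r\n";

    $headers = "From: admin@example.com\r\n"
             . "MIME-Version: 1.0\r\n"
             . "Content-Type: multipart/alternative; boundary=\"$boundary\"";

    // Least-preferred part first; clients display the last part they support.
    $body = "--$boundary\r\n"
          . "Content-Type: text/plain; charset=UTF-8\r\n"
          . "Content-Transfer-Encoding: 8bit\r\n\r\n"
          . $text
          . "--$boundary\r\n"
          . "Content-Type: text/html; charset=UTF-8\r\n"
          . "Content-Transfer-Encoding: 8bit\r\n\r\n"
          . $html
          . "--$boundary--\r\n";

    return ['headers' => $headers, 'body' => $body];
}

// Constructed sample URL; print the message instead of sending it.
$mail = buildActivationMail('https://www.example.com/activate.php?code=0123456789abcdef0123456789abcdef');
echo $mail['headers'], "\r\n\r\n", $mail['body'];
// To send: mail($to, 'Member Account needs activation', $mail['body'], $mail['headers']);
```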

Do NOT add the anchor tag markup around it.

 

You have to realize that how the email is handled in final presentation is 100% out of your control.

 

Fair enough.

 

But what about my second question above...

 

Well, I'm following code from a book.

 

The activation link uses the visitor's Email and a system generated Activation Code to "activate" an account.

 

A typical URL might look like...

 

 

h t t p://w w w.MyWebsite.com/activate.php?x=debbies_email%40yahoo.com&y=f5c4b37e819a2f4b49d73b4c41dda48b

 

 

How do you generate an Activation Link?

 

(Once a visitor registers, I send them an e-mail which has a link like above in the body of the e-mail.  When they click on the link, it takes them to my "activate.php" page which checks if the E-mail and Activation Code are set and look reasonable and then if it finds a record that matches in the database, it Nulls out the Activation Code which denotes the person is now a Member.

 

When the visitor clicks on the e-mail link, their Email and the Activation Code are technically being sent over the Internet in plain-text...)

 

 

 

Debbie

 

P.S.  Part of this question is concerned with security.

 

 

 

Link to comment
Share on other sites

The answer to that is to use https: if you don't want that plaintext going over the internet. 

 

In the realm of security concerns an activation isn't a major one, as long as you handle it correctly.  Here's my advice FWIW:

 

-Rather than null or blanking an activation column, I think it's better to have a status column in the table, where you do something like:

0 - Banned

1 - Pending

2 - Active

 

Someone who just registered would be at status 1.  A status 1 user can only do one thing -  activate.  This is useful because you can allow a limited login that simply takes them to the activation page.

 

- I don't see why you need to pass the email as a parameter, when you can simply pass the activation code.  That code should uniquely identify someone since you're storing it in their user row.

- Time limit the activation.  Have a datetime or timestamp column you put in the user row when registration occurs.  Use that to time limit an activation to some reasonable amount of time (24-48 hours).

- If someone activates, change their status.  When someone is already active there is no need to ever honor a reactivation, so your script can safely ignore a replay.

 

 

 

 

Link to comment
Share on other sites

The answer to that is to use https: if you don't want that plaintext going over the internet. 

 

In the realm of security concerns an activation isn't a major one, as long as you handle it correctly.  Here's my advice FWIW:

 

-Rather than null or blanking an activation column, I think it's better to have a status column in the table, where you do something like:

0 - Banned

1 - Pending

2 - Active

 

Someone who just registered would be at status 1.  A status 1 user can only do one thing -  activate.  This is useful because you can allow a limited login that simply takes them to the activation page.

 

- I don't see why you need to pass the email as a parameter, when you can simply pass the activation code.  That code should uniquely identify someone since you're storing it in their user row.

 

Well, here is the code I'm using...

 

// Check Email Availability.
if (mysqli_stmt_num_rows($stmt)==0){
// Email available.

// Create Activation Code.
$activationCode = md5(uniqid(rand(), true));

// Create a new Member Account.

// Build query.
$q = "INSERT INTO member(email, pass, first_name, activation_code, created_on)
		VALUES(?, ?, ?, ?, NOW())";

 

Will that code ensure that the Activation Code is *always* unique?  (Maybe that is why the author uses Email + Activation Code?)

 

 

- Time limit the activation.  Have a datetime or timestamp column you put in the user row when registration occurs.  Use that to time limit an activation to some reasonable amount of time (24-48 hours).

- If someone activates, change their status.  When someone is already active there is no need to ever honor a reactivation, so your script can safely ignore a replay.

 

Good ideas.

 

 

Debbie

 

Link to comment
Share on other sites

Yes the $activationCode will be unique, because it's based on http://www.php.net/uniqid.  The md5() is just a little extra obfuscation in this case, but it makes the prospect of someone guessing a working signup to be minuscule.  However what you could do to make it even more unique would be this:

 

$activationCode = md5($email . uniqid(rand(), true));

 

I think that is what the original author was in essence trying to accomplish, but it's better to just add the email connection into the authorization id by adding it as additional input to the md5() hash.

 

 

 

For the purposes of making the database lookup fast, you should have an index on that column of the member table as well. 

 

I'm not sure why the original author included email, but it's very unusual, and in terms of security, it makes this less secure, because you are disclosing the original user's signup email in the link, and there's no benefit to that.  I'm sure you've done plenty of activations for accounts you use, and if you look at them, I think you'll find that the inclusion of an email parameter is highly unusual.

 

 

Link to comment
Share on other sites
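The advice in the two posts above (status column, code-only link, time limit, ignored replay) can be combined as follows; this is an added example, not code from the thread or from the book it mentions. The table layout, function names and example.com addresses are assumptions, it needs the pdo_sqlite extension, and it deliberately uses random_bytes() in place of md5(uniqid(rand(), true)), because the PHP manual states that uniqid() must not be used for cryptographic purposes.

```php
<?php
// Added example; the table layout and function names are assumptions.
const STATUS_BANNED = 0, STATUS_PENDING = 1, STATUS_ACTIVE = 2;

function createPendingMember(PDO $db, string $email): string
{
    $token = bin2hex(random_bytes(16)); // 128 bits from the OS CSPRNG
    $stmt = $db->prepare(
        'INSERT INTO member (email, status, token_hash, created_on) VALUES (?, ?, ?, ?)'
    );
    // Store only a hash so a leaked table does not yield usable links.
    $stmt->execute([$email, STATUS_PENDING, hash('sha256', $token), time()]);
    return $token; // appears only in the e-mailed link
}

function activate(PDO $db, string $token, int $ttl = 172800): bool // 48 hours
{
    if (!preg_match('/\A[0-9a-f]{32}\z/', $token)) {
        return false; // malformed input is rejected before any query
    }
    // One conditional UPDATE: only a pending, unexpired row can change,
    // so a replayed or stale code matches zero rows.
    $stmt = $db->prepare(
        'UPDATE member SET status = ?, token_hash = NULL
          WHERE token_hash = ? AND status = ? AND created_on >= ?'
    );
    $stmt->execute([STATUS_ACTIVE, hash('sha256', $token), STATUS_PENDING, time() - $ttl]);
    return $stmt->rowCount() === 1;
}

// Constructed demo on an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE member (
    id INTEGER PRIMARY KEY, email TEXT UNIQUE NOT NULL, status INTEGER NOT NULL,
    token_hash TEXT UNIQUE, created_on INTEGER NOT NULL)');

$token = createPendingMember($db, 'debbie@example.com');
echo 'https://www.example.com/activate.php?code=' . $token, "\n";
var_dump(activate($db, 'not-a-token')); // malformed code
var_dump(activate($db, $token));        // first use of a valid code
var_dump(activate($db, $token));        // replay of the same code

$old = createPendingMember($db, 'late@example.com');
$db->exec('UPDATE member SET created_on = created_on - 200000'); // age all rows
var_dump(activate($db, $old));          // code older than the 48-hour limit
```

The UNIQUE constraint on token_hash also provides the index the post above recommends for the lookup column.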

Yes the $activationCode will be unique, because it's based on http://www.php.net/uniqid.  The md5() is just a little extra obfuscation in this case, but it makes the prospect of someone guessing a working signup to be minuscule.  However what you could do to make it even more unique would be this:

 

$activationCode = md5($email . uniqid(rand(), true));

 

I think that is what the original author was in essence trying to accomplish, but it's better to just add the email connection into the authorization id by adding it as additional input to the md5() hash.

 

 

For the purposes of making the database lookup fast, you should have an index on that column of the member table as well. 

 

I'm not sure why the original author included email, but it's very unusual, and in terms of security, it makes this less secure, because you are disclosing the original user's signup email in the link, and there's no benefit to that.  I'm sure you've done plenty of activations for accounts you use, and if you look at them, I think you'll find that the inclusion of an email parameter is highly unusual.

 

But you are still saying that it is okay to include the e-mail in the MD5 hash for uniqueness, right?

 

Yes, this author does a good job of explaining some things, but he also takes some really strange approaches to things - thus why I do lots of sense-checks here!!

 

Thanks,

 

 

Debbie

 

 

Link to comment
Share on other sites

There really isn't much of a problem with the md5() of the uniqid, other than the possibility that someone, who knew what you were doing, could try and generate an activation code that might match some random person.  With the email added as extra input to the md5() that just eliminates the possibility of that happening.  I think the original author probably combined them because you could guess an email address of a pending user, or generate an auth code, but generating the auth code for the exact user is next to nil.  Adding the email as input to the md5 essentially does the same thing.  This is why when people generate md5 or sha1 hashes for passwords the recommendation is to add a "salt" in, which is extra input to the hash function.

Link to comment
Share on other sites

There really isn't much of a problem with the md5() of the uniqid, other than the possibility that someone, who knew what you were doing, could try and generate an activation code that might match some random person.  With the email added as extra input to the md5() that just eliminates the possibility of that happening.  I think the original author probably combined them because you could guess an email address of a pending user, or generate an auth code, but generating the auth code for the exact user is next to nil.  Adding the email as input to the md5 essentially does the same thing.  This is why when people generate md5 or sha1 hashes for passwords the recommendation is to add a "salt" in, which is extra input to the hash function.

 

Okay, thanks for the comments.

 

Very informative!!

 

 

Debbie

 

 

Link to comment
Share on other sites

In cases like this I often do a little test script:

 


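// The loop bound was lost from the original post; 10 is a stand-in.
for ($x = 1; $x <= 10; $x++) {
  $input = rand();              // random prefix for uniqid()
  $uniq = uniqid($input, true); // true adds extra entropy to the id
  echo "$x. [$input] ($uniq):" . md5($uniq) . "\n";
}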

 

Run it a few times and I'm sure you'll see that even with the md5() of uniqid by itself, based on rand(), there is really very little reason to be concerned about a duplicate code.  Adding the email addy is icing on the cake, but I'd still do it myself personally.

Link to comment
Share on other sites
