justlukeyou Posted November 14, 2012

Hi,

I have spent the last few months creating a membership script. It now appears to be coming together; however, there is one aspect which I am unsure how to proceed with, which I am hoping someone will be able to advise on.

When someone adds their email address they receive an email confirmation. However, I am unsure how to pass on to the DB that the account has been created. I am planning to add a link to the email which, when clicked, inserts the letter Y (Yes) into a column for 'Activated'. Alternatively, I am considering trying to insert a matching number as a safer system; however, this sounds quite complex in comparison to inserting a simple Y.

When someone attempts to log in I will read if the Y is inserted and then log the user in. If the Y is not inserted I will ask them to re-submit their email address.

Does anyone have any views on the safe method of authenticating a user registration?

MDCode Posted November 14, 2012

There is no security risk in clicking a link in their email. The way you have it would work well, but set it to an int or enum for better organization: if not registered put a 0, and when the link is clicked set it to 1.

justlukeyou Posted November 14, 2012 Author

Thanks, using 0 then 1 sounds more complete than just Y.

Is it possible to add the POST function to an email so the POST function inserts the 1 into the cell? Is it best to do it like that?

MDCode Posted November 15, 2012

If you mean if you can post some information into an email, then yes. When the link is clicked, get the code from the URL and match it towards which account has which link, and update said user.

Andy-H Posted November 15, 2012 (edited)

When you create the user:

```php
// add user to database
// "INSERT INTO users ( id, username, ..., activated ) VALUES ( NULL, ..., 0 )";

// generate an identifiable hash
// from some include file (without the comment (/* ... */))
/*
function getActivationId($username) {
    return md5($username . 's0m3r4nd0m54lt');
}
*/
// the query parameter is named "username" so it matches what activate.php reads
$link = 'http://'. $_SERVER['SERVER_NAME'] .'/activate.php?username='. urlencode($username) .'&activation_id='. getActivationId($username);
// send link in email

// activate.php
// check both parameters exist, then compare strictly (=== avoids PHP's loose-comparison type juggling)
if ( isset($_GET['username'], $_GET['activation_id']) && $_GET['activation_id'] === getActivationId($_GET['username']) ) {
    // query "UPDATE users SET activated = 1 WHERE username = :username"
} else {
    echo 'Incorrect activation ID';
}
```

Edited November 15, 2012 by Andy-H

justlukeyou Posted November 17, 2012 Author

Many thanks,

I've had a go at this but I'm finding it quite complicated. This part, "getActivationId", creates an error as soon as it is read. Should it be the first item within the PHP brackets?

I also haven't used this ":" before, within the "WHERE username = :username".

jcbones Posted November 17, 2012

That was an example, and he even posted the example function, although commented out. If that is a direct copy/paste you are doing, it will not work.

justlukeyou Posted November 19, 2012 Author

Hi,

This is what I have so far. I can't get the link to work to begin with, which is odd. Do links in emails work differently?

```php
if(!$errors){
    $query = "INSERT INTO users (firstname, surname, email, password, date_registered) VALUES ('" . $firstname . "', '" . $surname . "', '" . mysql_real_escape_string($registerEmail) . "', MD5('" . mysql_real_escape_string($registerPassword) . "'), NOW())";
    $result = mysql_query($query) or die(mysql_error()); // remove the or die(mysql_error()) code after you resolve the error
    if($result){
        $success['register'] = 'Thank you for registering. You will soon receive a confirmation email. Please click the confirmation link.';
        $message = '
<html>
<body>
<a href="www.test.com/test/activation.php?userid=Y">Click Here</a> to activate your account.
</body>
</html>
';
        mail(mysql_real_escape_string($registerEmail), '.com Confirmation', $message, 'From: info@all.com' . "\r\n".'MIME-Version: 1.0' . "\r\n".'Content-type: text/html; charset=iso-8859-1' . "\r\n");
    }else{
        $errors['register'] = 'There was a problem registering you. Please check your details and try again.';
    }
}
}
```

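The activation flow discussed in this thread, as an added example that is not code from any poster: it swaps the `md5($username . salt)` ID for a random single-use token stored as a hash, uses the `:name` placeholders asked about above through PDO prepared statements, and builds an absolute `https://` link (an `href` without a scheme, as in the post above, is treated as a relative URL). The table layout, the function names `registerUser` and `activateUser`, the 24-hour expiry and the `example.com` host are assumptions, and an in-memory SQLite database stands in for MySQL so the block runs offline.

```php
<?php
// Added example: the schema, function names and example.com are assumptions.
$pdo = new PDO('sqlite::memory:');   // in-memory DB so the example runs offline
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE, password_hash TEXT,
    activated INTEGER NOT NULL DEFAULT 0, token_hash TEXT, token_expires INTEGER)');

// Registration: keep only a hash of the random token; return the link to email.
function registerUser(PDO $pdo, string $email, string $password): string
{
    $token = bin2hex(random_bytes(32));   // unguessable, not derived from user data
    $stmt = $pdo->prepare('INSERT INTO users (email, password_hash, token_hash, token_expires)
                           VALUES (:email, :pw, :th, :exp)');
    $stmt->execute([
        ':email' => $email,
        ':pw'    => password_hash($password, PASSWORD_DEFAULT),
        ':th'    => hash('sha256', $token),
        ':exp'   => time() + 86400,       // link valid for 24 hours
    ]);
    // Absolute URL with a scheme; http_build_query URL-encodes the values.
    return 'https://example.com/activation.php?'
        . http_build_query(['id' => $pdo->lastInsertId(), 'token' => $token]);
}

// activation.php logic: named placeholders keep request data out of the SQL text.
function activateUser(PDO $pdo, array $get): bool
{
    if (!isset($get['id'], $get['token']) || !is_string($get['id']) || !is_string($get['token'])) {
        return false;
    }
    $stmt = $pdo->prepare('SELECT token_hash, token_expires FROM users
                           WHERE id = :id AND activated = 0');
    $stmt->execute([':id' => $get['id']]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || $row['token_hash'] === null || time() > (int) $row['token_expires']
        || !hash_equals($row['token_hash'], hash('sha256', $get['token']))) {
        return false;                     // unknown id, expired, or wrong token
    }
    // Single use: clear the token while setting the flag.
    $upd = $pdo->prepare('UPDATE users SET activated = 1, token_hash = NULL WHERE id = :id');
    return $upd->execute([':id' => $get['id']]);
}

// Constructed sample run: a guessed token, the real link, then the same link replayed.
$link = registerUser($pdo, 'alice@example.com', 'correct horse battery staple');
parse_str(parse_url($link, PHP_URL_QUERY), $query);
var_dump(activateUser($pdo, ['id' => $query['id'], 'token' => 'guess']));
var_dump(activateUser($pdo, $query));
var_dump(activateUser($pdo, $query));
```

The login check then only needs to read the `activated` column; the token never has to be compared again after it has been cleared.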