
Need to verify email address via activation link


simcoweb


I'm creating a similar classifieds system to CraigsList.org. When posting an ad, unlike other classifieds systems, they do not require you to register. Instead they verify/validate your email address by sending an 'activation' or 'verification' link to the email address you've entered into the ad posting form. Upon receipt of the email the person clicks on the link and it returns them to the site with a 'success' page and final step in posting the ad.

 

I've read up on some activation tutorials but most apply to registering new members for a site and not just specific to validating the email address as real. I don't need usernames, passwords, etc. Just the email verified.

 

The obvious and most popular method is to use a timestamp, attach it to a url and email it to the person with the url having a link back to the validation script and attaching the timestamp to it, pluck it with a $_GET and compare it to the user_id or similar field.

 

Any help or guidance on the right way to do this would be marvelous. I'm not 100% on how to get the timestamp set and if it needs to have any specific encryption or other manipulation to avoid malicious hacks.

 

A 2nd part to this is, during the steps of creating the ad there's a 'pause' in the process for this validation. What I'm assuming is the best approach here is the following:

 

1. person completes the form and submits

2. the validation email is sent to person AND the ad is inserted into the database while a page displays the message about the email sent and what they need to do

3. the person validates the email by clicking on the link which then changes the ad 'status' to 'on' ( or, a 1 instead of default 0)

4. the person clicks the final OK button to submit the ad and update status (this step could be eliminated and done in step 3 perhaps)

 

Anyone have a better plan or experience with this they can share?

Link to comment
Share on other sites

seems like you have the general ideas down... start writing some code and post back if you run into trouble... or offer up some $ maybe to a freelancer...

 

Will the user have to click the link for every post they make? I would suggest having them create accounts so they would only have to confirm their account 1 time. I have a site that does something like this and I just used a simple little function that creates 30 random letters/numbers and used that for the code in the link that gets sent.

Link to comment
Share on other sites

That's the general idea. When they click the link just use 1 php script to check the id of that particular user in the database, when it matches that user then update the status to 1 or on. Use the md5() to encrypt the username then store the user name and the md5() of whatever you choose then use the $_GET function to compare what's in the URL to what is in the database. Hopefully this isn't too confusing.

 

this would be the code when they register to input their info and their unique 32 bit encrypted info that you set inside md5() to later use in the URL that is sent to their email address

 

$user = "example"; // Get their user name from the register form or whatever you use

$name = md5($user); // generates 32 letters and numbers encrypting the info

 

the URL that is sent to their email address

 

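$url = "http://www.yoursite.com/activate.php?action=$name";

// variables are only interpolated inside double quotes, so $emailaddress is passed bare and the body is double-quoted
mail($emailaddress, 'Subject', "Your email would go here then the $url so they can click it to activate");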

 


if (isset($_GET['action'])) {

    // getting the 32 bit encryption from the URL and setting it to a variable
    // escape the value before it is used in the queries below
    $activate = mysql_real_escape_string($_GET['action']);

    $sql = mysql_query("SELECT status FROM users WHERE user_id = '$activate'");
    $row = mysql_fetch_array($sql);

    mysql_query("UPDATE users SET status = '1' WHERE user_id = '$activate'"); // or status = 'on'

}
else {

    echo "Your account has not been activated. Please click the link that was sent to your email address.";

}




Link to comment
Share on other sites

As I mentioned, there won't be any 'username' in this process since there's no registration and no future login required. Essentially it just validates the existence of their email address as a 'live' email to avoid some spam bomber. Also, in another function, it checks against that email address to make sure only one ad has been submitted using it. This keeps spammers from mass insertion unless, of course, they wish to validate each and every email address they want to use.

 

Perhaps we could adapt your example to work with just the timestamp as the identifying factor?

 

 

Link to comment
Share on other sites

Thanks for the post and suggestion. Instead of a timestamp I think I'm going to just use a random code like this:

 

// Random confirmation code

$confirm_code=md5(uniqid(rand()));

 

Which would then be appended to the confirmation link in the email and snagged like this:

 

http://www.yourweb.com/confirm.php?passkey=$confirm_code

 

$_GET['passkey'];

 

with a query that would check that against results and set the status to '1' or whatever.

 

Is there any reason why I should use the timestamp over the random code?

 

 

 

 

Link to comment
Share on other sites

No, not at all. In fact, a completely random code would be much, much better because there's no chance someone will figure out your algorithm. Especially doing nothing but md5ing the username would be horrible, if someone figured it out, you'd have a problem. I would say you have a perfectly solid idea, just start coding.

Link to comment
Share on other sites
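An added example, not code from any poster in this thread, covering both the pending-ad steps from the first post and the random confirmation code settled on in the later replies. It swaps md5(uniqid(rand())) for random_bytes(), stores only a SHA-256 hash of the code, expires it, and makes it single use; the ads table, its columns, the function names and the in-memory SQLite database are assumptions made so the script runs on its own.

```php
<?php
// Added example: hypothetical table and function names; in-memory SQLite so it runs offline.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE ads (
    id INTEGER PRIMARY KEY, email TEXT NOT NULL, body TEXT NOT NULL,
    status INTEGER NOT NULL DEFAULT 0, token_hash TEXT, expires_at INTEGER)');

// Steps 1-2: store the ad as pending (status 0) and return the code for the emailed link.
function createPendingAd(PDO $db, string $email, string $body, int $ttl = 86400): string
{
    $token = bin2hex(random_bytes(32));   // 256 bits from the OS CSPRNG, 64 hex characters
    $stmt = $db->prepare(
        'INSERT INTO ads (email, body, token_hash, expires_at) VALUES (?, ?, ?, ?)'
    );
    // Only a hash is stored, so a leaked table does not hand out working links.
    $stmt->execute([$email, $body, hash('sha256', $token), time() + $ttl]);
    return $token;
}

// Step 3: switch the ad on if the code matches a pending, unexpired row.
function confirmAd(PDO $db, string $token): bool
{
    if (!preg_match('/\A[0-9a-f]{64}\z/', $token)) {
        return false;                     // malformed input never reaches the database
    }
    // Bound parameters keep the value out of the SQL text; clearing token_hash
    // in the same statement makes the link single use.
    $stmt = $db->prepare(
        'UPDATE ads SET status = 1, token_hash = NULL
         WHERE token_hash = ? AND status = 0 AND expires_at >= ?'
    );
    $stmt->execute([hash('sha256', $token), time()]);
    return $stmt->rowCount() === 1;
}

// Constructed sample data.
$token = createPendingAd($db, 'poster@example.com', 'Bike for sale');
$link  = 'https://www.example.com/confirm.php?passkey=' . $token;

var_dump(confirmAd($db, 'not-a-token'));  // malformed code
var_dump(confirmAd($db, $token));         // valid code, first click
var_dump(confirmAd($db, $token));         // same link clicked again
```

In confirm.php the value read from $_GET['passkey'] would be passed to confirmAd() as a string, and the success page shown only when it returns true.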
