Help Verifying Data

[sintax63]

Hello PHP Freaks -

 

I am trying to solve a problem and hope someone can help me. I have a web site for an organization I belong to. I want to allow other members to create accounts where they can store their contact info (name, phone, address, etc). They would create a user name and password and could log in and update their info whenever needed... this should not be a problem for me to do.

 

MY QUESTION: I don't want just anyone who stumbles onto the web site to be able to create an account - only active members. After much thought, I came up with this idea; each member is issued a six digit membership number which I figured I could use to verify where or not they are authorized to create an account. I could dump all the membership numbers for the active members into a database table(?) and when a new account is created, the php verifies to see if the membership number the user entered is valid and then proceeds to create the account (and possibly deletes that number from the pool).

 

Kind of like a CAPTCHA but with predefined variables... does that make sense?

 

In any case, I would appreciate any help that you could give.

[btherl]

That sounds quite reasonable.  It's a low level of security, but that may be suitable for your organization.  Of course anyone who knows someone else's membership number can use it, but whether or not that happens depends on the organization, the type of people involved and on what you can actually do if you are able to login as someone else.

 

Are you looking mainly for input on your idea, or for details about implementation?

[sintax63]

Hello again -

 

Well I was looking for help on implementing this but if you have a better (more secure) way of accomplishing this task, I am open for suggestions (and implementation). The only other idea I could come up with was to forgo the whole verification process and just put an account signup form behind an .htaccess password protected area. The downside is that I will have to be constantly providing other people with the username / password to access this area.

 

Thanks for helping!

[siwelis]

I would probably put a field in the specific members profile, so that upon first login, they have to enter data to match that field, within their already created profile. Just keep track and if someone doesn't sign up within a given period of time, remove that user and just have a link stating "Request Unique Key" or something like that. Hope that helps.

 

Another way is to make a table full of those unique Key's and have a second column be 0/1 and if a unique key has been used, change it to 1 so that it can no longer be used. Maybe even have a key creation date so that you can go through  or run a script to remove old keys after a set expiration. And of course, a person would have to verify their key against this database to continue to the signup page. Once again, hope that helps!

[Wildbug]

Two words:  Secret handshake!!!

 

Or maybe your organization doesn't have one....

 

Seriously, though, do you have a member e-mail list already in place?  If so, you could insert these into the database, create a "skeleton" account for them, and e-mail them an invitation along with a long password that you generate to first access the account.  If you already have the e-mail list, this method is fairly labor-unintensive.  That's pretty similar to what you were suggesting.  It can all be done in an automated matter, too, including the invitation e-mails.

[sintax63]

Another way is to make a table full of those unique Key's and have a second column be 0/1 and if a unique key has been used, change it to 1 so that it can no longer be used. Maybe even have a key creation date so that you can go through  or run a script to remove old keys after a set expiration. And of course, a person would have to verify their key against this database to continue to the signup page. Once again, hope that helps!

 

Yes, this is what I was going after. Is there any way I can get some assistance in going about setting this up? I have the database all set up and ready to go, along with the login / logout forms, etc... I just don't know how to go about the verification process to the unique keys.

 

Wildbug - actually, my organization does.