在 PHP 中通过电子邮件验证用户

Question

I'm actually creating a web application using PHP and seek help verifying a user. As with certain websites, when you register, an e-mail is sent to you with a confirmation link. How do I implement that in PHP? All I know is that I have to use the PHP mail() function to send the e-mail. Please help. Necessary. Thanks. :)

Answer 1

Patricks answer is correct altough i want to point out that there are other possibilities!

You don't necessarily have to create and store a unique token in your database. This is data overhead that is only needed once.

You could also take advantage of one-way hashing.

For example send the user the code md5('my-secret-application-token'.$user_email_adress) .

You can validate that just the same way but dont need to store a secret code.

Answer 2

This is a very broad question, so we can only give a broad answer, but the general technique to do so is

1. insert the user's email address into your database but mark it as unverified
2. create a unique registration key and insert it into a different table just for these keys
3. send an email to the user's email address with a link to your site that passes this registration key as an argument (eg http://site.com/confirm.php?key=1234 )
4. when that url is visited, mark the email as verified and remove the temporarily created registration key

Answer 3

just like with CSRF protection you generate an unique token.

$token =  md5(uniqid(rand(), TRUE));

You store that value in your session for that email and when the user clicks link in email(you pass token via the query-string ) you compare the two values.

To make it more secure you could just as with CSRF add a time-limit.