how to send activation link to a registered user?

Question

I have already asked this before but I never seem getting how it works(I tried a lot but no success at all) could someone tell me how can I send a activation link to the users email address up on registration and don't allow the user until they activate their account by following the link in the email address? What should I do? I'm not getting it at all...please help me out..

What I have in a table users in database:

1   id          int(11)       AUTO_INCREMENT    
2   username    varchar(255)        
3   password    char(64)    
4   salt        char(16)    
5   email       varchar(255)

register.php

// First we execute our common code to connection to the database and start the session 
 require("common.php"); 

// This if statement checks to determine whether the registration form has been submitted 
// If it has, then the registration code is run, otherwise the form is displayed 
if(!empty($_POST))
{ 
// Ensure that the user has entered a non-empty username 
if(empty($_POST['username']))
{ 
    echo "Please enter a username."; 
}

// Ensure that the user has entered a non-empty password 
if(empty($_POST['password']))
{ 
    die("Please enter a password."); 
} 

// Make sure the user entered a valid E-Mail address 
// filter_var is a useful PHP function for validating form input, see:
if(!filter_var($_POST['email'], FILTER_VALIDATE_EMAIL)) 
{ 
    die("Invalid E-Mail Address"); 
} 

$query = " 
    SELECT 
        1 
    FROM users 
    WHERE 
        username = :username 
"; 

$query_params = array( 
    ':username' => $_POST['username'] 
); 

try 
{ 
    // These two statements run the query against your database table. 
    $stmt = $db->prepare($query); 
    $result = $stmt->execute($query_params); 
} 
catch(PDOException $ex) 
{ 
    // Note: On a production website, you should not output $ex->getMessage(). 
    // It may provide an attacker with helpful information about your code.  
    die("Failed to run query: " . $ex->getMessage()); 
} 

$row = $stmt->fetch(); 


if($row) 
{ 
    die("This username is already in use"); 
} 

// Now we perform the same type of check for the email address, in order 
// to ensure that it is unique. 
$query = " 
    SELECT 
        1 
    FROM users 
    WHERE 
        email = :email 
"; 

$query_params = array( 
    ':email' => $_POST['email'] 
); 

try 
{ 
    $stmt = $db->prepare($query); 
    $result = $stmt->execute($query_params); 
} 
catch(PDOException $ex) 
{ 
    die("Failed to run query: " . $ex->getMessage()); 
} 

$row = $stmt->fetch(); 

if($row) 
{ 
    die("This email address is already registered"); 
} 

// An INSERT query is used to add new rows to a database table. 
// Again, we are using special tokens (technically called parameters) to 
// protect against SQL injection attacks. 
$query = " 
    INSERT INTO users ( 
        username, 
        password, 
        salt, 
        email 
    ) VALUES ( 
        :username, 
        :password, 
        :salt, 
        :email 
    ) 
"; 

$to = "email";
$subject = "Your Account Information!";
$body = <<<EMAIL
Hello {'email'}, here is your account information!

Username:{'username'}
Password:{'password'}

Please activate your account by clicking the following activation link:
http://www.mywebsite.com/activate.php?aid={$aid}

EMAIL;

$headers = 'From: noreply@yourdomain.com' . "\r\n" .
'Reply-To: noreply@yourdomain.com' . "\r\n" .
'X-Mailer: PHP/' . phpversion();

if(mail($to, $subject, $body, $headers)){
echo("<p>Your account information was successfully sent to your email - ('email')! <br><br>Please open your    email and click the activation link to activate your account.</p><br><p>If you do not see your account information in your inbox within 60 seconds please check your spam/junk folder.</p>");
} else {
   echo("<p> Unfortunately, your account information was <u>unsuccessfully</u> sent to  your email - ('email'). </p>");
}

$salt = dechex(mt_rand(0, 2147483647)) . dechex(mt_rand(0, 2147483647)); 

$password = hash('sha256', $_POST['password'] . $salt); 

for($round = 0; $round < 65536; $round++) 
{
    $password = hash('sha256', $password . $salt); 
}


$query_params = array( 
    ':username' => $_POST['username'], 
    ':password' => $password, 
    ':salt' => $salt, 
    ':email' => $_POST['email'] 
); 

try
{ 
    // Execute the query to create the user 
    $stmt = $db->prepare($query); 
    $result = $stmt->execute($query_params); 
}
catch(PDOException $ex)
{ 

}
header("Location: login.php"); 
die("Redirecting to login.php"); 
}
?> 
<h1>Register</h1> 
<form action="" method="post"> 
Username:<br /> 
<input type="text" name="username"  required value="" /> 
<br /><br /> 
E-Mail:<br /> 
<input type="text" name="email" required value="" /> 
<br /><br /> 
Password:<br /> 
<input type="password" required  name="password" value="" /> 
<br /><br /> 
<input type="submit"  value="Register" /> 
</form>

login.php

<?php 

// First we execute our common code to connection to the database and start the session 
require("common.php"); 

$submitted_username = '';
if(!empty($_POST)) 
{ 
$query = " 
    SELECT 
        id, 
        username, 
        password, 
        salt, 
        email 
    FROM users 
    WHERE 
        username = :username 
"; 

// The parameter values 
$query_params = array( 
    ':username' => $_POST['username'] 
); 

try 
{ 
    // Execute the query against the database 
    $stmt = $db->prepare($query); 
    $result = $stmt->execute($query_params); 
} 
catch(PDOException $ex) 
{ 
    die("Failed to run query: " . $ex->getMessage()); 
} 

$login_ok = false; 

$row = $stmt->fetch(); 
if($row) 
{ 

    $check_password = hash('sha256', $_POST['password'] . $row['salt']); 
    for($round = 0; $round < 65536; $round++) 
    { 
        $check_password = hash('sha256', $check_password . $row['salt']); 
    } 

    if($check_password === $row['password']) 
    { 
        $login_ok = true; 
    } 
} 

if($login_ok) 
{ 

    unset($row['salt']); 
    unset($row['password']); 

    $_SESSION['user'] = $row; 

    // Redirect the user to the private members-only page. 
    header("Location: private.php"); 
    die("Redirecting to: private.php"); 
} 
else 
{ 
    // Tell the user they failed 
    print("The Username/Password is invalid."); 

    $submitted_username = htmlentities($_POST['username'], ENT_QUOTES, 'UTF-8'); 
} 
} 

    ?> 
    <h1>Login</h1> 
    <form action="login.php" method="post"> 
Username:<br /> 
<input type="text" name="username" required value="<?php echo $submitted_username; ?>" /> 
<br /><br /> 
Password:<br /> 
<input type="password" name="password" value="" required /> 
<br /><br /> 
<input type="submit" value="Login" /> 
</form> 
<a href="register.php">Register</a>

Answer 1

For one you're not emailing the user anything in this script. What you should do is create a registration table and store the values there along with a token and a datetime. Some URL based identifier. A simple md5 of the email and timestamp concat would work fine.

$token = md5($_POST['email'].time());

Then email the user a link - something like: http://www.yoursite.com/register/confirm?token=yourmd5token

This script would fetch the stored user info from that token, make sure the datetime was within an hour or so, then push the data into the user table only on confirmation so you don't fill up a table unnecessarily.

Based on the code you provided, you're not a true beginner in PHP. So you should have no problems google searching examples of the things mentioned. This is too involved to write it all out for you since typically SO is used for quick help and basic QA. Yours is more of a full project thing.

Answer 2

Here is a conceptual overview of one way to do email verification. This question is still too high level to add in any real code to the answer. Also, please consider this may not be the best way to do verification, just a simple way.

Add 2 columns to the database:

• is_verified
• verification_token

In login.php:

1. When creating the user set is_verified=0 and create a random verification_token.
2. After creating the user, build a link to verify.php with the token as a query string parameter.
3. Send an email to the email address with the link to verify
4. Redirect the user to a page called verificationWaiting.php which alerts them to check their email and click the link.

Create a page called verify.php that:

1. Checks the database for a the token in the query string and sets the is_verified flag to true if the user with the toke is found.
2. Redirects the user to the login page

Modify login.php to make sure the user has is_verified set as an authentication condition.

This is just a broad overview of one way to do it. There are many additional features you could add. Hope this helps get you started.

Answer 3

You have some options, you can add a new column named something like "active" and default that to 0 until the user has clicked on a generated link (say, yoursite.com/activate.php?key=)

have the key = something like the users email address.

Once the user has clicked the link and entered the password they have on file from previously registering, you can set the active column to 1.

The second option is to generate a random password, and require the user to get the password from his/her email. Thus requiring a valid email address.