Trying to sourc email verification scripts.

cauchyResidue

Hello all, I hope you are doing well.

I'm working on a website that sends an email to a user after he or she registers to the site. But the script I'm using sends only a greeting and the user's login credentials. I'm looking for a script that will verifiy a user's email address by including a link in the email that the user will have to click to complete the registration.

Do any of you know of any scripts (free or for a cost) that I can download to do this for me?

Here are the specs I'm looking for:

-> MySQL database and PHP scripting.
-> database fields: name [254], email [254], verified [t/f], ipaddress [15], timestamp
-> A file called signup.php will accept two incoming variables as follows:
signup.php?request:newuser-NAMEHERE&email-EMAILHERE
-> These variables will be saved to a database using the specification listed above.
-> If the email address is already registered, the email should say so, and the return page should
have ONLY the text 'already exists'.
-> The script will issue a confirmation email with encoded name/email for the user to
click on and confirm their email address.
-> When the user clicks and is returned to the site, a confirmation code should be generated for them
-> The confirmation code will be disclosed to the selected coder only.
-> The users IP address is to be saved along with a timestamp.
-> When the user is verified, their data record is to be marked as such.
-> Data integrity checks are to be performed on incoming name/email data to ensure validity.
-> When the confirmation code is issued after the user clicks on the verification link:
-> This will be displayed in an HTML page to the user
-> Instructions on how to copy/paste should be gently listed after the code.

Any help is appreciated greatly.

Thanks,

etully

It's pretty easy to write this yourself.

First, ask them to register. When they fill in their information, it gets sent to a page that checks to see if their email address already exists. (If so, warn them and don't go any further). If not, the script writes a database entry and sends an email to the new user. When you write that database entry, you have a field called something like "active" or verified which you set to "no" and you have a field called something like "registration_code" which you set to a random string of characters. When you send the email, you can send their username and password and whatever instructions you want but you also include a link that points to signup.php and includes the registration code. When the user clicks that link, signup.php checks the database to see if that registration code exists and if so, updates that record so that "active" equals "yes".

cauchyResidue

Thanks etully,

Hmm... very interesting. The problem is that I'm not a coder by trade. I downloaded a script and I'm modifying it to suit my needs. But I've been working with the code (MySQL/PHP) long enough to kinda figure things out.

I understand everything in your algorithm except how to include the link that points to signup.php with the registration code on the email that is automatically sent out.

Any ideas on this part? If not, I'll try googling for answers.

Regards,

Houdini

When you send the email, you can send their username and password and whatever instructions you want but you also include a link that points to signup.php and includes the registration code. When the user clicks that link, signup.php checks the database to see if that registration code exists and if so, updates that record so that "active" equals "yes".

the link sent in the e-mail could be anything like http://yoursite.com/yourprocess.php?user=soandso&pass=pass&auth=123
then you just look for the response in the yourprocess.php for the key value pair of user soandso with a pass of pass and auth 123 and complete the process

etully

First, make up a random string. I do it like this:
$seed = "qwertyuioplkjhgfdsazxcvbnmQWERTYUIOPLKJUHGFDSAZXCVBNM1234567890";
$i=0; $reg_code=""; while ($i<15) { $reg_code .= substr($seed,rand(0,strlen($seed)),1); $i++; }

Then insert all their data into a database including the reg_code.
Then send an email to the customer with the reg_code embedded in a URL like this:

mail($customer_email, "Thank you for registering $name"," ", "From:cauchy@residue.coml\nReply-To:cauchy@residue.com\n\n

Thank you for registering. Your account won't be active until you visit this URL.
http://www.yourdomain.com/signup.php?reg_code=$reg_code

");

Last, You need to write signup.php. Take $reg_code and update the database with this SQL:
update user_table set active="yes" where reg_code = '$reg_code'

That will do it.

By the way, since you're not a coder by trade, I'll warn you that I made one big blunder in the code above. You should never trust user data as I just did. I assumed that he's just going to click the link. The truth is that he could copy the link to his clipboard, modify it, and then paste it into his web browser. He could replace the reg_code with some destructive SQL statement. Then, when I execute my SQL statement, I'm passing his string directly to MySQL. For example, he could change the URL to something like this:

http://www.yourdomain.com/signup.php?reg_code=Q5oFOjfXjTxXBDe;delete from user_table

It's called a SQL injection. The URL passes me the reg_code and I trust it so I end up sending this command to MySQL:

update user_table set active="yes" where reg_code = 'Q5oFOjfXjTxXBDe; delete from user_table'

So what you do is decide what characters are allowed in the reg_code. (In my example, I chose numbers and letters). So you simply remove anything that's not a number or a letter like this:

$reg_code = ereg_replace("[^{A-Za-z0-9]","",$reg_code);}

To be even safer, you could check to see if reg_code is shorter or longer than 15 characters. If so, then abort without passing anything to MySQL.