email confirmation with link to confirm registration

fasterisbest

Hello,

I am hoping someone can point me in the right direction.

I am trying to set up a registration form. Currently, when submitted, the form writes the user's info to a database and sends out an email with thier registration details.

Here is the link to the form: http://gwbrooks.com/register.htm

I want the user to confirm thier registration details while also confirming that their email exists by clicking on a link that is sent in the confirmation email.

How do I generate that link? Is it called "hashing"?

Furthermore, once I figure out how to generate that link should I have my database set up with two tables? One for "unconfirmed" users and one for users that have "confirmed" through email. Should the link in the email write the users details to the "confirmed" table in the database?

Thanks in advance for all your help.

alimadzi

Hashing is one way to handle this. You could run md5() or sha1() on their email address to create the hash. Then put it in a link in the email like this:

http://gwbrooks.com/confirm.php?hash={$hash}

On the database side, don't use two tables. Just add a boolean column called 'confirmed' that defaults to 0 and is set to 1 once the confirm script runs for each address.

fasterisbest

So, here is my code that executes when the form is submitted: (I am new)

<?php

if (!$firstName || !$lastName || !$dob || !$email){
echo 'You did not fill out all the required information';
exit;
}

if ($password !== $cpassword) {
echo 'Passwords did not match. Please go back and try again.';
exit;
}

if (strlen($password)<6 || strlen($password) >16){
echo 'Your password must be between 6 and 16 characters.'
.'Please go back and try again.';
exit;
}

$db = mysql_connect('localhost', 'database', 'password');
mysql_select_db( 'gwbrooks_MRSC',$db) or die ("Eat a dick I cant connect!");

$check = mysql_query("SELECT * FROM tblRegistered WHERE email = '$email'") or die(mysql_error());

$check2 = mysql_num_rows($check);
if ($check2 == 1) {
echo ('The user already exists. Please go back and try again.');
exit;
}

$query = "INSERT INTO tblRegistered(firstName, lastName, dob, email, password) VALUES
('".$firstName."', '".$lastName."', '".$dob."', '".$email."', '".$password."')";

$result = mysql_query($query);

if ($result)
echo '<p>Thank you for registering with the Mississauga Recreation Sports Club.</p>
<p>A confirmation email has been sent to you.</p>';

$recmail = $email; // address you want the form mailed to
$sub = "MRSC Registration" ; //subject of email that is sent

$mess =
'First Name: '.$firstName.'
Last Name: '.$lastName.'
Date of Birth: '.$dob.'
Email: '.$email.'
Password: '.$password.'

This is an automatically generated email. Please do not respond to it. Thanks for registering with MRSC.
Please click on the link below to confirm your registration';

$headers = 'From: mrsc@mrsc.com' . "\r\n" .
'X-Mailer: PHP/' . phpversion();

mail($email,$sub,$mess,$headers);

Can you tell me where would I insert the code and what should it look like?

Do I create a new page with the sha() coding?

Is there somewhere I can look at an example?

Thanks in advance for your time.

alimadzi

I would add a new column to your users table to store the hash and insert it along with the other user info. Then use it to create a link to a confirm script like the one I suggested previously.

Then in the actual confirm script, grab the hash from the query string and search for it in the users table. If found, update the record to confirmed. If not found, display an "Address not found" error or something to that effect.

Let us know if you have specific questions about how to go about doing this.

fasterisbest

Thanks again for your time.

I think I am starting to understand.

However, is there some documentation or sample code at which i could have a look?

This hash function is still kind of throwing me for a loop.

alimadzi

Here you go...

http://us2.php.net/md5
http://us2.php.net/manual/en/function.sha1.php

fasterisbest

Ok,

So I have the registration script sending out an email and providing a link. Here is a portion of the code in the php script that executes when the user clicks submit:

$email_encrypt = urlencode($email);
$special_string = 'hooraw';
$hash = md5($email_encrypt.$special_string);

Here is the link that is sent to the email that was provided:

http://gwbrooks.com/confirm.php?hash='.$hash.'

The actual link will look something like this:

 [url]http://gwbrooks.com/confirm.php?hash=00413297cc003c03d0f1ffe1cc8445f8[/url]

The hash writes to the DB with the users information.

OK, i have a confirm.php page. I want the page to check for that hash in the table it was stored and if it is there I want to write "yes" in a field called confirmed. If it is not there I don't want to write anything to the DB table and I want the user to be informed that thier registration does not exist.

Here is my script for my confirm.php page:

<?php

include'myconn.php';

//finds hash value in hash field

$check = mysql_query("SELECT * FROM tblRegistered WHERE hash = '$hash'") or die(mysql_error());

$check2 = mysql_num_rows($check);
if ($check2 == 1)

echo 'Thank you for confirming your registration details.';

if ($check2 == 0){
echo 'User does not exist.';
exit;
}

//inserts yes into the confirmed field where the hash matches
$query = "INSERT INTO tblRegistered(confirmed) WHERE 'hash' = '$hash' VALUES
('yes')";

$result = mysql_query($query);

if ($result)
echo 'Thank you for registering with the Mississauga Recreation Sports Club.';
?>

The link leads to the confirm.php page but I'm not sure if it is actually finding the hash and it is definitely not writing "yes" in the confirmed field. Can you help with my code?

What am I doing wrong?

Am I going about this the right way?

The form is here if you want to try it:

http://gwbrooks.com/register.htm

Thanks in advance for your time and efforts.

alimadzi

Have you echoed out that query to see if the $hash variable is set? Do you have register_globals turned on (shudder)? It looks like you do (which is bad). If not, then you'll need to get $hash from the $_GET array.

rowanparker

And you should mysql_real_escape_string() before putting a string in a query.