email confirmation on a form

big-dog

Is there a script or some simple code I could add to a form to confirm a valid email address before the form data is added to database? Like these forums when you register you have to check your email then click the link to process your registration
I have a form a person fills out then hits submit it then uses a process.php to add the data to the database and displays a thank you page. I would like to add a step before the data is added like described above.

scrupul0us

depending on OS and PHP version you can implement some DNS checks (in various ways) to see:

1) if the domain is real checkdnsrr
2) if the domain accepts mail getmxrr
3) if the email address exists on the mail server

number three is a bit of overkill if the first two pass

big-dog

can you provide more detail? I dont know coding well enough to do this I dont think

BuzzPHP

This is about as simple as you can make it, and I have seen some sites that use this kinda system to validate emails or websites.

<form method=post>
<?php
if ($_POST["submit"])
{
  mail($_POST["email"], "Confirm Email", "
  Please click on the following link to confirm your email.
  " . $_SERVER["HTTP_REFERER"] . "?email=" . $_POST["email"]);
  echo "A email has been sent to your account. Please validate your email.";
}
elseif ($_GET["email"])
{
  echo "Thankyou for registering your email " . $_GET["email"];
}
else
{
  echo "Email: <input type=text name=email>";
  echo "<input type=submit name=submit value=Submit>";
}
?>
</form>

The downside to this system is, once your confirm one email, you can confirm other emails just by editing the URL that is sent to your email account.

To improve the system, I would add the email to a database along with a random number. You then send a URL like this to the account: (Note, the md5 is just for extra protection for the email holder)

$_SERVER["HTTP_REFERER"] . "?code=$random&email=" . md5($email)

When you receive a code from people clicking on these links, you lookup the database and compare the recorded md5 email with the md5 coded email sent.

For a person to circumvent this system, a hacker would need to guess a pair of pin number (random number) and username (a md5 email). very difficult if not impossible.

scrupul0us

the issue with not validating the email prior to insertion is that you have to handle clean up for unvalidated accounts and bad emails... you also have to deal with sending out email to invalid accounts (which is wasted processing if you ask me)

if you do basic dns validation ahead of time it will greatly reduce the amount of clean up needed

i have implemented quite a few myself and i find that if you validate the domain and validate that it accepts mail you are pretty safe... that being said, for the popular mail domains (aol, google, yahoo, etc) I also see if the mail domain accepts mail for the user since you tend to see a load of garbage addresses on those

dagon

the manual says don't use getmxrr() for this purpose