email verification email

wortmann

Hello,

I'm trying to implement a verification system where an email is send to confirm new members.
I've gotten the code and it seems to work from:

http://www.phpeasystep.com/phptu/24.html

however how can i check if emails are being send and how can i check if the links in the verification emails are working?
i do not wish to upload but want to stay local testing

localhost...

wortmann

i've got another little problem:
I;ve got this php code:

// values sent from form 
$name=$_POST['name'];
$email=$_POST['email'];
$country=$_POST['country'];



// Insert data into database 
$sql="INSERT INTO $tbl_name(confirm_code, name, email, password, country)VALUES('$confirm_code', '$name', '$email', '$password', '$country')";
 $result=mysql_query($sql);

// if suceesfully inserted data into database, send confirmation link to email 
if($result){

 // ---------------- SEND MAIL FORM ----------------

 $to=$email;														// send e-mail to ...
 $subject="Here is your confirmation-link from SEAMM Sports DB";  	// Your subject
 $header="from: SEAMM ";  										// From
 $message="Your Comfirmation link \r\n";							// Your message
 $message.="Click on this link to activate your account \r\n";
 $message.="confirmation.php?passkey=$confirm_code";
 $sentmail = mail($to,$subject,$message,$header);					// send email

}

 // if not found 
else {
 echo "Not found your email in our database";
 }
 // if your email succesfully sent
 if($sentmail){
 echo "Your Confirmation link Has Been Sent To Your Email Address.";
 }
 else {
 echo "Cannot send Confirmation link to your e-mail address";
 }

It all seems to work. I can see the data in teh table, however i do not get an email to verify and confirm.
Any suggestions why not?

johanafm

wortmann;11034057 wrote:
localhost...

You'd need a webserver running on localhost if you don't already have it. Prefereably running in the same environment as your production server.

wortmann;11034059 wrote:
I;ve got this php code:

please wrap it in [noparse]

[/noparse] tags. It makes for easier reading.

All data from external sources has to be considered as unsafe. Not all users will provide you with data which is sensible from your perspective, and some will use it to attack you.

wortmann;11034059 wrote:

$name=$_POST['name'];
$email=$_POST['email'];
$country=$_POST['country'];

Here you insert the above data without handling it properly, which makes you vulnerable to sql injection. Use prepared statements to safely use data in queries. More on that later

wortmann;11034059 wrote:

$sql="INSERT INTO $tbl_name(confirm_code, name, email, password, country)VALUES('$confirm_code', '$name', '$email', '$password', '$country')";

The mysql extension (all mysql_* functions) has been deprecated and will be removed. Do not use it.

wortmann;11034059 wrote:
$result=mysql_query($sql);

The remaining choices for PHP are ext/mysqli and PDO. In my opinion it's an easy choice because PDO offers support for named placeholders which mysqli does not. Thus, PDO allows you to do it this way

# Placeholders must start with : in the query
$sql="INSERT INTO $tbl_name(confirm_code, name, email, password, country)
VALUES(:confirm_code, :name, :email, :password, :country)";

# Assuming you have created an instance of pdo with $pdo = new PDO(...)
$stmt = $pdo->prepare($sql);
# The array keys may be written with or without leading : and correspond to the above :placeholders
$result = $stmt->execute(array(
        'confirm_code'  => $confirm_code,
        'name'          => $name,
        'email'         => $email,
        'password'      => $password,
        'country'       => $country
));

Using mysqli which lacks support for named placeholders, you'd have to

$sql="INSERT INTO $tbl_name(confirm_code, name, email, password, country)
VALUES(?, ?, ?, ?, ?)";

$stmt = $mysqli->prepare($sql);
# The first parameter should contain one character each corresponding to the data type inserted data (i = integer, s = string…)
$stmt->bind_param('sssss', $confirm_code, $name, $email, $password, $country);
$result = $stmt->execute();

As the number of parameters grow, the lack of named parameters makes it error prone and hard to debug.

On a side note, why do you insert the table name using a variable ($tbl_name)? I would at least guess that you always insert into the same table. If that is correct, put the table name directly in the string instead.

This is a possible source of problems

wortmann;11034059 wrote:
 $header="from: SEAMM ";  										// From

Most MTAs will refuse to send emails lacking a valid email address. Some MTAs performs additional checks, such as making sure the email address belongs to the same domain and that it exists. "SEAMM" is not a valid email address. You can set an additional header "reply-to: ..." if you do not wish replies to go to the sender. Also, the line does not end with CRLF. Not sure if the mail functions handles the last (or only) header line lacking CRLF.

wortmann

Wow that's a whole lot of information. I'm amazed you went through this and give me a comprehensive explanation of what is wrong and how to handle it.

You must understand that I'm trying to develop a web based communication system for members to share information with their peers. Quite simple , not much to it.

However i do want it all safety proof. Make sure hackers wont get to abuse it and smoothly running.
Since i've done some programming back in the '80's!! i thought i'd give it a try again jus tto see if i can still do it and how much work is involved.

When i think i've got that bt of knowledge i'd love to work with a professional who might help me develop this piece of software.
After your reply i cant stop thinking that you're a developer with a lot of experience, what would you recommend me to do in my case?

johanafm

wortmann;11034077 wrote:
Quite simple , not much to it.

Yes... and no 😉

It's probably a decent sized project for learning, considering your previous programming experience. But it's not unlikely that you will also find out along the way that there is in reality "more to it" than you first expected. Which is all fine though. It's how we learn.

wortmann;11034077 wrote:
However i do want it all safety proof. Make sure hackers wont get to abuse it and smoothly running.

For some further information on security you have to be aware of several types of injection attacks.

The basics though, is that headers are separated by CRLF, and if you allow user input that goes into the header without handling it appropriately, they might inject extra headers with "\r\nextra-header: value", which could lead to spamming others. For an in depth look at the email header format, check out the links to RFCs in the php [man]mail[/man] doc page.

Apart from email header injection and sql injection attacks, you might also want to read about XSS, cross site scripting. It's another type of injection attack, where one user uploads text which is then displayed to another user. If the text is not properly handled, it may lead to bad things. The basics is that if you allow not html at all, you can use htmlspecialchars() on all such data when sending it to a browser and all occurences of < > would be replaced by < and > which prevents it to be interpreted as for example <script>...</script>.

Url injection uses manipulation of the query string. Thus you may (most likely) still need to perform additional checks on incoming data than just using the above techniques.

wortmann;11034077 wrote:
When i think i've got that bt of knowledge i'd love to work with a professional who might help me develop this piece of software.
After your reply i cant stop thinking that you're a developer with a lot of experience, what would you recommend me to do in my case?

Reading is always good, but rarely takes you all the way. There is nothing like hands on experience. To me, the best way to get it is either finding or coming up with "decent sized projects". What determines this is obviously your current skill level, what you wish to learn and how much patience you have. We are all different, but a common recommendation is to no not go too far beyond your current skill level. Simply for the reason that taking on too much at the time usually ends up with nothing being done / learnt. Or the long term accumulation of frustration 😉

Another invaluable thing is indeed to get input from others. Sometimes you will find out that you are/were doing something wrong by reading. But for me it's probably been more common with other people letting me know this. Forums such as this one, stack overflow etc are a good way to get this feedback. I can also recommend not just asking questions and posting code to get feedback though, but also answering questions of others. I've often spent several hours doing research in order to be able to answer someone else's question, simply because I wanted to learn what they were asking… But in these cases, please be careful and do your research first. There's always the risk of this turning into a blind leading a blind. The good thing is there's likely someone else to point this out. Which ones again gives you that invaluable feedback.

Coming up with reasonable projects on your own to improve your skills is not always the easist thing to do. But it's possible other people have done the job for you, in terms of well defined exercises. There's a list of places with exercies at stack overflow | where-can-i-find-programming-puzzles-and-challenges.

Finally I'd recommend doing yourself a huge favor and start using 3 tools

Version Control System (CVS) - my recommendation would be Git (even though I still run into PEBKAC issues once per week)
Xdebug
IDE with integrated support for Xdebug

There was recently a discussion of IDEs in phpbuilder | windows user tools. It's possible you'd get more suggestions if the questions were broadened beyond windows in case you're using some other OS.

sneakyimp

bless you johanafm for providing such lengthy and thoughtful responses.

wortmann, johanafm has given lots of good advice here and it's probably a lot to digest. you might consider tackling one piece at a time. E.g., "I want to send an email to someone" and break this bigger task down into smaller bits. It's easier to get good clean answers if you are tackling a limited task in each post.