Have you ever created an account with a website, and were required to check your email and click through a verification link sent by the company in order to activate it? Doing so highly reduces the number of spam accounts. In this lesson, we'll learn how to do this very thing!
What Are We Going to Build?
We are going to build a nice PHP sign-up script where a user can create an account to gain access to a "members section" of a website. After the user creates his account, the account will then be locked until the user clicks a verification link that he will receive in his email inbox.
Step 1 - Sign-up Page
We first need a simple page where our visitors can sign up their accounts; so that's the first thing we will build. I would like to remind you that this is a PHP tutorial, and in my opinion, I think you need to know the basics of HTML before moving on with PHP. I'll add comments to the HTML & CSS to describe each line of code.
index.php - This is our sign up page with a basic form.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title>NETTUTS > Sign up</title> <link href="css/style.css" type="text/css" rel="stylesheet" /> </head> <body> <!-- start header div --> <div id="header"> <h3>NETTUTS > Sign up</h3> </div> <!-- end header div --> <!-- start wrap div --> <div id="wrap"> <!-- start php code --> <!-- stop php code --> <!-- title and description --> <h3>Signup Form</h3> <p>Please enter your name and email addres to create your account</p> <!-- start sign up form --> <form action="" method="post"> <label for="name">Name:</label> <input type="text" name="name" value="" /> <label for="email">Email:</label> <input type="text" name="email" value="" /> <input type="submit" class="submit_button" value="Sign up" /> </form> <!-- end sign up form --> </div> <!-- end wrap div --> </body> </html>
css/style.css - This is stylesheet for index.php and further pages.
/* Global Styles */
*{
padding: 0; /* Reset all padding to 0 */
margin: 0; /* Reset all margin to 0 */
}
body{
background: #F9F9F9; /* Set HTML background color */
font: 14px "Lucida Grande"; /* Set global font size & family */
color: #464646; /* Set global text color */
}
p{
margin: 10px 0px 10px 0px; /* Add some padding to the top and bottom of the <p> tags */
}
/* Header */
#header{
height: 45px; /* Set header height */
background: #464646; /* Set header background color */
}
#header h3{
color: #FFFFF3; /* Set header heading(top left title ) color */
padding: 10px; /* Set padding, to center it within the header */
font-weight: normal; /* Set font weight to normal, default it was set to bold */
}
/* Wrap */
#wrap{
background: #FFFFFF; /* Set content background to white */
width: 615px; /* Set the width of our content area */
margin: 0 auto; /* Center our content in our browser */
margin-top: 50px; /* Margin top to make some space between the header and the content */
padding: 10px; /* Padding to make some more space for our text */
border: 1px solid #DFDFDF; /* Small border for the finishing touch */
text-align: center; /* Center our content text */
}
#wrap h3{
font: italic 22px Georgia; /* Set font for our heading 2 that will be displayed in our wrap */
}
/* Form & Input field styles */
form{
margin-top: 10px; /* Make some more distance away from the description text */
}
form .submit_button{
background: #F9F9F9; /* Set button background */
border: 1px solid #DFDFDF; /* Small border around our submit button */
padding: 8px; /* Add some more space around our button text */
}
input{
font: normal 16px Georgia; /* Set font for our input fields */
border: 1px solid #DFDFDF; /* Small border around our input field */
padding: 8px; /* Add some more space around our text */
}
As you can see, I have added a comment to each line that describes what they do. Also, you might have noticed the following comment in the index.php file:
<!-- start php code --> <!-- stop php code -->
We are going to write our PHP between these 2 lines!
Step 2 - Input Validation
The first thing we are going to build is a piece of code that's going to validate the information. Here is a short list detailing what needs to be done.
- If the name field is not empty.
- If the name is not to short.
- If the email field is not empty.
- If the email address is valid xxx@xxx.xxx
So our first step is checking if the form is being submitted, and that the fields are not empty.
<!-- start PHP code -->
<?php
if(isset($_POST['name']) && !empty($_POST['name']) AND isset($_POST['email']) && !empty($_POST['email'])){
// Form Submited
}
?>
<!-- stop PHP Code -->
Time for a breakdown! We start of with an IF statement and we are first validating the name field:
if( ){ // If statement is true run code between brackets
}
isset($_POST['name']) // Is the name field being posted; it does not matter whether it's empty or filled.
&& // This is the same as the AND in our statement; it allows you to check multiple statements.
!empty($_POST['name']) // Verify if the field name is not empty
isset($_POST['email']) // Is the email field being posted; it does not matter if it's empty or filled.
&& // This is the same as the AND in our statement; it allows you to check multiple statements.
!empty($_POST['email']) // Verify if the field email is not empty
So if you would submit the form now with empty fields, nothing happens. If you fill in both fields then our script will run the code between the brackets. Now we are going to create a peace of code that will check if an email address is valid. If it's not, we will return a error. Also let's turn our post variables into local variables:
if(isset($_POST['name']) && !empty($_POST['name']) AND isset($_POST['email']) && !empty($_POST['email'])){
$name = mysql_escape_string($_POST['name']); // Turn our post into a local variable
$email = mysql_escape_string($_POST['email']); // Turn our post into a local variable
}
We can now reach our data via our local variables. As you can see, I also added a MySQL escape string to prevent MySQL injection when inserting the data into the MySQL database.
"The mysql_real_escape_string() function escapes special characters in a string for use in an SQL statement."
Regular Expressions
Next up is a small snippet that checks if the email address is valid.
$name = mysql_escape_string($_POST['name']);
$email = mysql_escape_string($_POST['email']);
if(!eregi("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$", $email)){
// Return Error - Invalid Email
}else{
// Return Success - Valid Email
}
Please note that I did not personally write this regular expression, it's a small snippet from php.net. Basically, it verifies if the email is written in the following format:
xxx@xxx.xxx
Now in the eregi, you can see that it checks if the email contains characters from the alphabet, if it has any numbers, or a phantom dash (_), and of course the basic requirements for an email (email)'@' and a (dot)'.' If none of these characters are found, the expression returns "false". Okay, so now we need to add some basic error messages.
if(!eregi("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*(\.[a-z]{2,3})$", $email)){
// Return Error - Invalid Email
$msg = 'The email you have entered is invalid, please try again.';
}else{
// Return Success - Valid Email
$msg = 'Your account has been made, <br /> please verify it by clicking the activation link that has been send to your email.';
}
As you can see we have made a local variable "$msg", this allows us to show the error or the success message anywhere on the page. And we are going to display it between the instruction text and the form.
<!-- title and description -->
<h3>Signup Form</h3>
<p>Please enter your name and email address to create your account</p>
<?php
if(isset($msg)){ // Check if $msg is not empty
echo '<div class="statusmsg">'.$msg.'</div>'; // Display our message and wrap it with a div with the class "statusmsg".
}
?>
<!-- start sign up form -->
Add this to style.css, to style our status message a bit.
#wrap .statusmsg{
font-size: 12px; /* Set message font size */
padding: 3px; /* Some padding to make some more space for our text */
background: #EDEDED; /* Add a background color to our status message */
border: 1px solid #DFDFDF; /* Add a border arround our status message */
}
Step 3 - Creating the Database & Establishing a Connection
Now we need to establish a database connection and create a table to insert the account data. So let's go to PHPMyAdmin and create a new database with the name registrations and create a user account that has access to that database in order to insert and update data.
Let's create our users table, with 5 fields:
So now we must enter details for these fields:
For those who don't want to input this data manually, you can instead run the following SQL code.
CREATE TABLE `users` ( `id` INT( 10 ) NOT NULL AUTO_INCREMENT PRIMARY KEY , `username` VARCHAR( 32 ) NOT NULL , `password` VARCHAR( 32 ) NOT NULL , `email` TEXT NOT NULL , `hash` VARCHAR( 32 ) NOT NULL , `active` INT( 1 ) NOT NULL DEFAULT '0' ) ENGINE = MYISAM ;
Our database is created, now we need to establish a connection using PHP. We'll write the following code at the start of our script just below the following line:
<!-- start PHP code --> <?php // Establish database connection
We'll use the following code to connect to the database server and select the registrations database. (basic MySQL connection)
mysql_connect("localhost", "username", "password") or die(mysql_error()); // Connect to database server(localhost) with username and password.
mysql_select_db("registrations") or die(mysql_error()); // Select registrations database.
Now that we've established a connection to our database, we can move on to the next step and insert the account details.
Step 4 - Insert Account
Now it's time to enter the submitted account details to our database and generate an activation hash. Write the following code below this line:
// Return Success - Valid Email $msg = 'Your account has been made, <br /> please verify it by clicking the activation link that has been send to your email.';
Activation Hash
In our database we made a field called hash, this hash is a 32 character string of text. We also send this code to the user's email address. They then can click the link (which contains the hash) and we will verify if it matches up with the one in the database. Let's create a local variable called $hash and generate a random md5 hash.
$hash = md5( rand(0,1000) ); // Generate random 32 character hash and assign it to a local variable. // Example output: f4552671f8909587cf485ea990207f3b
What did we do? Well we are using the PHP function "rand" to generate a random number between 0 and 1000. Next our MD5 function will turn this number into a 32 character string of text which we will use in our activation email. My choice is to use MD5, because it generates a hash of 32 characters which is secure and, in this case, impossible to crack.
Creating a Random Password
The next thing we need to is to create a random password for our member:
$password = rand(1000,5000); // Generate random number between 1000 and 5000 and assign it to a local variable. // Example output: 4568
Insert the following information into our database using a MySQL query
mysql_query("INSERT INTO users (username, password, email, hash) VALUES(
'". mysql_escape_string($name) ."',
'". mysql_escape_string(md5($password)) ."',
'". mysql_escape_string($email) ."',
'". mysql_escape_string($hash) ."') ") or die(mysql_error());
As you can see, we insert all data with a MySQL escape string around it to prevent any MySQL injection. You also might notice that the MD5 function changes the random password into a secure hash for protection. Example: if an "evil" person gains access to the database, he can't read the passwords.
For testing, fill in the form and check if the data is being inserted into our database.
Step 5 - Send the Verification Email
Right after we have inserted the information into our database, we need to send an email to the user with the verification link. So let's use the PHP "mail" function to do just that.
$to = $email; // Send email to our user $subject = 'Signup | Verification'; // Give the email a subject $message = ' Thanks for signing up! Your account has been created, you can login with the following credentials after you have activated your account by pressing the url below. ------------------------ Username: '.$name.' Password: '.$password.' ------------------------ Please click this link to activate your account: http://www.yourwebsite.com/verify.php?email='.$email.'&hash='.$hash.' '; // Our message above including the link $headers = 'From:noreply@yourwebsite.com' . "\r\n"; // Set from headers mail($to, $subject, $message, $headers); // Send our email
Now let's brake down the message:
Thanks for signing up! Your account has been created, you can login with the following credentials after you have activated your account by pressing the url below. ------------------------ Username: '.$name.' Password: '.$password.' ------------------------
In the code above we send a short description to our user which contains the username and password -- using the local variables we created when the data was posted.
Please click this link to activate your account: http://www.yourwebsite.com/verify.php?email='.$email.'&hash='.$hash.'
In this section of the code, we created a dynamic link. The result of this will look like this:
As you can see, it creates a solid url, which is impossible to guess. This is a very secure way to verify the email address of a user.
Step 6 - Account Activation
As you can see, our url links to verify.php so let's create that, using the same basic template we used for index.php. However, remove the form from the template.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>NETTUTS > Sign up</title>
<link href="css/style.css" type="text/css" rel="stylesheet" />
</head>
<body>
<!-- start header div -->
<div id="header">
<h3>NETTUTS > Sign up</h3>
</div>
<!-- end header div -->
<!-- start wrap div -->
<div id="wrap">
<!-- start PHP code -->
<?php
mysql_connect("localhost", "tutorial", "password") or die(mysql_error()); // Connect to database server(localhost) with username and password.
mysql_select_db("registrations") or die(mysql_error()); // Select registration database.
?>
<!-- stop PHP Code -->
</div>
<!-- end wrap div -->
</body>
</html>
The first thing we need to do is check if we have our $_GET variables (email & hash)
if(isset($_GET['email']) && !empty($_GET['email']) AND isset($_GET['hash']) && !empty($_GET['hash'])){
// Verify data
}else{
// Invalid approach
}
To make things a bit easier, let's assign our local variables and add some MySQL injection prevention by, once again, using the MySQL escape string.
if(isset($_GET['email']) && !empty($_GET['email']) AND isset($_GET['hash']) && !empty($_GET['hash'])){
// Verify data
$email = mysql_escape_string($_GET['email']); // Set email variable
$hash = mysql_escape_string($_GET['hash']); // Set hash variable
}
Next is to check the data from the url against the data in our database using a MySQL query.
$search = mysql_query("SELECT email, hash, active FROM users WHERE email='".$email."' AND hash='".$hash."' AND active='0'") or die(mysql_error());
$match = mysql_num_rows($search);
In the code above, we used a MySQL select statement, and checked if the email and hash matched. But beside that, we checked if the status of the account is "inactive". Finally, we use mysql_num_rows to determine how many matches have been found. So let's try this out. Simply use a simple echo to return the results.
$search = mysql_query("SELECT email, hash, active FROM users WHERE email='".$email."' AND hash='".$hash."' AND active='0'") or die(mysql_error());
$match = mysql_num_rows($search);
echo $match; // Display how many matches have been found -> remove this when done with testing ;)
We have a MATCH! To change the result, simply change the email and you'll see that the number returned is 0. We can use our $match variable to either activate the account or return a error when no match has been found.
if($match > 0){
// We have a match, activate the account
}else{
// No match -> invalid url or account has already been activated.
}
In order to activate the account, we must update the active field to 1 using a MySQL query.
// We have a match, activate the account
mysql_query("UPDATE users SET active='1' WHERE email='".$email."' AND hash='".$hash."' AND active='0'") or die(mysql_error());
echo '<div class="statusmsg">Your account has been activated, you can now login</div>';
So we use the same search terms for the update as we used in our MySQL select query. We change active to 1 where the email, hash and field active = 0 match up. We also return a message telling the user that his account has been activated. You can add a message like we did here to the "no match" part. So the final code should look similar to:
mysql_connect("localhost", "tutorial", "password") or die(mysql_error()); // Connect to database server(localhost) with username and password.
mysql_select_db("registrations") or die(mysql_error()); // Select registration database.
if(isset($_GET['email']) && !empty($_GET['email']) AND isset($_GET['hash']) && !empty($_GET['hash'])){
// Verify data
$email = mysql_escape_string($_GET['email']); // Set email variable
$hash = mysql_escape_string($_GET['hash']); // Set hash variable
$search = mysql_query("SELECT email, hash, active FROM users WHERE email='".$email."' AND hash='".$hash."' AND active='0'") or die(mysql_error());
$match = mysql_num_rows($search);
if($match > 0){
// We have a match, activate the account
mysql_query("UPDATE users SET active='1' WHERE email='".$email."' AND hash='".$hash."' AND active='0'") or die(mysql_error());
echo '<div class="statusmsg">Your account has been activated, you can now login</div>';
}else{
// No match -> invalid url or account has already been activated.
echo '<div class="statusmsg">The url is either invalid or you already have activated your account.</div>';
}
}else{
// Invalid approach
echo '<div class="statusmsg">Invalid approach, please use the link that has been send to your email.</div>';
}
If you visit verify.php without any strings, the follow error will be shown:
Step 7 - Login
In this final step, I will show you how to create a basic login form and check if the account is activated. First create a new file called login.php with the basic template we used before, but this time I changed the form into a login form.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>NETTUTS > Sign up</title>
<link href="css/style.css" type="text/css" rel="stylesheet" />
</head>
<body>
<!-- start header div -->
<div id="header">
<h3>NETTUTS > Sign up</h3>
</div>
<!-- end header div -->
<!-- start wrap div -->
<div id="wrap">
<!-- start PHP code -->
<?php
mysql_connect("localhost", "tutorial", "password") or die(mysql_error()); // Connect to database server(localhost) with username and password.
mysql_select_db("registrations") or die(mysql_error()); // Select registration database.
?>
<!-- stop PHP Code -->
<!-- title and description -->
<h3>Login Form</h3>
<p>Please enter your name and password to login</p>
<?php
if(isset($msg)){ // Check if $msg is not empty
echo '<div class="statusmsg">'.$msg.'</div>'; // Display our message and add a div around it with the class statusmsg
} ?>
<!-- start sign up form -->
<form action="" method="post">
<label for="name">Name:</label>
<input type="text" name="name" value="" />
<label for="password">Password:</label>
<input type="password" name="password" value="" />
<input type="submit" class="submit_button" value="Sign up" />
</form>
<!-- end sign up form -->
</div>
<!-- end wrap div -->
</body>
</html>
The form is basic html, and almost the same as the signup form, no further explanation is needed. Now it's time to write the code for the login script, which we will write just below the MySQL connection code. We start with something we also did in the signup form.
if(isset($_POST['name']) && !empty($_POST['name']) AND isset($_POST['password']) && !empty($_POST['password'])){
// Both fields are being posted and there not empty
}
So we first check to see if the data is being posted, and we make sure that it's not empty. Next is to create some local variables for the post data:
if(isset($_POST['name']) && !empty($_POST['name']) AND isset($_POST['password']) && !empty($_POST['password'])){
$username = mysql_escape_string($_POST['name']); // Set variable for the username
$password = mysql_escape_string(md5($_POST['password'])); // Set variable for the password and convert it to an MD5 hash.
}
We created the local variables and changed the password into a md5 hash to match it with the password hash we have stored in the database. Now, it's time to create the connection to our "users" table and verify if the entered data is correct.
if(isset($_POST['name']) && !empty($_POST['name']) AND isset($_POST['password']) && !empty($_POST['password'])){
$username = mysql_escape_string($_POST['name']);
$password = mysql_escape_string(md5($_POST['password']));
$search = mysql_query("SELECT username, password, active FROM users WHERE username='".$username."' AND password='".$password."' AND active='1'") or die(mysql_error());
$match = mysql_num_rows($search);
}
We wrote a MySQL query that will select the username, password and active information from our database, if the username and password match up. AND active='1' is !IMPORTANT!, this makes sure that you can only login if your account is activated. We use the MySQL num rows again to see how many matches are found.
if($match > 0){
$msg = 'Login Complete! Thanks';
// Set cookie / Start Session / Start Download etc...
}else{
$msg = 'Login Failed! Please make sure that you enter the correct details and that you have activated your account.';
}
In the code above we check if the login was a success or not.
The End
And that's the end of this tutorial! I hope you enjoyed it, and if you did please leave a comment below!
- Follow us on Twitter, or subscribe to the NETTUTS RSS Feed for more daily web development tuts and articles.
Related Posts
Check out some more great tutorials and articles that you might like
Plus Members
Source Files, Bonus Tutorials and
More for $9 a month for all TUTS+
sites in one subscription.
User Comments
( ADD YOURS )joell lapitan May 18th
another nice tuts for us.. thanks for this..
( )Brian Cray May 18th
Great practical article. This is a registration process every programmer should familiarize themselves with.
( )Muhammad Adnan May 18th
nice article for newbie programmer !
( )Felix May 18th
Great tutorial! You should be using mt_rand() instead of rand() though, as the doc says: “mt_rand() generates a better random value than rand()”. Plus it’s up to 4 times faster
( )Harnish May 18th
Good catch!
( )david May 18th
Also you should not limit it to 1000 as this results in only 1000 possible hashes.
Justin May 18th
You can fill in just a space at the registration, and it say’s that it’s OK cause you don’t check on that. It can be solved with a simple if statement that checks the length of the username and password and checks on spaces or not allowed items.
( )Philo May 18th
My apologies, I forgot about that.
( )My main focus was teaching how to build a email verification.
ChrisD May 18th
Still GREAT tutorial.
BrainFreeze October 7th
but i find it fabulous. a beginner i am in scripting. it was really neat and understandable in the process of the tutorial. thumbs up!
Ryan Stubbs May 18th
If you did wish to remove all whitespace, the trim function does this. Example:
echo trim(“nettuts”);
echo trim(” n e t t u t s”);
Would both simply return “nettuts”.
Hope that helps.
( )iobox May 19th
The trim just take off whitespace from the start and the end of a string
So you will actually get
echo trim(‘nettuts’); -> nettuts
echo trim(‘ n e t t u t s’); -> n e t t u t s
Zoran May 18th
Very nice! I will try this later!
( )Thanx!
crysfel May 18th
well….. this tutorial is good for beginners… but remember that in real world you shouldn’t mix your logic (PHP) and your presentation (HTML).
have funnnnn guys
( )Philo May 18th
I agree, normally I prefer to keep HTML and PHP separated.
Although, them main goal of this tutorial, is teaching how to verify a email address using a activation link.
( )Harnish May 18th
Would you write another tutorial as a follow up on this one which can show the php and html separation? Can you also write AJAX based tutorial for the same scenario?
elle driver May 19th
At the very least you could have kept almost all your php logic above the start of the html document. Set the variables expected by the php down in the html area and maybe also moved the html parts out to separate files to then be included?
Keith May 18th
Philo, great tutorial! I love your breakdown of each step. Can you write some advanced tuts please?
( )Philo May 18th
@Keith
I’m always looking for subjects to write about, what would you like to see?
—–
Thanks for all kind replies everyone.
( )ChrisD May 18th
People are always writing tut’s about membership systems etc. But never how to intergrate them into other pages.
I was thinking the other day would someone be able to write a tutorial for a member profile page.
E.g. A page that would grab the information of the selected member and display it. Maybe a bit about them selves or something…
Chris
reg4c May 18th
How about a tutorial on PHP sessions?
Chris May 18th
I’d like to see something about writing a basic CMS, that would be pretty cool. I’m currently doing that and some things are pretty tough to guess for a beginner.
Great tutrial anyways, keep up the good work!
michael May 18th
Yes, Session Handling would be awesome.
Spyder May 18th
Nice one but system is not checking existing email in database.
( )nvartolomei May 18th
Activation hash md5 of random number? The best way is random number + unix timestap.
( )Michael August 3rd
I agree. I would even think about tacking in the IP address of the visitor.
( )Jason May 18th
Nice,
Was looking for some information on activation emails not getting caught by SPAM filters?
And why is yahoo mail sooooo slow at showing my activation emails to my users?
Thank guys keep it up.
( )Neil May 18th
I had that issue too, I modified the content of the email to include the registered email address, X-Organization and X-Mailer email headers and it did the trick.
( )Nate May 18th
That’s just f*cking Yahoo. It happens to me regardless of where I’m sending test e-mails from. I’ve received e-mails 24 hours later and I’m like “wtf??”
( )Neil May 19th
No dude…its not just Yahoo…its anywhere that enforces a spam filter
Guillaume May 18th
I really like this tutorial. This is exactly what I was looking for.
( )Alidad May 18th
no demo to see that idea!
( )reg4c May 18th
Well done, I learned a lot.
But no full .ZIP download?
( )reg4c May 18th
OOops, skipped that part. Sorry, found it.
( )peewee1002 May 18th
Cool I might use this.
I would like to see someone make either a AJAX or PHP forum.
( )Rik Girbes May 18th
nice script Thanks!
( )Kris Allen U. May 18th
Nice job Philo. It would be nice to see more on how to separate logic and code, also more OOP in php.
( )Greg May 18th
Very useful
( )Evan May 18th
Great tutorial. Just what I needed to motivate myself to start delving deeper into php/mysql. Thanks!
( )Drummer8001 May 18th
This was exacting what I was working on for a site that I am building. Just skimmed over it. Will go back and look in detail later. Looks great though.
( )Michael Wales May 18th
Hooray! For non-salted password storage! The password for the user record you took a screenshot of is 1521.
Don’t make this mistake kids.
( )Philo May 18th
Thanks for your reply Michael.
I understand that a MD5 hash can be stronger when you salt it.
But please understand that this tutorial, is to teach people how to create a email verification system.
Ill try to keep your comment in mind!
( )Philo May 18th
I’m very happy with all responses, and I will try to keep them in mind for my next tutorial.
Please feel free to suggest a tutorial, either comment or just submit it to the suggestion list, that can be found here:
http://psdtuts.uservoice.com/pages/nettuts_tutorial_suggestions
Thanks again for all replies everyone!
( )wpheroes May 19th
Thanks Philo great tut!
( )Myfacefriends May 18th
this is truly awesome tuts very detailed explanation.,
( )Fledder May 18th
Respect for the author for putting so much time into this extensive tutorial, but…
“Thanks for your reply Michael.
I understand that a MD5 hash can be stronger when you salt it.
But please understand that this tutorial, is to teach people how to create a email verification system.”
Please don’t say this. People are going to use your tutorial for production usage, even if you do not intend it. Too much articles see security as an afterthought, that is how things go wrong. Security should be part of the article, you should set the right example. At the very least you should put up a big fat warning that users should not use your tutorial in real life, as it is insecure by design.
( )Shane May 18th
Generally very good. Thanks.
( )Martins May 18th
Is there any reason to check both isset($_POST['name']) and !empty(isset($_POST['name'])?
I would go a bit different way, first setting $name = trim($_POST['name']) and then checking if !empty($name). Same for e-mail.
And it should be noted that mysql_escape_string() is depracated in PHP 5.3 and mysql_real_escape_string() should be used.
All in all though – nice tut. Thanks!
( )Diego SA May 18th
Cool! Very interesting!
( )kevinsturf May 18th
this is very useful, i had always wondered how you would do this like how payment is received for verification if you bought something.
( )payam May 18th
very nice
( )thanks
lawrence77 May 18th
Phillo is xcodetuts.com is your site?
Anyway nice tut man, looks cool after some days
( )bruno May 18th
Very useful.
( )I need to implement a system like that in a site i am making.
Jonas May 18th
The regular expression part that checks for the TLD (“[a-z]{2,3}”) is wrong. There are several TLDs that have more than three characters, e.g. .info, .name, .coop, and .museum. The correct regular expression should be [a-z]{2,6}.
( )Brian Crescimanno May 18th
I realize that security is not the focus of this tutorial, but using un-salted MD5 to store passwords leaves the passwords pretty darn vulnerable. Especially when you are generating a four digit random number for the default password. I understand that it’s only meant as temporary. But a temporarily valid account is *still* a valid account.
While again, I understand that this is not a security article, I want to be sure that someone points out for people who use your examples that they are not really ready to be deployed into a real world environment as is (and before anyone says “That should be obvious” remember that the whole reason PHP got a bad rap in the first place was people following example code that was wide open to SQL Inection).
Great article–and it gives people a good starting point to implement such a system!
( )Palusko May 18th
I guess as a defense it can be said, that anyone who needs this kind of tutorials is still a beginner and very unlikely is working on some big scale e-commerce site where this kind of vulnerability would be a big issue. Honestly, my head is spinning just going through all this code as it is, if a real world security had been implemented into this tutorial, I think it would make learning from it actually more difficult and thus would not be as helpful. Don’t get me wrong, I certainly consider security issues extremely important, but at this case, it would be like trying to run before knowing how to crawl. I think for the target audience (which is me
, this is the way to go.
( )Brian Crescimanno May 19th
An interesting perspective; and one I agree with to a point. The problem is (as has been demonstrated in the past) inexperienced programmers not understanding that this code is not production ready and the methods used are highly insecure. I’m not suggesting that a full primer on security should have been included in the article; but at the very least some notice for the inexperienced programmer that they should not be copying and pasting this code into their projects because of extreme security concerns.
Consider this quote from the article: “My choice is to use MD5, because it generates a hash of 32 characters which is secure and, in this case, impossible to crack.”
Here, the author is leading an inexperienced reader to believe that security considerations HAVE been taken into account when they quite obviously have not been. Nothing about his implementation (or md5 in general) is anywhere close to impossible to crack.
This type of disservice was done to the PHP community for years in the form of so many “Teach yourself PHP…” tutorials and books that have led to this very wrong notion that PHP is an “insecure” language. I hope we can avoid it in the future!
Dan August 9th
Agreed, anyone using this tutorial is not going to be doing anything major anytime soon. So all you security freaks just relax, it’s a tutorial not a security this or a sql injection that. If you want all that in a tutorial go buy a book.
Jeff May 18th
I’m a regular reader of this site, and this has to be one of the most practical I have ever seen. I’m not new to web design but I am new to PHP and having worked with ASP it is SOOOO much clearer.
Great tutorial – my only question is this – How can I format the e-mail a llittle better?
Cheers
( )Philo May 18th
Hey Jeff,
You can use allot of different methods to send a email with PHP.
The one I used in the tutorial is the PHP mail function.
Besides clear text, you can send HTML & CSS styled emails by changing the so called “content-type”. You can find more about it here at php.net:
http://php.net/function.mail
Example #4 is the one you need, feel free to ask again if you can’t figure it out.
( )And thanks for your kind comment!
Shane May 18th
If you’ve tried ASP, you may want to look at ASP.NET; you may find that that is even cleaner
( )Rob May 19th
Yes thats totally correct!
In ASP.NET all you have to do is important a Power Point File into the compiled dll headers file.
Then cross link it with an excel spreadsheet and voila just by using the drag and drop mouse and having no clue what you are actually doing you just created an email verification system.
GO ASP!
Thomas Milburn May 18th
Its a good tutorial but not a great one for a number of reasons. Firstly your email verification regular expression is flawed. It doesn’t cover all possibilities for email addresses as defined by rfc 2822 see http://haacked.com/archive/2007/08/21/i-knew-how-to-validate-an-email-address-until-i.aspx You might m=not think this important but I have had a couple of customers with obscure email addresses sign up to my web application. If I hadn’t used the correct regular expression they would have been rejected.
Secondly, security: a four digit number encrypted with MD5 is not secure. To be honest with you there is no point encrypting such a short length password without using a salt. Since any attacker knows passwords are 4 digits a brute force attack could take a matter of minutes. Brute force can also be used on the generated hash. Although it is MD5 encrypted, there are only 1000 different possibilities of the hash, not great.
There is no need to escape name and email address twice in index.php, once is quite enough. The script should check that a given username doesn’t exist before inserting a new one.
Otherwise, its a great technique that you have demonstrated and the tutorial is well explained
( )Dj May 18th
@mssr. Milburn… You make some great points. How about posting a file with “enhancements/corrections” that you suggest included – for those of us a bit less initiated to this stuff than you seem to be?
( )david May 18th
You are right this is really a badly written tutorial.
Perhaps allowing the user to set the password only after verifying would be a better option and then storing it properly with a single or double salt.
( )Abhijit May 18th
The tutorial is good enough for beginners. However you can’t use this in real world applications. Also the writer uses lots of deprecated PHP stuff – the mysql extension itself has become obsolete now and one should be using the mysqli extension. Also functions like mysql_escape are marked as deprecated on the PHP.net site itself. PHP is a very easy and forgiving language and because of this people can go on with bad practice.
( )sam May 18th
when I see php like this it makes me glad I use asp.net..
( )Shane May 18th
( )Rob May 19th
When I see people using ASP.net.. I laugh!
Just because Microsoft doesn’t provide a
“I’m gay and need a visual editor” IDE for PHP doesn’t mean ASP is better.
( )Shane May 19th
Great comment Rob. Great comment.
Neil May 19th
Yea, I agree, Net Tuts need more .net articles!
( )Rob May 20th
No it doesn’t .NET is the greatest easiest platform EVAR!
Code practically writes it self in .net no tuts needed. After you spend the boat load of money to get a legal environment up and running all you have to do is click the mouse.
Just click, drag, drop and presto you recreated and exact replica of Facebook and you can start making millions.
SHAZAM!
Ben May 18th
Incredible tut! Thank you so much. Very helpful
( )david May 18th
From php.net “preg_match(), which uses a Perl-compatible regular expression syntax, is often a faster alternative to ereg()”
Also storing the hash is a total waste of memory. Just hash the supplied email with a known value and use that.
$hash = mdr($email + YOUR_SECRET);
$link =’?’ . $email . ‘&’ $hash;
This is much easier and does not waste database space.
( )Luiz Janela May 19th
Using the email can be a problem, ’cause some users can use the same email.
If it has a validation that uses uniques email, it’d work very nice.
( )Philo May 18th
Thanks for your improvements, I will update the article with your comments!
( )david May 18th
A couple more improvements instead of:
* {
// stuff
}
you should use a proper css reset.
Also you should look at other hash functions. md5 is really showing its age. not that this is high security stuff but there are much better options out there.
Using empty to determine if a name is valid is also wrong. There are lots of non empty values which are not names. A better design aproach would be to determine first if the page is posted check $_POST for that. Then to itterate though each posted value and determine its validity using a well tested regular expression.
You do alot of stuff like this:
$_GET['email']) && !empty($_GET['email']) AND isset($_GET['hash']) && !empty($_GET['hash']
You might try using super global wrapper functions like these: http://code.google.com/p/ramaboo/source/browse/trunk/Boo-2.0.0/functions/superglobal.php
that way you can just do
$var = _get(‘email);
It saves a lot of code!
( )John May 19th
David, if you don’t mind, can you elaborate on your last point? If I understand this correctly, this is a clean way to make sure a value of any kind is present in a Super Global. However, I would still need to continue on with sanitizing those values, correct? If so, are there any Super Globals that do not require sanitizing? Like can $_SERVER be trusted? If not, how would one sanitize $_SERVER? …would it be best practice to create a regular expression to test for? Is this overkill?
Thank you for your feedback.
PS – Philo – I really enjoyed the article. Thank you
Dan August 9th
@David do you think you’ve made your point yet? Jesus mate its just a tiny tutorial not the PHP Bible go to the beach man or get a haircut. Or better yet write a tutorial with all your super improvements in it, and see if you can make it as clear and as short as this one.
Merxhan May 18th
One of the best tutorials I have read on NET.Tutsplus.
I like your way of coding, you comment almost everything. Good principle, and your code looks clean and understanding.
A million thanks
( )Kevin Kirsche May 18th
Very useful tutorial! Thanks
( )Carl - Web Courses Bangkok Instructor May 18th
I like the use of the mysql_escape_string() method. Its important for programmers to protect their code at all times. Also this code is tight in that it checks for more than just one thing at all times and hashing users passwords is also important for their security.
Thanks and great tutorial!
…however, wonder if there any hackers who would say how they could break into a simple registration and login system, so we can learn how to be even more secure?
hehe
( )Travis May 18th
Is it really wise to pass the email through the url. Email addresses are more transitional than URL addresses since you can pass special characters such as -_’: and more. However most of these get converted to hex when parsed to an url so wouldn’t that screw up the script and have the script looking through the for no%21you@hotmail.com. In that case the email will never be activated.
( )Kris May 18th
That’s so awesome…thank you for taking the time to go through this. I look forward to implementing this functionality. Thanks!
( )B A B U May 18th
Nice tutorial. Tanx
( )Horus May 19th
Great, but in PHP5 there’s more simple to validate email :
if (filter_var($sEmail, FILTER_VALIDATE_EMAIL)) {
( )echo “OK”;
}
else {
echo “NOT OK”;
}
iobox May 19th
Nice tuts but you should use mysql_real_escape_string() and not mysql_escape_string() as it’s deprecated.
( )Ahmed May 19th
thank you very, i love your site, it’s the best
( )mahmoud kamal May 19th
good this is a simple sctript but your code is very nice
web developer , php developer
mr. mahmoud kamal
( )k42b3 May 19th
hey great article for beginners but plz use a salt and pw length > 6 signs … k that was already said in the comments before but maybe you should use the php filter function instead of regex
filter_var($email, FILTER_VALIDATE_EMAIL)
regards
( )arnold'C May 19th
thanks,I hope you create more simple and yet very important tuts for php noobs
( )arnoldC May 19th
this is somehow a very important tut for php,thanks
( )Jamal May 19th
Thanks, good tutorial. I was searching for this all over google. This one is simple and easy to follow.
( )Tanzmusik May 19th
Imho the eMail should not be pulished in the activation url, a hash is unique enough when you save something like sha2(time().$username)
Also the email-verification regex maybe block several email adresses like
( ).info, .museum, .name easy to fix, but you shouldn’t block those domains
Rob May 19th
Great Tut But…
There is a slight error with your hash. It will be possible that some people have the same hash. This is thing that I have worked on myself and I came up with this:
1) Insert the person in the DB and get back their person_id…
2) Make a hash from that… make a cool hash though, don’t Just MD5( person_id ) do something fun:
MD5( person_id . ‘_::_The_big_lebowski–’ );
Pick your own favorite movie!
That will prevent the evil people from guessing your hash generations.
Once you got that then update the person. Its a two step process but in the end safer.
( )Luiz Janela May 19th
The same thing i noticed. I thought ’bout using the md5 of the e-mail, so the e-mail must be unique.
In the case of using ‘_::_The_big_lebowski–’ , doesn’t make a big difference for me, but is a lil stupid =)
( )Rob May 20th
1) Lebowski is never stupid take it back!
2) If you just MD5 the id I suspect evil persons try sequential MD5 attempts.
So I add the “awesome” Lebowski stuff to hopefully throw them off the trail. I mean who would accidentally guess that?
Martyn Web May 19th
If I was a little more comfortable with my php and mysql skills I would defiantly give this ago but until I have to do this then Im probably not gonna try this out. Handy for the future though.
( )gk May 19th
If you have to write hundreds lines of code for such a basic functionality you should rethink your framework and language.
( )RoR + authlogic does the same with a few lines of code – and really secure. You shouldn’t have to deal with such basic stuff, it’s boring
Rob May 25th
Hey Ruby FanBoy!
Go suck eggs, Ruby would require just as much coding and prep as it would in any other language. Not to mention you probably have to tell users to browse to http://www.yourstupidserver.com:58889/yourstupidapp.
Nice URL moron!
Learn to re-use code correctly and stop relying on a gay framework!
Leave the ROR spermgasms for some other site.
( )Simon May 19th
Nice work, but why not use FILTER_SANITIZE_EMAIL and FILTER_VALIDATE_EMAIL ?
( )Whatever, nice tut
Philo May 19th
An update will be applied to the post soon, which includes:
Password generation now Salted with secret word.
( )Changed rand() into mt_rand()
Changed part of email validation
Changed mysql_escape_string into mysql_real_escape_string
Brian Crescimanno May 19th
I would also add a note that this code is not fit for production due to lax security and it serves only as a demonstration of how such a system would be created. In that regard, it’s a great tutorial–but I honestly worry about inexperienced developers not realizing that doing a copy-paste job on this will leave the system very vulnerable.
( )Luke May 19th
It is tutorials like these that make me happy to be a Plus member and support the Tutsplus sites.
( )Matt May 19th
Woudln’t it be better to create a non_active_users and an active_users table in the database? This way you wouldn’t have to constantly check if a user is active or not, just by looking in the active_users table you’d know they’d been through the activation process. You’d also be able to have “profile fields” (like hometown, dob etc.) in the active_users table and not in the non_active_users table because they’d always be blank in the non_active_users table
( )Simon May 19th
It’s good to see that you are going to update the tut with some advice given in the comments.
( )You’re really doing a great job Philo
Thanks again !
Philo May 19th
Thanks Simon, appreciate your comment.
( )I’m doing my best to keep everyone happy!
And besides teaching others, I learn from the users comments, and will try not to make the same mistake twice.
Simon May 20th
You’re welcome !
Can’t wait to see your portfolio back online
tom May 19th
i would like to a few articles just on common security problems
( )Alexis May 19th
Great Tutorial, Thanks
( )Alex McCabe May 19th
you would not believe how helpful this will be. pity i do not have the time right now to go through it. have an exam soon. argh. as soon as its done, i will work my way through. thank you very much =D
( )xawiers May 19th
Poor performance in this example – table has no indexes
( )John May 20th
GREAT.. Yet another regex that doesn’t support + filtering. Please don’t tell people how to write their own email validation scripts when your code doesn’t even comply with email standards. It just means there will now be even more incorrect implementations out there.
( )Anthony Cook May 20th
Thank you, this is an awesome tut!
One suggestion is that you add some code to stop multiple users signing up with the same username, it could get messy.
( )Anthony Cook May 20th
Also the same go’s for using the same email address
( )Thomas Verschoof May 20th
I was looking for such a script. Never thought that it could be so easy (was thinking to much in chaos theory). But I do agree with Anthony Cook to which I want to say: “Beginners don’t know such a thing so it is good that you mention it! But for al the more advanced scripters around here it is obvious that Philo just shows us how he would create a simple mail activation function on which you can build a bigger application for users to login”. Thank you Philo for sharing this with us. Keep on going! You Rock!
P.S. Maybe a hint for a new tutorial: password reset when using md5! (I think starters would like to see such a tutorial on nettuts!)
( )Woody Payne May 20th
Superb tutorial, thank you! Really found this helpful, I wasn’t 100% sure how to string all of this together and it helped me finish it off. Keep up the good work!
( )Sasa May 20th
“if(isset($_POST['name']) && !empty($_POST['name'])….”
( )This is stupid! Just “!empty” will be enough. You must write less code if you worry about speed and quality
Paadt May 21st
Nice tutorial!
General notice:
I think it would be good for tutplus to have a bit higher standard with the tutorials. What I mean is use best practices in the examples…
Like mysqli instead of mysql etc. Even though it has nothing to do with the actual purpose of the totorial, it is nice to integrate best practices.
( )Phiilips May 22nd
Nice tutor, phil….
( )Tom May 22nd
Great tutorial! However instead of creating a field for the hash you could preform the user insert query and then catch the users unique id using mysql_insert_id() you could then hash this and send it in the verification email alone without the users email address and then when the user has clicked on the link you could and comes to the verification page then… UPDATE… WHERE MD5(id)=’$hash’
Just a suggestion… Still… great tut!
( )Gabriel Amorim May 22nd
Cool, loved it
Keep the work up !
( )Daniel Groves May 23rd
Excellent, that will definatly come in useful!
( )Abu May 23rd
Thansk so much Philo…
Very Nice….
Excellent..!!!
I Waiting for the next post from you Mr.Philo.
( )Jim Gaudet May 25th
Perfect as usual. Thanks. I have done this already and it was nice to see that I did it correct..
( )Balu May 27th
Nice tutorial
( )Filip Stefansson May 27th
Thanks alot! Really helpful.
( )Roberto May 28th
Nice tutorial. Thanks!
( )Philips Tel May 28th
Good job..thx
( )Ethan May 29th
I would like having this using XML instead of MySQL
( )leo May 29th
great tutorial!!!
PLAease can someone help me ??????
I am trying to find the ebst way to create an e-magazine like:
http://www.bakdergisi.com/index.php?sayfa=index&language=en
or like http:www.newwebpick.com emagazine.
pls if you take you time to look and download the emagazine and help me with that i can give you an award if that is the right word in english for your time to help me. can send via paypal.
thank you.
( )James Robertson May 30th
Reallly nice tutorial, thanks.
( )Al June 6th
You have no idea how long I was looking about how to do ALL of this in a good and easy to follow tutorial!
I think from this I will be joining the subscription soon
Thanks for your help
( )computernoob June 8th
$message is not formatted. How come the e-mail still outputs it formatted? I mean you have no \n or tags to format the line-breaks, yet the e-mail looks perfect.
I tried echo’ing that and it didn’t work.
( )Pulsedirectory June 12th
Thanks for the tutorial, i also read every last comment so was picking up on what people are saying regarding security too.
Im learning at the moment so the awareness of security brought to peoples attention by people commenting here is useful.
As some others mentioned its meant as a guide, not to copy the tut without adding your own security.
Thanks for your time putting the tutorial together.
( )Hooman Asgari June 17th
great tut, I still wonder, why no one writes a decent tutorial like this one on creating a search form with php mysql.
( )Jeff, do somthing if possible
Tebogo Moloi June 25th
Great tut!
I need a bit of help with the following, the verification mail can’t be sent I get a error that says “Verify SMTP or smtp_port” and I just can’t figure it out.
P.S I’m new to PHP so don’t be hash is your reply.
I’m using xamp if that helps.
( )prafuldass June 28th
Great tutorial! thank you.
( )mehedi June 30th
This is something new comers always need.
However thnks for all you did.
( )dp July 15th
awesome tut…really helped
( )Frank picawho July 18th
HI I am trying to use the same method of verifying an email to verify whether a software has been registered before. Eg I want to get User Name, Email, Password and Machinename back to the calling program after user email verification.
( )Arunmozhi. A July 20th
Very Nice Tutorial, Very much helpful for beginner and approach and text are simple and easy to understand. Write more tutorials like this for other basic needed concepts like paging, session, etc.
( )xiao php August 3rd
Wow.. I haven’t seen this tutorial before, but my method is quite similar to you, and I am a new php programmer, I am so happy ^<,^
( )Brian August 12th
Nice one, have read through the great pile of feed back here, did you ever get round to re-publishing the tutorial?
You are supportive of some and none responsive in other.
I am not a code tec or other but would like to have something that is safe and works well.
heading up to 70 I have found the internet late in life and enjoy so much but need ready to commercial scripts and I almost thought your jobbie was class, till I read the feed back.
Chat some when you are available.
bki
( )@gniczz August 19th
Nice Tutorial…
( )Adrian September 3rd
For the people that say that a hash made just out of a random number: Why not just make a hash using a random sequential number plus any piece of the user’s information, such as the email address?
Such as md5(rand().$email)
Maybe even add a “secret” string at the end like a couple of people mentioned. That way you’d get a much more secure hash.
( )Hakai September 9th
love this tut! and i guess it was great to have found this tut late.. i learned waaaaaaaaayyy more just from the comments alone..
i’ve been wanting to play with email verification but didn’t know where to start.. and this tut is exactly what i needed.. i’ll just have to integrate everything i’ve learned here.. harharhar..
thanx alot Philo! cheers!
( )HiddeN September 18th
Thanks
, This tutorial helped me a lot !!
it help me to understand how php/mysql works *_^
Regards,
HiddeN
( )website design india September 21st
Excellent tutorial this not only helped the beginners but as per me the advanced segment people as well..
Well done mate
( )Joe October 12th
Nice Tut!
( )Karl October 15th
Why not consonate mt_rand four times to give a secure 16 digit key?
( )Михаил Кузьмин October 31st
Занятно, хотя не мешало бы чуть поподробнее написать, а то есть немножко непонятных моментов
( )Blubb November 2nd
Very nice tut.
you forgot to put some ‘ ‘ to following line:
$to = ‘$comp_eu_email’;
I kep getting the error: no addresses send to header
( )knighthooood November 20th
Nice work great article , clean explanations.
( )punoii December 7th
thank you so much. A lot of detail in this tutorial
( )Vitalic December 28th
Nice tutorial….thx men for helping us!
( )Vitalic December 28th
One more thing. Really for beginers like me. Set mail server for verification.
I spend some time search how to set this.
http://www.phpeasystep.com/phptu/23.html
I hope this will help someone.
( )