Sending authentication mails

Hi,

When users register on our website, their username, encrypted
password and so on are stored in the mySQL database.

Many phpbb sites though send an activation mail to the email address
specified by the user. The user then needs to select a link to get his
account activated.

I would like to implement this process, can anyone tell me how this is done?

Thanks,
Bert.
Jan 19 '06 #1
Bert Bos wrote:
> When users register on our website, their username, encrypted
> password and so on are stored in the mySQL database.
>
> Many phpbb sites though send an activation mail to the email address
> specified by the user. The user then needs to select a link to get his
> account activated.
>
> I would like to implement this process, can anyone tell me how this is done?


After the registration data is saved to the database, send them a link
to a validate.php script

http://www.example.com/validate.php?code=78Jh5qM0

The code in the link could be random and saved to the database.
When, later, the user accesses the script, you search the database for the
code and update the record indicating that this particular user has
validated.

$sql = "update user_table set validated=1 where code='{$_GET['code']}'";

Make sure every (unvalidated) code is unique in the database.

Also try to prevent people from validating random accounts by locking
out a 'connection' that fails after three (or whatever) attempts.

Hope this helps.

--
If you're posting through Google read <http://cfaj.freeshell.org/google>
Jan 19 '06 #2
On 19 Jan 2006 20:17:02 GMT, Pedro Graca <he****@dodgeit.com> wrote:
> $sql = "update user_table set validated=1 where code='{$_GET['code']}'";


I'm sure you know better than to do this :-) SQL injection ahoy - remember to
escape appropriately, or use a library that implements (or at least emulates)
placeholders.

This is actually quite a good demonstration of SQL injection risks; you could
call the script as:

validate.php?code='+or+'a'%3d'a

... and it'll set validated=1 without the right code, as you end up with the
SQL as:

update user_table set validated=1 where code='' or 'a'='a'

--
Andy Hassall :: an**@andyh.co.uk :: http://www.andyh.co.uk
http://www.andyhsoftware.co.uk/space :: disk and FTP usage analysis tool
Jan 19 '06 #3
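
The injection described in the post above and the placeholder fix it recommends, as an added example that is not part of the thread. The table rows are constructed, and an in-memory SQLite database accessed through PDO stands in for MySQL so the script runs without a server.

```php
<?php
// Added example: constructed schema and rows; SQLite in memory stands in for MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("create table user_table (username text, code text, validated integer default 0)");
$db->exec("insert into user_table (username, code) values
           ('alice', '78Jh5qM0'), ('bob', 'Qz81LmP4'), ('carol', 'x0Rt77Ua')");

// What $_GET['code'] holds after PHP URL-decodes validate.php?code='+or+'a'%3d'a
$code = "' or 'a'='a";

// 1) String-built query from the thread: the input closes the quote and
//    rewrites the WHERE clause, so the condition is true for every row.
$affected = $db->exec("update user_table set validated=1 where code='{$code}'");
echo "string-built query, crafted input: {$affected} row(s) validated\n";

// Reset the constructed data before the second run.
$db->exec("update user_table set validated=0");

// 2) Prepared statement with a placeholder: the SQL text is fixed and the
//    input is bound as a value, so it is only ever compared against the code column.
$stmt = $db->prepare("update user_table set validated=1 where code = :code");
$stmt->execute([':code' => $code]);
echo "placeholder, crafted input: {$stmt->rowCount()} row(s) validated\n";

// A genuine code still validates exactly the account it belongs to.
$stmt->execute([':code' => '78Jh5qM0']);
echo "placeholder, real code: {$stmt->rowCount()} row(s) validated\n";
```

With the crafted input, the string-built query validates every account in the table, while the prepared statement matches no row.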
Pedro Graca wrote:
> Bert Bos wrote:
>> When users register on our website, their username, encrypted
>> password and so on are stored in the mySQL database.
>>
>> Many phpbb sites though send an activation mail to the email address
>> specified by the user. The user then needs to select a link to get his
>> account activated.
>>
>> I would like to implement this process, can anyone tell me how this is done?
>
> After the registration data is saved to the database, send them a link
> to a validate.php script
>
> http://www.example.com/validate.php?code=78Jh5qM0
>
> The code in the link could be random and saved to the database.
> When, later, the user accesses the script, you search the database for the
> code and update the record indicating that this particular user has
> validated.
>
> $sql = "update user_table set validated=1 where code='{$_GET['code']}'";
>
> Make sure every (unvalidated) code is unique in the database.
>
> Also try to prevent people from validating random accounts by locking
> out a 'connection' that fails after three (or whatever) attempts.


For some reason, basing something like this with just a single
credential to the database makes me squirmish. I personally would
validate by asking for their email (whether it's in the URL or
what-have-you) and issue a query like this:

select user_id from user_table where user_email = '$escaped_username'
and code = '$escaped_code'

If no results were returned, then either the code doesn't match with the
email, and therefore isn't really an account validation after all...

--
Justin Koivisto, ZCE - ju****@koivi.com
http://koivi.com
Jan 19 '06 #4
Andy Hassall wrote:
> On 19 Jan 2006 20:17:02 GMT, Pedro Graca <he****@dodgeit.com> wrote:
>> $sql = "update user_table set validated=1 where code='{$_GET['code']}'";
>
> I'm sure you know better than to do this :-) SQL injection ahoy - remember to
> escape appropriately, or use a library that implements (or at least emulates)
> placeholders.


Of course! I was just testing the audience :-)

Thank you for being on the lookout and calling attention to the errors
committed. It's appreciated.

--
If you're posting through Google read <http://cfaj.freeshell.org/google>
Jan 20 '06 #5
Justin Koivisto wrote:
> Pedro Graca wrote:
>> After the registration data is saved to the database, send them a link
>> to a validate.php script
>>
>> http://www.example.com/validate.php?code=78Jh5qM0
>>
>> The code in the link could be random and saved to the database.
>> When, later, the user accesses the script, you search the database for the
>> code and update the record indicating that this particular user has
>> validated.
>>
>> $sql = "update user_table set validated=1 where code='{$_GET['code']}'";
>
> For some reason, basing something like this with just a single
> credential to the database makes me squirmish. I personally would
> validate by asking for their email (whether it's in the URL or
> what-have-you) and issue a query like this:
>
> select user_id from user_table where user_email = '$escaped_username'
> and code = '$escaped_code'
>
> If no results were returned, then either the code doesn't match with the
> email, and therefore isn't really an account validation after all...


In real life I'd have a different table with the validation codes. This
table would also have a datetime for the limit of the validation code
(eg one week after sending the email) and the specific record would be
deleted when no longer needed.

I'd probably also make the 'validated' column a 'status' column, linking
to a status table (Pending, Validated, OnVacation, Deleted, ...)

Well ... there are always lots of ways to complicate what begins as a
simple task :)

--
If you're posting through Google read <http://cfaj.freeshell.org/google>
Jan 20 '06 #6
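
The design discussed across posts #2, #4 and #6 (a random code, a lookup on e-mail plus code, a separate table with an expiry, and deletion of the record once used), as an added example that is not code from any poster. The `validation_codes` table, the function names and the choice to store only a SHA-256 hash of the code are assumptions; in-memory SQLite via PDO stands in for MySQL, and PHP 7.1 or later is assumed.

```php
<?php
// Added example: names and schema are assumptions; SQLite in memory stands in for MySQL.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("create table user_table (user_id integer primary key, user_email text unique,
                                    status text default 'Pending')");
$db->exec("create table validation_codes (code_hash text primary key, user_id integer,
                                          expires_at integer)");

// Issue a code. The return value goes into the e-mailed link; only its hash is
// stored, so a leaked table does not hand out usable activation links.
function issue_code(PDO $db, int $userId, int $ttl = 604800): string  // one week
{
    $code = bin2hex(random_bytes(16));   // 128 bits from the OS CSPRNG
    $db->prepare("insert into validation_codes values (?, ?, ?)")
       ->execute([hash('sha256', $code), $userId, time() + $ttl]);
    return $code;
}

// Redeem a code: e-mail and code must belong to the same unexpired record.
// On success the account is marked Validated and the code record is deleted.
function redeem_code(PDO $db, string $email, string $code, ?int $now = null): bool
{
    $now = $now ?? time();
    $db->beginTransaction();
    $q = $db->prepare("select v.user_id from validation_codes v
                       join user_table u on u.user_id = v.user_id
                       where v.code_hash = ? and u.user_email = ? and v.expires_at > ?");
    $q->execute([hash('sha256', $code), $email, $now]);
    $userId = $q->fetchColumn();
    if ($userId === false) { $db->rollBack(); return false; }
    $db->prepare("update user_table set status = 'Validated' where user_id = ?")->execute([$userId]);
    $db->prepare("delete from validation_codes where user_id = ?")->execute([$userId]);
    $db->commit();
    return true;
}

// Constructed demo data and the four cases worth checking.
$db->exec("insert into user_table (user_id, user_email) values (1, 'bert@example.com')");
$code = issue_code($db, 1);
var_dump(redeem_code($db, 'other@example.com', $code));                 // e-mail does not match
var_dump(redeem_code($db, 'bert@example.com', $code, time() + 700000)); // past the expiry
var_dump(redeem_code($db, 'bert@example.com', $code));                  // valid and in time
var_dump(redeem_code($db, 'bert@example.com', $code));                  // record already deleted
```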
