User account validation with code in an email link

Question

I am trying to make a little system where a user signs up to my site and they get one of those emails that has a link in which they click to activate their account.

So far I am thinking of doing it the following way:

1. User signs up and presses submit.
2. A long random string is created and put into the database against this new "inactive" account.
3. An email is sent to the address the user gave, containing a link to say "www.mysite.com/userclass/validationmethod/user@email.com/3423frqfafkop2341o43". The last bit being the validation code.
4. The user clicks the link.
5. The email and code match up to the account just created. The account is marked as validated/active.
6. The validation code that is stored in the database is deleted or marked as used??

What are your thoughts on this? Is this the best way to do it? As a little extra question, do I need to urlencode that email address?

---

I have gone with the following which seems to work well. Just have to add the database functions and it's sorted:

public function verifyAccount($vCode, $email) {
        $email = urldecode($email);
        if($userId = $this->model->userIdByEmail($email))
        {
            $actualCode = $this->model->getUsersVerificationCodes('code', 'userId', $userId);
            if($actualCode != $vCode)
            {
                $output = 'Invalid code or email.';
            } else {
                $output = 'Success!';
            }
        } else {
            $output = 'Invalid code or email.';
        }

        echo $output;
}

Answer 1

Looks fine to me i would also do this. But i wouldn't use the e-mail in the link. Use instead something like this: mysite.com/confirm_email/749c71f6a29220a3ec168df

EDIT: I think you don't need to urlencode the email but when you do it it might be easier to handle the adress.

I think another possible option would be:

mysite.com?email=urlencoded_email&confirm=u34h23ui4h234 depending on how you are handling url parameters.

Answer 2

I'd say there is no point in putting the email address in the link. If a person wanted to figure out this after they created a fake email, then already know the fake email and just add it to the link they will be spamming your server with to guess the random number. So just have the (large) random number (as random as you can get).

However, what you should do is put an expiration field for validation. You should only make that random number valid for maybe an hour or so. If they hit that link after the hour then it's no longer valid. This helps fight hackers since if they are guessing they need time and each fake account they register they get a new random number and only 1 hour of guessing time. If you can get a very long and good random number that should do a better job of fighting against hackers.

In your email have a support link for users to request another validation code and handle this manually so you can see any patterns happening. This should happen all that often.