I need to create an activation system for a website. The user registers, gets an email, then clicks a link with a secret key in the query string, and a script on my end decodes it.

My question is not on the programming itself, but rather, what is a good way of generating the link? Hashing was a thought but it is one way. Should I be encrypting something? Does anyone who has been tasked with this same thing have any insight?

Is there a way to do it that both: Does not store any secret code in the database, Does not put any obvious user info in the query string

The user is in a table with primary key id and other info. It does not need to be insanely secure but should not be easily breakable. I'm doing this with php. I couldn't find a similar question so if I have overlooked one I would appreciate a link.


Solution

I have done this before by doing an md5 on the concatenated record id and email address. You could throw in a few extra characters or fields if you want. Then when the user clicks the link you just run the same select again to see if you get a match.

-- generate the key
select md5(concat(id, email, 'Some custom text')) as `verification_key` from ...

-- verify the user ($verification_key is the value taken from the query string)
select * from user where '$verification_key' = md5(concat(id, email, 'Some custom text'));

Then you can update the user record to mark as verified.
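The same scheme in PHP, as an added example that is not part of the question or the answer above. It follows the answer's design (nothing stored per user, only the token in the query string, verification by recomputing over candidate rows) but uses a keyed HMAC instead of an unkeyed md5 with a fixed string, so the secret lives in server configuration rather than in the SQL text, and compares tokens with hash_equals. The secret value, the URL and the user rows are constructed placeholders.

```php
<?php
// Added example; not code from the question or the answer.
// Keyed variant of md5(concat(id, email, 'Some custom text')): the token is an
// HMAC over the record id and email under a server-side secret (assumed to be
// loaded from config, never stored in the user table).
declare(strict_types=1);

function activation_token(string $secret, int $id, string $email): string
{
    // A separator keeps (id=1, email="2x") from colliding with (id=12, email="x").
    $material = $id . "\0" . strtolower(trim($email));
    return hash_hmac('sha256', $material, $secret); // 64 lowercase hex characters
}

function activation_link(string $baseUrl, string $secret, int $id, string $email): string
{
    // Only the token goes into the query string: no id, no email.
    return $baseUrl . '?key=' . rawurlencode(activation_token($secret, $id, $email));
}

/**
 * Mirrors the answer's "run the same select again": recompute the token for
 * every unverified candidate row and look for a match. hash_equals() runs in
 * constant time, so the comparison does not leak through timing.
 *
 * @param array<int, array{id:int, email:string}> $unverifiedUsers rows from the user table
 * @return int|null matching record id, or null when no row matches
 */
function verify_activation(string $secret, string $key, array $unverifiedUsers): ?int
{
    foreach ($unverifiedUsers as $row) {
        $expected = activation_token($secret, (int) $row['id'], (string) $row['email']);
        if (hash_equals($expected, $key)) {
            return (int) $row['id'];
        }
    }
    return null;
}

// --- constructed sample data standing in for the user table ---
$secret = 'PLACEHOLDER-load-a-long-random-value-from-config'; // placeholder, not a real secret
$users = [
    ['id' => 7,  'email' => 'alice@example.com'],
    ['id' => 12, 'email' => 'bob@example.com'],
];

$link = activation_link('https://example.com/activate.php', $secret, 12, 'bob@example.com');
echo $link, PHP_EOL;

// Simulate the click: pull the key back out of the query string and verify it.
parse_str((string) parse_url($link, PHP_URL_QUERY), $query);
$key = (string) ($query['key'] ?? '');
$matched = verify_activation($secret, $key, $users);
echo $matched === null ? "no match" : "activate user id {$matched}", PHP_EOL;

// A key with one character altered must not match any row.
$bad = substr($key, 0, -1) . ($key[-1] === 'a' ? 'b' : 'a');
var_dump(verify_activation($secret, $bad, $users) === null);
```

Two caveats a practitioner should weigh. Because the token is derived only from stable fields, it never expires and stays valid for as long as the row is unverified; putting a timestamp into the HMAC input and into the link adds an expiry at the cost of one more query parameter. And, like the answer's second select, verification recomputes the hash for every candidate row; carrying the record id in the link would make it a single lookup, but the id is then visible in the URL, which the question wanted to avoid.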

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow