How to implement email verification with php?

Question

I'm using php and laravel as a framework. I want to let user be able to activate their accounts through email.

I have no experience with this however. I already set up a form that asks for username, email and password.

Would this still be the best way to go about it in 2013?

http://net.tutsplus.com/tutorials/php/how-to-implement-email-verification-for-new-members/?search_index=8

So:

1. I need to create a database field for a hashed password.
2. On user account creation create a random password for this field and email it to them.
3. Provide link with the password and user id in the url to a page that compares the emailed password with password in db field.
4. Activate account(set active to 1) when the passwords match.

Something along those lines?

Answer 1

Email verification is a simple process there is two way to verify email either by sending code to user email address or by sending link both works same here is a sample code from a tutorial http://talkerscode.com/webtricks/account-verification-system-through-email-using-php.php on TalkersCode

// Table Scheme for Verify Table
CREATE TABLE `verify` (
`id` int(11) NOT NULL AUTO_INCREMENT,
`email` text NOT NULL,
`password` text NOT NULL,
`code` text NOT NULL,
PRIMARY KEY (`id`)
) ENGINE=MyISAM AUTO_INCREMENT=6 DEFAULT CHARSET=latin1

// Table Scheme for verified_user table
CREATE TABLE `verified_user` (
`id` int(11) NOT NULL AUTO_INCREMENT,
`email` text NOT NULL,
`password` text NOT NULL,
PRIMARY KEY (`id`)
) ENGINE=MyISAM AUTO_INCREMENT=6 DEFAULT CHARSET=latin1


if(isset($_POST['register']))
{
$email_id=$_POST['email'];
$pass=$_POST['password'];
$code=substr(md5(mt_rand()),0,15);
mysql_connect('localhost','root','');
mysql_select_db('sample');

$insert=mysql_query("insert into verify values('','$email','$pass','$code')");
$db_id=mysql_insert_id();

$message = "Your Activation Code is ".$code."";
$to=$email;
$subject="Activation Code For Talkerscode.com";
$from = 'your email';
$body='Your Activation Code is '.$code.' Please Click On This link <a href="verification.php">Verify.php?id='.$db_id.'&code='.$code.'</a>to activate your account.';
$headers = "From:".$from;
mail($to,$subject,$body,$headers);

echo "An Activation Code Is Sent To You Check You Emails";
}

if(isset($_GET['id']) && isset($_GET['code']))
{
$id=$_GET['id'];
$code=$_GET['id'];
mysql_connect('localhost','root','');
mysql_select_db('sample');
$select=mysql_query("select email,password from verify where id='$id' and code='$code'");
if(mysql_num_rows($select)==1)
{
    while($row=mysql_fetch_array($select))
    {
        $email=$row['email'];
        $password=$row['password'];
    }
    $insert_user=mysql_query("insert into verified_user values('','$email','$password')");
    $delete=mysql_query("delete from verify where id='$id' and code='$code'");
}
}

Answer 2

In your explanation you forgot the most important part: the random hash. Compare the hash, not the password. The guide explains it correctly.

The guide looks solid.

I would implement a better random password generator though, rand(1000,5000) is really not very good. You could even set up a first-time logon that asks for a password.

Answer 3

A warning: According to the PHP Manual, EREGI is DEPRECATED! http://php.net/manual/en/function.eregi.php

preg_match would be a good option. http://www.php.net/manual/en/function.preg-match.php