Sending E-Mail to validate User Sign-up

In one of our last tutorials we covered how to verify that a user’s email address is formatted correctly as well as verify that it goes to a valid domain name. That is great, but still not a great way to make sure a user actually owns or uses that e-mail address. This tutorial will walk you through one method of sending the user an e-mail upon signing up that gives them a link to activate their account. This will require them to click on the link in the e-mail before they can actually login to the site. Let’s get started. First, let’s create a table to hold our user information. I made a database called teamtutorials on my local server and ran this to create the table.

CREATE TABLE `users` (
  `user_id` int(7) unsigned NOT NULL auto_increment,
  `display_name` varchar(20) NOT NULL,
  `password` varchar(255) NOT NULL,
  `first_name` varchar(25) NOT NULL,
  `last_name` varchar(25) NOT NULL,
  `email_address` varchar(255) NOT NULL,
  PRIMARY KEY  (`user_id`)
) ENGINE=MyISAM  DEFAULT CHARSET=latin1 AUTO_INCREMENT=0;

Now that the table is set up and configured the way we need it to be we can start creating the php files. We will start with the simple form file. This is adduser.php (it doesn’t have to be a php file but I do it so that If I add something later that is php it is already a php file.)

<form method="post" action="register.php" name="createuser">
	UserName:<input type="text" name="display_name" id="display_name"/><br />
	First Name:<input type="text" name="fname" id="name"/><br />
	Last Name:<input type="text" name="lname" id="surname"/><br />
	E-mail:<input type="text" name="email" id="email"/><br />
	Password:<input type="password" name="pass" id="pass"/><br />
	Confirm PW:<input type="password" name="pass2" id="pass2"/><br />
	<input type="submit" value="Sign Me Up!"/>
</form>

Next, we will need to create the register.php file that will be called when the form is submitted.

<?php
if ((!isset($_POST&#91;'display_name'&#93;))||(!isset($_POST&#91;'fname'&#93;))||(!isset($_POST&#91;'lname'&#93;))||(!isset($_POST&#91;'email'&#93;))||(!isset($_POST&#91;'pass'&#93;))){
		header('Location: https://tutorials.bot');
	}
&#91;/sourcecode&#93;

First, we start the php tag and then check for the POST variables to be set. If any of them are not set it will send them back to the creation form.

&#91;sourcecode language='php'&#93;
else
	{
		$servername='localhost';
		$dbusername='dbusername';
		$dbpassword='dbpassword';
		$dbname='full db name';
		global $link;
		$link=mysql_connect ($servername,$dbuser,$dbpassword);
		if(!$link){die("Could not connect to MySQL");}
		mysql_select_db($dbname,$link) or die ("could not open db".mysql_error());
&#91;/sourcecode&#93;

If all of the POST variables are set we continue by setting the server variables and creating the database connection. Ensure that you change the variables to your server access information.

&#91;sourcecode language='php'&#93;
		$display_name = $_POST&#91;'display_name'&#93;;
		$password = $_POST&#91;'pass'&#93;;
		$first_name = $_POST&#91;'fname'&#93;;
		$last_name = $_POST&#91;'lname'&#93;;
		$email_address = $_POST&#91;'email'&#93;;
		$sha_password = sha1($password);
		$hash_string = hash('md5',$display_name);	
&#91;/sourcecode&#93;

This just stores all the values into variables that are easier to work with so we don’t have to call the POST global every time. We sha1 the password because it is not reversible so it makes it the most secure. The hash_string is a md5 hash value of the display_name so that it isn’t easily readable. We use the display name because it will be unique and specific to the user. 

&#91;sourcecode language='php'&#93;
$query = "insert into `users` values(Null,'$display_name','$sha_password','$first_name','$last_name','$email_address',0,1,CURRENT_TIMESTAMP,Null,'$company_name',8);";
		mysql_query($query) or die ("Error in query: $query " . mysql_error());
		$user_id = mysql_insert_id();
&#91;/sourcecode&#93;

Next, we insert a row into our table that we made using the variables that were passed from the form. We also get the ID of the inserted row so we know what the user id will be.

&#91;sourcecode language='php'&#93;
		$headers = "From: activations@tutorials.bot \r\n";
		$validate_link = "https://tutorials.bot/validate.php?id=$user_id&string=$hash_string";
		$email_body = "Thank-you for signing up on tutorials.bot. Click on the link below to complete your registration. If you have any issues completing the verfication please let us know. \n\n $validate_link \n\n tutorials.bot Staff";
&#91;/sourcecode&#93;

This builds all the information needed to generate an e-mail using php. The headers sets the from field so that the email will be from a user (if you don’t set this it will be nobody (the user which apache runs under in linux). The validate link is a link to the file that will validate the user when they click on it. The \n command is the php new line command.

&#91;sourcecode language='php'&#93;
		if (mail($email_address,"tutorials.bot Sign-Up",$email_body,$headers)){
			echo "Email has been sent to ".$email_address.". Please check your e-mail for steps to activate your account. Check your spam folder as sometimes these 		e-mail get marked as spam. If you still do not see your e-mail, please <a href='https://tutorials.bot/sendemail.php?function=validation&id=$user_id'> Click Here</a> to resend.";
		}
		else
		{
			echo "There was an error sending an e-mail to your e-mail address. Please contact us to let us know of the issue.";
		}
	}
?>

Finally we attempt to send the e-mail and echo success or failure. That concludes this file. Finally we need to make the file that will validate the user when they click on the link in the e-mail that we just sent them. This file is validate.php.

<?php
if (isset($_GET&#91;'id'&#93;))&&(isset($_GET&#91;'id'&#93;)){
	$id = $_GET&#91;'id'&#93;; 
	$hashstring = $_GET&#91;'string'&#93;; 
	$storedhashvalue = "";
&#91;/sourcecode&#93;

First we make sure the values are in the url that we are expecting. At the end of the file we will re-direct them to the home page if these values aren’t set.

&#91;sourcecode language='php'&#93;
$query = "select user_id,display_name from `users` where user_id=$id;";
	$result = mysql_query($query) or die ("Error in query: $query " . mysql_error());
	$row = mysql_fetch_assoc($result);
	$storedhashvalue = hash('md5',$row&#91;'display_name'&#93;);
	mysql_free_result($result);
&#91;/sourcecode&#93;

These lines run a query against the table to get the information for the user based on the user id in the url. It then re-hashes the value so that we can compare the on in the url to match.

&#91;sourcecode language='php'&#93;
	if ($storedhashvalue == $hashstring){
		$query = "update `users` set active_flag=1 where user_id=$id;";
		$result = mysql_query($query) or die ("Error in query: $query " . mysql_error());
		echo "Your account has been activated. Please <a href='https://tutorials.bot/login.php>Click Here To Login</a>";
	}
	else
	{
		echo "Your account could not be verified. Please verify that the link has not been modified from the e-mail. If it still does not work, please contact us.";
	}

If the values match we update the database to see the user as active and if it doesn’t work we tell them that it failed.

}
else
{
header('Location: https://tutorials.bot');
}
?>

Finally we re-direct the user if the variables are not in the url. Now if you go to adduser.php and fill out the form and hit submit. It will send whatever e-mail you put in the form an e-mail with a link in it. Click on the link to activate the user. That concludes this tutorial. If you have any questions, please leave it in the comments. Thanks for viewing.