phpmysqlconfirmation-email

PHP/MYSQL - Subscription Email - How do they accomplish something like this?


I would like to have a aspect of my site that users can use to sign up for a newsletter.

I am not 100% what the best way to accomplish this task would be.

What I can think of is very simple:


One input with a submit button, the user enters their email address there.

A random 32 character hash is generated and stored along with their addess within a mysql table.

Am email is sent to the address containing the hash and asking the user to enter their email address and the hash on a page that checks it against the mysql table.

If correct the email becomes active by defining an additional entry on the table.


That is about as far as my knowledge of the two can take me...

What i would like to accomplish, is in the confirmation send the user a link that they can click to confirm their address... something like http://www.mysite.com/users/newsletter/?user=aGuy&confirm=blahBlah.

But I really do not know where to start with something like that... And as i understand it, allowing mysql queries in such a manner is not secure...

Would someone be able to provide me with some more information regarding this matter?

This being in the form of suggestions or links to tutorials that may cover something like this.

Thank you for taking the time to read this!!


Solution

  • You're close.

    When a user submits his email address, insert it into the database. At a minimum, the table should 4 fields (id,email,verified,key). The id is just a surrogate key (auto-increment). verified should default to false, and the key shouldn't really be a hash but a randomly generated string -- anything that's hard to guess. Hashes are deterministic, so hashing the user's email address with an md5 wouldn't make for a good key if someone figured out what algorithm you were using. A random element is better suited, but again, anything hard to guess will serve just fine.

    The email should contain a link that holds the id and the key. You use the id to look up the record in the DB (since it's unique) and then check that the key in the URL matches the one stored in the database (key doesn't have to be unique). If they match, set verified to true, and voila.

    For bonus points, you can store a date that the verify email is sent, and you can prune out unverified emails after 24 hours or so.