One of the most common security verifications in user registration is email verification. According to common industry practices, email verification is a very important practice to avoid potential security risks. Let us now discuss these best practices and see how to create an email verification in PHP.
Let’s start with a registration form:
<form method="post" action="http://mydomain.com/registration/">
<fieldset class="form-group">
<label for="fname">First Name:</label>
<input type="text" name="fname" class="form-control" required />
</fieldset>
<fieldset class="form-group">
<label for="lname">Last Name:</label>
<input type="text" name="lname" class="form-control" required />
</fieldset>
<fieldset class="form-group">
<label for="email">Last name:</label>
<input type="email" name="email" class="form-control" required />
</fieldset>
<fieldset class="form-group">
<label for="password">Password:</label>
<input type="password" name="password" class="form-control" required />
</fieldset>
<fieldset class="form-group">
<label for="cpassword">Confirm Password:</label>
<input type="password" name="cpassword" class="form-control" required />
</fieldset>
<fieldset>
<button type="submit" class="btn">Register</button>
</fieldset>
</form>
Next is the table structure of the database:
CREATE TABLE IF NOT EXISTS `user` ( `id` INT(10) NOT NULL AUTO_INCREMENT PRIMARY KEY, `fname` VARCHAR(255) , `lname` VARCHAR(255) , `email` VARCHAR(50) , `password` VARCHAR(50) , `is_active` INT(1) DEFAULT '0', `verify_token` VARCHAR(255) , `created_at` TIMESTAMP, `updated_at` TIMESTAMP, );
Once the form is submitted, we need to validate the user's input and create a new user:
// Validation rules
$rules = array(
'fname' => 'required|max:255',
'lname' => 'required|max:255',
'email' => 'required',
'password' => 'required|min:6|max:20',
'cpassword' => 'same:password'
);
$validator = Validator::make(Input::all(), $rules);
// If input not valid, go back to registration page
if($validator->fails()) {
return Redirect::to('registration')->with('error', $validator->messages()->first())->withInput();
}
$user = new User();
$user->fname = Input::get('fname');
$user->lname = Input::get('lname');
$user->password = Input::get('password');
// You will generate the verification code here and save it to the database
// Save user to the database
if(!$user->save()) {
// If unable to write to database for any reason, show the error
return Redirect::to('registration')->with('error', 'Unable to write to database at this time. Please try again later.')->withInput();
}
// User is created and saved to database
// Verification e-mail will be sent here
// Go back to registration page and show the success message
return Redirect::to('registration')->with('success', 'You have successfully created an account. The verification link has been sent to e-mail address you have provided. Please click on that link to activate your account.');
After registration, the user's account remains invalid until the user's email is verified. This feature confirms that the user is the owner of the entered email address and helps prevent spam and unauthorized email use and information disclosure.
The whole process is very simple - when a new user is created, an email containing a verification link will be sent to the email address filled in by the user during the registration process. Before the user clicks the email verification link and confirms the email address, the user cannot log in and use the website application.
There are several things to note about verified links. The verified link needs to contain a randomly generated token that is long enough and only valid for a certain period of time. This is done to prevent network attacks. At the same time, the email verification also needs to include the user's unique identifier, so as to avoid potential dangers of attacking multiple users.
Now let’s see how to generate a verification link in practice:
// We will generate a random 32 alphanumeric string // It is almost impossible to brute-force this key space $code = str_random(32); $user->confirmation_code = $code;
Once this verification is created store it in the database and send it to the user:
Mail::send('emails.email-confirmation', array('code' => $code, 'id' => $user->id), function($message)
{
$message->from('my@domain.com', 'Mydomain.com')->to($user->email, $user->fname . ' ' . $user->lname)->subject('Mydomain.com: E-mail confirmation');
});
Contents of email verification:
<!DOCTYPE html> <html lang="en-US"> <head> <meta charset="utf-8" /> </head> <body> <p style="margin:0"> Please confirm your e-mail address by clicking the following link: <a href="http://mydomain.com/verify?code=<?php echo $code; ?>&user=<?php echo $id; ?>"></a> </p> </body> </html>
Now let’s verify if it works:
$user = User::where('id', '=', Input::get('user'))
->where('is_active', '=', 0)
->where('verify_token', '=', Input::get('code'))
->where('created_at', '>=', time() - (86400 * 2))
->first();
if($user) {
$user->verify_token = null;
$user->is_active = 1;
if(!$user->save()) {
// If unable to write to database for any reason, show the error
return Redirect::to('verify')->with('error', 'Unable to connect to database at this time. Please try again later.');
}
// Show the success message
return Redirect::to('verify')->with('success', 'You account is now active. Thank you.');
}
// Code not valid, show error message
return Redirect::to('verify')->with('error', 'Verification code not valid.');
Conclusion:
The code shown above is just a tutorial example and has not been adequately tested. Please test it before using it in your web application. The above code is done in the Laravel framework, but you can easily migrate it to other PHP frameworks. At the same time, the verification link is valid for 48 hours and expires after that. Introducing a work queue can handle expired verification links in a timely manner.
This article is an original translation by PHPChina. The original text is reprinted at http://www.phpchina.com/portal.php?mod=view&aid=39888. The editor believes that this article is of great learning value and would like to share it with everyone. I hope it will be useful to everyone. Everyone’s learning helps.
![[Web front-end] Node.js quick start](https://img.php.cn/upload/course/000/000/067/662b5d34ba7c0227.png)
