Servage Magazine


Performing email-verification in PHP

Sunday, February 5th, 2017 by Servage

Email verification is a feature found on almost every website with a login system. Some PHP frameworks come with built-in email verification, but if you are using one that does not, you will have to either use a ready-made solution such as a library or build it from scratch. Building the system yourself also gives you more freedom and flexibility to customize it for your needs.

The Process Explained

Here is how email verification often works in PHP applications: When a user signs up, their data, such as email address, password and name, are inserted into a database. Along with this data, a unique email verification token is stored in the same database record.

When this is done, an email is sent to the user asking them to click a link in the email to verify their account. This link makes a GET request with a query string to an email verification page. The query string contains the same unique verification token that was stored in the database earlier. If the tokens match, the user can be considered to own the email address they registered with.

Adding Database Columns

As mentioned earlier, you will need a new column in your database. The field can be called, for example, “email_verification_token”, with a type of CHAR and a length of 64.

If you don’t have a column for user status, you should add a status column that stores values such as “active”, “inactive” and “unverified”. Another approach is to have an “email_verified” TINYINT column that you can set to 1 when the email has been verified. The default value should be 0.

Generating a Secure Token

When the user signs up, a secure and unique token must be generated and stored in the column. There are many ways to do this, some more secure than others. The randomness comes from openssl_random_pseudo_bytes(); bin2hex() then encodes each random byte as two hexadecimal characters, so 32 random bytes give a token that is secure enough for this purpose and fits the CHAR(64) column. The following code will generate a 64-character token:

bin2hex(openssl_random_pseudo_bytes(32))

Constructing the Verification Link

Because we are sending the verification link by email, we must use a GET request. This means we cannot submit a form and instead must send the verification token in the URL as a query string. What we can do is make a link to a verification page and append the verification token to the end of the URL, like this:

<a href="https://www.example.com/verify-email.php?token=64charactertoken">Verify Email</a>

Clicking this will take the user to the verification page with the verification token.

Verifying the Email Address

The last step is to make sure the verification token sent by the user matches the value in the database. To get the token sent by the user, we can use the $_GET superglobal variable. For instance:

$token = $_GET["token"];

Compare this with the value in the database to determine whether to mark the user’s email address as confirmed.
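
The steps above combined into one flow, as an added example that is not code from the original article. It assumes an in-memory SQLite database accessed through PDO, PHP 7's random_bytes() in place of openssl_random_pseudo_bytes(), and hypothetical names (the users table, create_user(), verify_email()); it also rejects malformed input, compares with hash_equals(), and clears the token after use.

```php
<?php
// Added example: the users table and both function names are assumptions.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    email TEXT NOT NULL UNIQUE,
    email_verification_token CHAR(64),
    email_verified TINYINT NOT NULL DEFAULT 0
)');

// Sign-up: store a 64-character token (32 random bytes, hex-encoded).
function create_user(PDO $db, string $email): string
{
    $token = bin2hex(random_bytes(32));
    $stmt = $db->prepare('INSERT INTO users (email, email_verification_token) VALUES (?, ?)');
    $stmt->execute([$email, $token]);
    return $token;
}

// verify-email.php logic: check the token's shape, look it up, then consume it.
function verify_email(PDO $db, $token): bool
{
    // Reject arrays (?token[]=x) and anything that is not 64 lowercase hex characters.
    if (!is_string($token) || !preg_match('/\A[0-9a-f]{64}\z/', $token)) {
        return false;
    }
    $stmt = $db->prepare('SELECT id, email_verification_token FROM users
                          WHERE email_verification_token = ? AND email_verified = 0');
    $stmt->execute([$token]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);
    // Re-check the stored value with hash_equals(), a constant-time string comparison.
    if (!$user || !hash_equals($user['email_verification_token'], $token)) {
        return false;
    }
    // Mark the address verified and clear the token so the link works only once.
    $upd = $db->prepare('UPDATE users SET email_verified = 1, email_verification_token = NULL WHERE id = ?');
    $upd->execute([$user['id']]);
    return true;
}

$token = create_user($db, 'alice@example.com');   // constructed sample address
echo 'https://www.example.com/verify-email.php?token=' . urlencode($token), "\n";
var_dump(verify_email($db, 'not-a-token'));   // malformed token
var_dump(verify_email($db, $token));          // first click on the link
var_dump(verify_email($db, $token));          // second click, token already consumed
```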
