PHP / Mail / MySQL: Email Confirmation for Register

Question

I'm not familiar with PHP / MySQL and Emails. And I'm pretty sure this question has been asked somewhere already, but I cannot find it. So I apologise if this is troubling and thank you in advance!

Is it possible to do something that user has to click on a link in email first before the user is added into database???

And you know how, for some websites, they have a unique web address for each email validation (Shown in red on the picture)? How do they create a webpage that's unique in for every email ?

Picture credited: https://kayako.atlassian.net/wiki/download/attachments/5734920/subs-validation.png?version=1&modificationDate=1291956283000&api=v2

Thank you a lot for the attention! If it's possible, I prefer not having straight scripts that I can copy and paste because I like to find out myself :P But please do give me some hints because I'm totally lost.

If there's anything that's not clear, please tell me, I'll try my best to clarify it!

Answer 1

The Registration process

1. User fills out a form online with basic details including an email and password, and submits the form to register.php

2. register.php adds user info to a temporary location, such as a pending_users table which has all the fields the user submitted along with an expiration and an activation_code fields. This code can be any random, impossible to guess value. eg: hash('sha1', mt_rand(10000,99999).md_rand(10000,99999)). Just don't do anything predictable such as hash the current time, or the username

3. register.php sends an email to the user with a URL that will link to activate.php and that includes the activation code. eg: example.com/activate.php?code=a2ef24... The email should also inform the user of the expiration (1 to 12hrs validity seems ok to me)

4. When user clicks the link, she triggers a GET request to activate.php. In doing so, the user proves ownership of the email address

5. activate.php gets the code from the request parameters, eg: $code=$_GET['code']. With that code, the script queries the pending_users table for the record matching that code.

6. If the code is found, check that it hasn't expired before proceeding. Expiration prevents someone else much later who gets in the user's account from completing the registration.

7. If the code is valid, capture the user details from the matching record and delete that record from pending_users table.

8. Write a matching record in the regular users table. Until this is done, the user could not log in because login script only checks the users table, and ignores the pending_users table.

9. Registration complete.

Security Note I:

For your users' protection, never store passwords in cleartext. When you receive it from the registration form (eg: $_POST['pwd'], do:

$pwd = $_POST['pwd'];

//first validate; it should meet minimum requirements

$pwd_hash = password_hash($pwd, PASSWORD_DEFAULT); // <- the hash gets stored

Later, to verify the password, do:

password_verify($cleartext_pwd, $pwd_hash);

It will return true if the password is correct; false otherwise.

Security Note II:

For your protection, never insert user supplied values directly in your DB queries. This means any value that arrives from the outside. Not just usernames, emails, passwords... but also values that you're getting back from the user such as activation_code above or cookie values or headers (eg User-Agent). Instead, learn to use prepared statements. This will protect you from SQL injection.