How would I go about checking if an email actually exists? I can't understand how sites send mails with a unique link that the user clicks to validate that he is the owner of the email =/

Make 2 new columns called activationkey and activated and store some random string, send an email with the activationkey, and update activated = 1 for the user that matches that activation link

register.php?a=activate&key=9cdfb439c7876e703e307864c9167a15

Any better ideas?

+8  A: 

I generally send a link that contains the userid, and the activation key. When they visit my activation script, if I find a match, I activate them.

When they register, I'll generate maybe 32 chars of upper/lower case alphanumeric characters and set it as the activation key. At this point, you can create a field called 'activated,' or you can assume the user is not activated if they have an activation key.

uid |        email       | key
------------------------------------------------------------
001 | [email protected] | e09141f3f5a17fed6222fc0279b9afdf
------------------------------------------------------------
002 | [email protected] | 
------------------------------------------------------------

When the user accesses the activation script, simply check for the provided key along with the provided id and if a match is found, erase the key from the user record on file (or update your boolean 'activated' field) and open the doors up.

If the provided email address doesn't exist, no loss. You can routinely remove all rows with keys after a month of inactivity.

Jonathan Sampson
Nice! Thanks a lot! Btw, for generating a key do you think md5(uniqid()); will be ok? Don't want 2 users with the same key :P
Martin
md5 of the same uniqid will still be the same - you can just use a prefix (maybe the md5 of their email) for uniqid, or use the 'more entropy' flag of uniqid
eCaroth
Smart. Think I will go with md5(email); thx
Martin
Martin, if you are going to hash the email then add a salt first
rick
+1@rick: if you just hash the email, it will be easily bypassable as soon as anybody notices (not that it really matters, since anyone can create any amount of trash email addresses)
Lo'oris
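
An added example, not code from any poster in this thread: the uid-plus-key link from the answer above, with the key drawn from random_bytes() rather than md5(uniqid()) or md5(email), stored as a SHA-256 hash and checked with hash_equals(). The table layout, the `uid` link parameter and the 30-day lifetime are assumptions.

```php
<?php
declare(strict_types=1);
// Added example, not code from the thread. Table/column names and the
// 30-day lifetime are assumptions; the sample data below is constructed.

const KEY_LIFETIME = 30 * 24 * 3600; // seconds

function createActivation(PDO $db, string $email, int $now): array
{
    // 16 bytes from the OS CSPRNG -> 32 hex chars, unrelated to the email or the clock.
    $key = bin2hex(random_bytes(16));
    $stmt = $db->prepare(
        'INSERT INTO users (email, key_hash, key_expires, activated) VALUES (?, ?, ?, 0)'
    );
    // Store only a hash, so a leaked table does not hand out working links.
    $stmt->execute([$email, hash('sha256', $key), $now + KEY_LIFETIME]);
    return [(int) $db->lastInsertId(), $key];
}

function activate(PDO $db, int $uid, string $key, int $now): bool
{
    $stmt = $db->prepare('SELECT key_hash, key_expires FROM users WHERE uid = ?');
    $stmt->execute([$uid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || $row['key_hash'] === null || (int) $row['key_expires'] < $now) {
        return false; // unknown user, already activated, or expired
    }
    // Constant-time comparison of the stored hash with the hash of the supplied key.
    if (!hash_equals($row['key_hash'], hash('sha256', $key))) {
        return false;
    }
    // Erase the key so the link works exactly once.
    $db->prepare('UPDATE users SET activated = 1, key_hash = NULL WHERE uid = ?')
       ->execute([$uid]);
    return true;
}

// Constructed demo with an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (uid INTEGER PRIMARY KEY, email TEXT UNIQUE,
           key_hash TEXT, key_expires INTEGER, activated INTEGER)');

$now = time();
[$uid, $key] = createActivation($db, 'user@example.com', $now);
echo "register.php?a=activate&uid=$uid&key=$key\n";
var_dump(activate($db, $uid, md5('user@example.com'), $now)); // key derived from the email
var_dump(activate($db, $uid, $key, $now));                    // key from the email message
var_dump(activate($db, $uid, $key, $now));                    // same link used again
```
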
A: 

There's no easy way to check if an email actually exists programmatically. There are some ways (pinging the mail server, etc.) but none that are proven to work with every mail server's setup. Forcing the user to activate their account via a link like you described is the best way to do it. Also, you may wish to have some kind of recurring script like a cron job that removes un-activated members after a certain period of time (which would require another column in your table, timestamp).

This is useful because if a user signs up but never activates their account and deletes the email, and you are using their email as an id (just an example), they will never be able to complete the activation. Alternately, if they try to log in you can simply re-send the activation email to that address again.

Just make sure in the email you are specifying all the headers (reply-to, from, etc) so your email doesn't get flagged as spam.

eCaroth
This method of checking if an email exists is not foolproof. It does not ensure the email belongs to the user. There exist disposable mail services, where you get a temporary email address. The user might use one of those services, activate their account, and log in to the system. After a while, the temporary address is disabled.
Inf.S
A: 

One alternative to activation keys is to just send a generated password to the user's email; if the user logs in, he is activated (and of course, should be able to change the password to what he prefers).

Alix Axel