When users sign up for your website, it’s helpful to know that they’ve provided you with a correct email address.
To validate the email address they provide, send an email to the address they supply when they sign up.
If they don’t visit a special URL included in the email after a few days, deactivate their account.
Example 8-17 contains the SQL to create the table in which the user information is stored.
Example 8-17. SQL for user verification table
|
1 2 3 4 5 6 |
CREATE TABLE users ( email VARCHAR(255) NOT NULL, created_on DATETIME NOT NULL, verify_string VARCHAR(16) NOT NULL, verified TINYINT UNSIGNED ); |
What’s in Example 8-17 is the minimum amount of information necessary for user verification. You probably want to store more information than this about your users.
When creating a user’s account, save information to the users table, and send the user an email telling him how to verify his account.
The code in Example 8-18 assumes that the user’s email address is stored in the variable $email.
Example 8-18. notify-user.php
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 |
// Connect to the database $db = new PDO('sqlite:users.db'); $email = 'david'; // Generate verify_string $verify_string = ''; for ($i = 0; $i < 16; $i++) { $verify_string .= chr(mt_rand(32,126)); } // Insert user into database // This uses an SQLite-specific datetime() function $sth = $db->prepare("INSERT INTO users " . "(email, created_on, verify_string, verified) " . "VALUES (?, datetime('now'), ?, 0)"); $sth->execute(array($email, $verify_string)); $verify_string = urlencode($verify_string); $safe_email = urlencode($email); $verify_url = "http://www.example.com/verify-user.php"; $mail_body=<<<_MAIL_ To $email: Please click on the following link to verify your account creation: $verify_url?email=$safe_email&verify_string=$verify_string If you do not verify your account in the next seven days, it will be deleted. _MAIL_; mail($email,"User Verification",$mail_body); |
The verification page that users are directed to when they follow the link in the email message updates the users table if the proper information has been provided, as shown in Example 8-19.
Example 8-19. verify-user.php
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 |
// Connect to the database $db = new PDO('sqlite:users.db'); $sth = $db->prepare('UPDATE users SET verified = 1 WHERE email = ? '. ' AND verify_string = ? AND verified = 0'); $res = $sth->execute(array($_GET['email'], $_GET['verify_string'])); var_dump($res, $sth->rowCount()); if (! $res) { print "Please try again later due to a database error."; } else { if ($sth->rowCount() == 1) { print "Thank you, your account is verified."; } else { print "Sorry, you could not be verified."; } } |
The user’s verification status is updated only if the email address and verify string provided match a row in the database that has not already been verified.
The last step is the short program that deletes unverified users after the appropriate interval, as shown in
Example 8-20.
Example 8-20. delete-user.php
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 |
// Connect to the database $db = new PDO('sqlite:users.db'); $window = '-7 days'; $sth = $db->prepare("DELETE FROM users WHERE verified = 0 AND ". "created_on < datetime('now',?)"); $res = $sth->execute(array($window)); if ($res) { print "Deactivated " . $sth->rowCount() . " users.\n"; } else { print "Can't delete users.\n"; } |
Run the program in Example 8-20 once a day to scrub the users table of users that haven’t been verified.
If you want to change how long users have to verify themselves, adjust the value of $window, and update the text of the email message sent to users to reflect the new value.
