Save Email Response in Database - php

I have an application that works this way.
I have a users table in mysql with user id and all data
This is what happens:
a) A user signed up to my site(A) goes to another website(B) and answers some question.
b) The website(B) Sends me email with data of a user who is in my database.
now what i want to do is automatically whenever an eamil about a particular received in my inbox. The code in php detects the user id and saves the mail in emailrep field of my database.
Please tell me how can i achieve this in PHP???

I think this is a good start
Reading Emails with PHP

Related

Create a way to "tag" people in PHP messsage system

I'm building a simple web app with PHP and Mysql. One of it's features is a page where all of the users can exchange messages with a textarea inside a form.
On the side of the textarea, i have a div with the pictures of all registed users. When writing a message, you can click on one the users' image and the name of the user will be written in the textarea.
How can i do a "tag" system in PHP so that when a user uses this feature and "tags" someone in a message, it will look for that name in a mySql table and then send a notification for a user?
I'm not asking for an answer with all the specific code to achieve this, just logic guidelines on how to do this.
Thanks in advance!!
I would create a new database table of tags/notifications with at a minimum the User ID of the recipient, message, sent timestamp and read timestamp.
Have your script check this table and show notifications matching that user ID with no read timestamp. Once the user clicks the notification, you can insert the read timestamp in to the row to hide it.
To keep the database tidy, you could create an extra script perhaps a cron to clear all read notifications after a week. :)

PHP / Mail / MySQL: Email Confirmation for Register

I'm not familiar with PHP / MySQL and Emails. And I'm pretty sure this question has been asked somewhere already, but I cannot find it. So I apologise if this is troubling and thank you in advance!
Is it possible to do something that user has to click on a link in email first before the user is added into database???
And you know how, for some websites, they have a unique web address for each email validation (Shown in red on the picture)? How do they create a webpage that's unique in for every email ?
Picture credited: https://kayako.atlassian.net/wiki/download/attachments/5734920/subs-validation.png?version=1&modificationDate=1291956283000&api=v2
Thank you a lot for the attention! If it's possible, I prefer not having straight scripts that I can copy and paste because I like to find out myself :P But please do give me some hints because I'm totally lost.
If there's anything that's not clear, please tell me, I'll try my best to clarify it!
The Registration process
User fills out a form online with basic details including an email and password, and submits the form to register.php
register.php adds user info to a temporary location, such as a pending_users table which has all the fields the user submitted along with an expiration and an activation_code fields. This code can be any random, impossible to guess value. eg: hash('sha1', mt_rand(10000,99999).md_rand(10000,99999)). Just don't do anything predictable such as hash the current time, or the username
register.php sends an email to the user with a URL that will link to activate.php and that includes the activation code. eg: example.com/activate.php?code=a2ef24... The email should also inform the user of the expiration (1 to 12hrs validity seems ok to me)
When user clicks the link, she triggers a GET request to activate.php. In doing so, the user proves ownership of the email address
activate.php gets the code from the request parameters, eg: $code=$_GET['code']. With that code, the script queries the pending_users table for the record matching that code.
If the code is found, check that it hasn't expired before proceeding. Expiration prevents someone else much later who gets in the user's account from completing the registration.
If the code is valid, capture the user details from the matching record and delete that record from pending_users table.
Write a matching record in the regular users table. Until this is done, the user could not log in because login script only checks the users table, and ignores the pending_users table.
Registration complete.
Security Note I:
For your users' protection, never store passwords in cleartext. When you receive it from the registration form (eg: $_POST['pwd'], do:
$pwd = $_POST['pwd'];
//first validate; it should meet minimum requirements
$pwd_hash = password_hash($pwd, PASSWORD_DEFAULT); // <- the hash gets stored
Later, to verify the password, do:
password_verify($cleartext_pwd, $pwd_hash);
It will return true if the password is correct; false otherwise.
Security Note II:
For your protection, never insert user supplied values directly in your DB queries. This means any value that arrives from the outside. Not just usernames, emails, passwords... but also values that you're getting back from the user such as activation_code above or cookie values or headers (eg User-Agent). Instead, learn to use prepared statements. This will protect you from SQL injection.
Not sure if it's possible to add datas in database after the validation...
When I want to do something like that, I create a data in the users table (or metas users table) like "validate".
If this data is "true", then the user already did the validation and he can use his account. If it's still set on "false", the user didn't validate his account : he can't use it.
With that, you have to make sure the account is validate when the user tries to log in, but it's not a big deal ^^
Hope it's usefull.
Those are not a unique websites, there is only one script validating the registration finalization. The incoming requests (when the user has clicked the link) are routed all to the same script by means of server side "request rewriting", so that the random token value is available as an argument (parameter) to the script execution.
What the script does: it checks if that random token value does exist in the database where it has been generated and stored before when the user actually registered.
The only thing left to do for that script is to remove the confirmation random token and/or set a flag indicating that the registered use has actually confirmed his identify (email address) by clicking the link.
Easy and straight forward. Hard to bypass, since you cannot guess what random token value has been generated for what registered user without receiving the email. However take into consideration that it is trivial for an attacking script to use anonymous email services (one time email addresses) to receive and evaluate such a confirmation request, if the process is known to the attacker.

How to deal with user email change

I'm adding an option for my users to change their email, and I'm thinking what is the best way of doing it in a safe and fool-proof manner.. so far I have the following options
1) When user changes the email, system stores in a temporary column in the database and sends an email to the new one, requiring the user to click the link to confirm it and only then, change it (I would need 2 extra fields on my DB - temp_email and email_token)
2) When user changes the email, system would gather data from AccountID and New Email, encrypt it and send it to the new email.. when the user clicks the link, system decrypts it and changes accordingly.
I really like the second option, since it does not require saving extra fields on the database.. so my question is.. which one is a better solution? Or perhaps a third one..
I have two fields in my users table: recovery_hash and recovery_time that are updated when a user changes something. I put in a random hash and the current time.
I then send an email to that person (in your case, to their new address), and in the link is the hash (http://foobar.com/verify/randomHashG03sHere). The user clicks the link and it goes to a verify script on the server - which validates the hash and then checks to see if the current time is within an hour of the recovery_time. If both checks validate, I make the change, which, in your case would be updating the users email field with their new email address - which you could store in a separate table, or even in the same users table as a new_email field.
Since you're anticipating the user wanting to change things, you could just store the new email address in a separate table, such as users_temp.email and then update the users table with that new value after it's been validated.
You could just create another table to deal with temporary e-mail addresses (e-mail + AccountID + token + timestamp (possibly)).
I would highly avoid option 2. Keep all your data local on your server! In case someone breaks your encryption he can mess up your entire database or webservice. Especially credentials or email-addresses should never be outsourced. Option 1 is much more recommended, though the data could also be stored in a different manner.

Mail according to the device OS using Php

i got strucked with a task! can anyone help me out... if a user opens his emailid in iphone iwant to mail "hi", if the same user opens his email in android "hello" should be sent and if the user opens in windows "hey" should be sent.
"$_SERVER['HTTP_USER_AGENT']" will gives the device info after clicking on it.. but the conditions should be worked before user gets a mail based on its device name.
php and javascript will not work in the email. The only way you can achieve this behavior is that thisis an email first it will store the data of the user such as name, email and etc. In this factor I will recommend when you get the user data include what device the user is using. In this way you can manipulate your greetings for the user.

When sending an e-mail to confirm user registration, at what point is the username/password stored in the database?

I'm designing a user registration form and am working on sending a confirmation e-mail. The script that is responsible for adding the username/password/e-mail address etc. to the database is getting rather long and I wanted to break the code responsible for e-mails into another file. I was thinking about how the two scripts would work together; would the database script include the e-mail script or redirect to it and pass the arguments. Or do I have it backwards? Would it be the e-mail script including/calling the database script?
What happens first? Does 1) an e-mail containing an account activation link get sent out before any data is added to the database or 2)is the data put in the database right away with an "activated" field set to false and when the user clicks on the link in the e-mail the field will be updated to true 3)or some other way?
#2, this is so that other users don't take the username twice. If you don't save the information instantly, then other users can also activate their account and you'll have errors with that.
Most websites have an expire on their activation so that the usernames can't be held for a long period of time.
A column for state such as user/banned/confirmed/unactivated would be necessary to keep track of who has activated and who has not. A cron job could be used to sweep the database for old inactive users, basing on the timestamp of registration.
Every system I've worked with has just stored the user in the database until it's used, but when spam becomes an issue you can look at other answers.
You need to store the username and password somewhere and sending it in the email is going to cause issues, and otherwise the link you give the email won't know which user to activate, and doing wacky things like storing it in the session is going to cause many, many ux issues.
Other than creating a second table for un-activated accounts, and searching both for the two different calls you need to search both (creating new user/email, and changing username/email), I don't see a better solution.

Categories