I was asked by a person to create PHP code, which is part of a larger ERP software development project, so that he can test my skills. The code concerns a simple user authentication once the user registers through a form by entering name, date of birth, and email (which I have already done through HTML).
The action property of the html form, is a php file which consists of php code to get the posted inputs in the form, generate a verification link, and send it to the user via his/her email which he/she has already given.
I have two basic questions or problems:
How can this verification link be created?
Once the user clicks on this type of a link how does PHP know that they did so?
I don't think that there is any concept of event-driven programming in PHP. In that case, how does PHP handle that click and give a "confirmation success message"? Is a MySQL database required or is there another easier way?
When you create the user, you are also going to generate a random string for that user. This is their authorization code. You will store it with the user's data in your database.
Then you are going to make your authorize page (ex., authorize.php). It will take a $_GET parameter of 'code', or whatever else you want (ex., authorize.php?code=theHashYouCreated). This page's code will look something like this:
if(!empty($_GET['code']))
{
/*
* Get the data from the database by the provided code.
* If a result is returned, then remove the authorization
* code from the user's record. If no user is found, then
* return an error.
*/
}
else
{
//No code was provided, so we should error.
}
Now, when the user tries to login you also want to check to see if their authorization code is set in the database. If it is, then they have not validated their e-mail address yet. If it isn't, then they have validated it.
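The authorize.php flow described in the answer above, written out as an added example (this is not the answer's own code). The table layout is assumed: a `users` table with `id`, `email` and an `auth_code` column that is set to NULL once the address is verified; the demo opens an in-memory SQLite database so the file runs on its own, where a real deployment would use the MySQL DSN instead.

```php
<?php
// Added example: generate the random authorization code, store it, check it on
// authorize.php, and gate login on it. Table users(id, email, auth_code) is assumed.
declare(strict_types=1);

function generateAuthCode(): string
{
    // 32 bytes from the CSPRNG, hex-encoded: not guessable and safe in a URL.
    return bin2hex(random_bytes(32));
}

// Called at registration time; returns the code to put into the emailed link.
function storeAuthCodeForUser(PDO $db, int $userId): string
{
    $code = generateAuthCode();
    $stmt = $db->prepare('UPDATE users SET auth_code = :code WHERE id = :id');
    $stmt->execute([':code' => $code, ':id' => $userId]);
    return $code;
}

// authorize.php?code=... : true when exactly one pending user matched and was verified.
function authorizeByCode(PDO $db, ?string $code): bool
{
    if ($code === null || !preg_match('/^[0-9a-f]{64}$/', $code)) {
        return false; // missing or malformed code is handled exactly like "not found"
    }
    // Matching and clearing the code in one statement makes the link single-use,
    // even if two requests for the same link arrive at the same moment.
    $stmt = $db->prepare('UPDATE users SET auth_code = NULL WHERE auth_code = :code');
    $stmt->execute([':code' => $code]);
    return $stmt->rowCount() === 1;
}

// Login-time check from the answer: a non-NULL auth_code means "not verified yet".
function isEmailVerified(PDO $db, int $userId): bool
{
    $stmt = $db->prepare('SELECT auth_code FROM users WHERE id = :id');
    $stmt->execute([':id' => $userId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false && $row['auth_code'] === null;
}

// Constructed demo on an in-memory SQLite database so the file runs stand-alone.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT NOT NULL, auth_code TEXT NULL)');
$db->exec("INSERT INTO users (email) VALUES ('alice@example.com')");

$code = storeAuthCodeForUser($db, 1);
$link = 'https://example.com/authorize.php?code=' . $code; // this is what the email carries

// In the real page the code arrives as $_GET['code']; on the CLI we reuse the generated one.
$requested = $_GET['code'] ?? $code;
if (authorizeByCode($db, $requested)) {
    echo "Your e-mail address has been verified.\n";
} else {
    echo "Invalid or already-used authorization link.\n"; // same message for both failure cases
}
var_dump(isEmailVerified($db, 1));
var_dump(authorizeByCode($db, $requested)); // second click of the same link fails
```

The code is bound to the user with a prepared statement rather than string concatenation, and the error message does not distinguish "no such code" from "already used", so the page leaks nothing about which codes exist.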
Here's a nice tutorial that should help you create a confirmation email:
http://www.learnphponline.com/scripts/email-activation-for-php-forms
It involves creating a randomly generated activation key, that will initially be stored in the database. The key should be emailed to the user in the form of a GET parameter in a link.
Once the link is clicked, the submitted GET parameter is checked with the value in the database.
I am integrating a user verification feature into a plugin I am developing whereby a user must verify their email address by clicking a link sent to them.
It is based on code provided on Github
At the moment I create a 'temporary' user, then delete the user from the users table. Only after verification is the user added back into the users table.
Is there a way to disable the core user registration in Wordpress so that I don't have to delete the user, therefore it is never stored in the database until it is created by the verification code?
I am finding, quite naturally, the user IDs are skipping every one digit so that for example, a verified user has an id '1' then the next is '3'.
Thanks,
Leon
The standard way to do that is through a field in the users table that is set to true, for example, whenever the user has validated his email via your link.
And with this field you control that if the field is not validated you don't let them sign in on your website.
So in order to apply this you need to find the sections in your WordPress that control the sign in to put the restriction with this new field.
I'm going to be more specific so you can remove the downvote...
Let's think, for example, that you have a field named email_verify which will just contain a 1 or a 0 depending on whether the email is already validated or not.
Then you have another field for example session_token with a sha1 or random token that must be unique for the link that will validate the email when clicking on it.
You need to have a PHP function that catches when someone enters that link. You do it by extracting the sha1 from the link as a URL parameter and searching in your table for whoever has that session_token; when you find a record with this session_token, you turn your email_verify value to 1, meaning the email is already verified, and then you set the session_token field to null so the link expires.
I'm not familiar with PHP / MySQL and Emails. And I'm pretty sure this question has been asked somewhere already, but I cannot find it. So I apologise if this is troubling and thank you in advance!
Is it possible to do something that user has to click on a link in email first before the user is added into database???
And you know how, for some websites, they have a unique web address for each email validation (shown in red on the picture)? How do they create a webpage that's unique for every email?
Picture credit: https://kayako.atlassian.net/wiki/download/attachments/5734920/subs-validation.png?version=1&modificationDate=1291956283000&api=v2
Thank you a lot for the attention! If it's possible, I prefer not having straight scripts that I can copy and paste because I like to find out myself :P But please do give me some hints because I'm totally lost.
If there's anything that's not clear, please tell me, I'll try my best to clarify it!
The Registration process
User fills out a form online with basic details including an email and password, and submits the form to register.php
register.php adds user info to a temporary location, such as a pending_users table which has all the fields the user submitted along with an expiration and an activation_code field. This code can be any random, impossible to guess value. eg: hash('sha1', mt_rand(10000,99999).mt_rand(10000,99999)). Just don't do anything predictable such as hashing the current time, or the username.
register.php sends an email to the user with a URL that will link to activate.php and that includes the activation code. eg: example.com/activate.php?code=a2ef24... The email should also inform the user of the expiration (1 to 12hrs validity seems ok to me)
When user clicks the link, she triggers a GET request to activate.php. In doing so, the user proves ownership of the email address
activate.php gets the code from the request parameters, eg: $code=$_GET['code']. With that code, the script queries the pending_users table for the record matching that code.
If the code is found, check that it hasn't expired before proceeding. Expiration prevents someone else much later who gets in the user's account from completing the registration.
If the code is valid, capture the user details from the matching record and delete that record from pending_users table.
Write a matching record in the regular users table. Until this is done, the user cannot log in because the login script only checks the users table and ignores the pending_users table.
Registration complete.
Security Note I:
For your users' protection, never store passwords in cleartext. When you receive it from the registration form (eg: $_POST['pwd']), do:
$pwd = $_POST['pwd'];
//first validate; it should meet minimum requirements
$pwd_hash = password_hash($pwd, PASSWORD_DEFAULT); // <- the hash gets stored
Later, to verify the password, do:
password_verify($cleartext_pwd, $pwd_hash);
It will return true if the password is correct; false otherwise.
Security Note II:
For your protection, never insert user supplied values directly in your DB queries. This means any value that arrives from the outside. Not just usernames, emails, passwords... but also values that you're getting back from the user such as activation_code above or cookie values or headers (eg User-Agent). Instead, learn to use prepared statements. This will protect you from SQL injection.
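The registration process and both security notes above, carried through as one added example (this is not the answer's own code). It assumes two tables, `pending_users(email, pwd_hash, activation_code, expires_at)` and `users(id, email, pwd_hash)`, an activation lifetime of six hours (inside the 1 to 12 hour window the answer suggests), and uses an in-memory SQLite database so that it runs stand-alone.

```php
<?php
// Added example: register.php parks the record in pending_users with an expiry,
// activate.php moves it into users, login.php only ever consults users.
// Every value that came from the outside goes through a prepared statement.
declare(strict_types=1);

const ACTIVATION_TTL_SECONDS = 6 * 3600; // assumed lifetime for the activation code

// register.php: validate input, hash the password, store the pending record,
// and return the activation link to be e-mailed. Nothing is written to users yet.
function registerPending(PDO $db, string $email, string $password): string
{
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid e-mail address');
    }
    if (strlen($password) < 12) {                 // "first validate" from Security Note I
        throw new InvalidArgumentException('password too short');
    }
    $code = bin2hex(random_bytes(32));            // CSPRNG, not time() or the username
    $stmt = $db->prepare(
        'INSERT INTO pending_users (email, pwd_hash, activation_code, expires_at)
         VALUES (:email, :hash, :code, :exp)'
    );
    $stmt->execute([
        ':email' => $email,
        ':hash'  => password_hash($password, PASSWORD_DEFAULT), // only the hash is stored
        ':code'  => $code,
        ':exp'   => time() + ACTIVATION_TTL_SECONDS,
    ]);
    return 'https://example.com/activate.php?code=' . $code;
}

// activate.php: look the code up, reject it if expired, then move the record
// from pending_users to users inside one transaction so it cannot be activated twice.
function activate(PDO $db, string $code, ?int $now = null): bool
{
    $now ??= time();
    $db->beginTransaction();
    try {
        $sel = $db->prepare(
            'SELECT email, pwd_hash, expires_at FROM pending_users WHERE activation_code = :code'
        );
        $sel->execute([':code' => $code]);
        $row = $sel->fetch(PDO::FETCH_ASSOC);
        if ($row === false || (int) $row['expires_at'] < $now) {
            $db->rollBack();
            return false;                         // unknown and expired look the same
        }
        $del = $db->prepare('DELETE FROM pending_users WHERE activation_code = :code');
        $del->execute([':code' => $code]);
        $ins = $db->prepare('INSERT INTO users (email, pwd_hash) VALUES (:email, :hash)');
        $ins->execute([':email' => $row['email'], ':hash' => $row['pwd_hash']]);
        $db->commit();
        return true;
    } catch (Throwable $e) {
        $db->rollBack();
        throw $e;
    }
}

// login.php: only users is consulted, so a pending account cannot log in.
function login(PDO $db, string $email, string $password): bool
{
    $stmt = $db->prepare('SELECT pwd_hash FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false && password_verify($password, $row['pwd_hash']);
}

// Constructed demo on an in-memory SQLite database.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE pending_users (email TEXT, pwd_hash TEXT, activation_code TEXT UNIQUE, expires_at INTEGER)');
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE, pwd_hash TEXT)');

$link = registerPending($db, 'bob@example.com', 'correct horse battery staple');
$code = substr($link, strrpos($link, '=') + 1);   // what activate.php reads from $_GET['code']

var_dump(login($db, 'bob@example.com', 'correct horse battery staple')); // still pending
var_dump(activate($db, $code, time() + ACTIVATION_TTL_SECONDS + 1));     // expired link
var_dump(activate($db, $code));
var_dump(login($db, 'bob@example.com', 'correct horse battery staple'));
var_dump(activate($db, $code));                                          // link is single-use
```

Expired rows stay in pending_users until something removes them; a periodic `DELETE FROM pending_users WHERE expires_at < ?` keeps the table from growing, and it should also be run before allowing the same address to register again.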
Not sure if it's possible to add data to the database after the validation...
When I want to do something like that, I create a data in the users table (or metas users table) like "validate".
If this data is "true", then the user already did the validation and he can use his account. If it's still set on "false", the user didn't validate his account : he can't use it.
With that, you have to make sure the account is validated when the user tries to log in, but it's not a big deal ^^
Hope it's useful.
Those are not unique websites; there is only one script validating the registration finalization. The incoming requests (when the user has clicked the link) are all routed to the same script by means of server-side "request rewriting", so that the random token value is available as an argument (parameter) to the script execution.
What the script does: it checks if that random token value does exist in the database where it has been generated and stored before when the user actually registered.
The only thing left to do for that script is to remove the confirmation random token and/or set a flag indicating that the registered user has actually confirmed his identity (email address) by clicking the link.
Easy and straightforward. Hard to bypass, since you cannot guess what random token value has been generated for what registered user without receiving the email. However, take into consideration that it is trivial for an attacking script to use anonymous email services (one-time email addresses) to receive and evaluate such a confirmation request, if the process is known to the attacker.
I have two software. I want to create a link in the first one to call and fill a form in the second one.
The second one is written in PHP (with CakePHP) and can be accessed by authenticated users. I need to automatically log the users in and fill the form on click of the link.
I don't know how to do that?
I was thinking of this solution, but can you please tell me if you see a better one.
-The link will contain all information to login my user and all information to prefill the form
-The link will be dedicated to this action in my php application. It will automatically log my user in, put the form data in session and redirect to the form page.
-In the form page, if the session variable is not empty I will fill my form.
Please help me and tell me what do you think of this plan.
You can make a route that logs you in automatically: just pass your login/pw encoded in md5 as args, then redirect to what you want.
I am not using Cake, but maybe you need to adjust what I propose to fill your wish.
You need to turn the GET parameters into POST, that's all and it's dead easy.
See https://en.wikipedia.org/wiki/Post/Redirect/Get
I usually do web development on computers, and I have newly entered the realm of mobile development. The application I am currently working on requires the registration process to work exactly like Whatsapp, so essentially these are the steps.
1- User enters their phone number.
2- When user submits their phone number, I have to send an SMS back to their phone with a registration code.
3- User enters the registration code, if it matches, user is in.
4- User doesn't have to login ever again.
Going into more detail, this is how I suspect this should be implemented, and hopefully with your expertise I can get some advice.
1- I will be using phone gap, so a regular HTML form, referencing back to a PHP script.
2- This I am unsure of. What I think I can do is I can find out what the user's carrier is, and use the user's phone number # carrier and just use the php mail function (015-1231234#carrier.com) But Whatsapp, Viber, etc don't ask for your carrier. Do you guys know how they were able to do that?
3- In my database table I have a registration code stored that is randomly generated by a PHP script. I store that in the DB, and I send it to the user. When the user verifies the code, I just compare it with the table.
4- I actually don't know how to do that. Do smartphones operate on sessions, cookies, something else? How can I make it permanent? Ideally what I would like to have is a simple check before I display the index of the app. Something like:
if($_SESSION['userID']){
//show protected page here
}
else {
//user needs to register. Ideally only once in their lifetime.
}
I need to make an activation code for my users. When users are registered, my PHP script would send an email to users, and I don't know how to implement the activation code or activation link. I don't know the logic for this.
This is a four-step process:
Create the activation code
Store it in a database
Email the code to the user with a link to your verification script
Check the code the user enters in your verification script against the value stored in the database.
For an example implementation, please see:
http://www.learnphponline.com/scripts/email-activation-for-php-forms
upon registration create a random string $user_rand;
store the random string in the users table in activation_secret column, set the active column to 0
hash the random string and send an email to the email address the user provided and include a link to your activation page, include the hash as a parameter. e.g. http://host.com/activate.php?activation_code=sfer3423ste&username=john
in activate.php extract the username and the activation code (which is the hash you sent)
query the users table for a record which has active=0 and user=john, return the value in activation_secret
hash activation_secret and compare the hash with the activation code from the URL; if they match, the user should be validated (set the active column to 1); if not, inform the user the activation code is not recognized.
You can build on this and make it robust and add exception handling. E.g. you can also set a lifetime for the activation secret and more.
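The activation_secret scheme from the answer above, with the lifetime it suggests, as an added example (not the answer's own code). The table layout `users(username, email, activation_secret, secret_created_at, active)` and the 24 hour lifetime are assumptions; the comparison of the re-computed hash with the code from the URL uses `hash_equals()` so that it takes the same time whether or not the code is right.

```php
<?php
// Added example: store a random secret per inactive user, put its hash in the link,
// and on activate.php re-hash the stored secret and compare in constant time.
declare(strict_types=1);

const SECRET_LIFETIME_SECONDS = 24 * 3600; // assumed lifetime of an activation secret

function activationCodeFor(string $secret): string
{
    return hash('sha256', $secret);           // the hash, not the secret, goes in the URL
}

// Registration: store the random secret, mark the account inactive, build the link.
function createActivation(PDO $db, string $username): string
{
    $secret = bin2hex(random_bytes(32));
    $stmt = $db->prepare(
        'UPDATE users SET activation_secret = :s, secret_created_at = :t, active = 0 WHERE username = :u'
    );
    $stmt->execute([':s' => $secret, ':t' => time(), ':u' => $username]);
    return 'https://host.example/activate.php?' . http_build_query([
        'activation_code' => activationCodeFor($secret),
        'username'        => $username,
    ]);
}

// activate.php: fetch the inactive user's secret, reject it past its lifetime,
// compare hash(secret) with the URL code, then activate and clear the secret.
function activateUser(PDO $db, string $username, string $code, ?int $now = null): bool
{
    $now ??= time();
    $stmt = $db->prepare(
        'SELECT activation_secret, secret_created_at FROM users WHERE username = :u AND active = 0'
    );
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || $row['activation_secret'] === null) {
        return false;                         // no such inactive user
    }
    if ((int) $row['secret_created_at'] + SECRET_LIFETIME_SECONDS < $now) {
        return false;                         // secret expired
    }
    if (!hash_equals(activationCodeFor($row['activation_secret']), $code)) {
        return false;                         // activation code not recognized
    }
    $upd = $db->prepare(
        'UPDATE users SET active = 1, activation_secret = NULL WHERE username = :u AND active = 0'
    );
    $upd->execute([':u' => $username]);
    return $upd->rowCount() === 1;
}

// Constructed demo on an in-memory SQLite database.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT, activation_secret TEXT,
           secret_created_at INTEGER, active INTEGER NOT NULL DEFAULT 0)');
$db->exec("INSERT INTO users (username, email) VALUES ('john', 'john@example.com')");

$link = createActivation($db, 'john');
parse_str((string) parse_url($link, PHP_URL_QUERY), $params); // what activate.php gets in $_GET

var_dump(activateUser($db, $params['username'], 'deadbeef'));                   // wrong code
var_dump(activateUser($db, $params['username'], $params['activation_code'],
                      time() + SECRET_LIFETIME_SECONDS + 1));                   // expired
var_dump(activateUser($db, $params['username'], $params['activation_code']));   // activates
var_dump(activateUser($db, $params['username'], $params['activation_code']));   // already used
```

Clearing activation_secret and requiring `active = 0` in the final UPDATE is what makes the link expire after one use, as the answer describes.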
I've not done it but I would have thought that it would be along the lines of:
When a user registers generate an activation code, and store it associated with the users id
Have a page which validates a code. This will look up the code given in the URL (or have the user enter it manually in a field on the page) and see if it is the code associated with the user (must be logged in to see this page).
Generate a url which goes to the above page and provides the code in the url.
insert the url in an email and send to the user
Or you could simply use CakeDC's users plugin and avoid all that trouble.
You can also use a table-less solution to generate one-time passwords. Have a look at http://bakery.cakephp.org/articles/ashevat/2010/03/12/how-to-implament-one-time-password-for-forgot-my-password-and-account-activation-processes
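One way to build a table-less one-time token, as an added example: it is not the linked article's code and not necessarily the same construction, and the key name `TOKEN_KEY` and the payload layout are assumptions. The token is the user id and an expiry time, authenticated with an HMAC under a server-side key, so nothing has to be stored per token; the server only needs the key.

```php
<?php
// Added example: stateless activation token = base64url(userId:expiresAt:HMAC).
// The HMAC covers the id and the expiry, so neither can be altered without the key.
declare(strict_types=1);

// Assumed to come from configuration (e.g. 32 random bytes), never from the request.
const TOKEN_KEY = 'replace-with-a-32-byte-secret-loaded-from-config';

function issueToken(int $userId, int $expiresAt, string $key = TOKEN_KEY): string
{
    $payload = $userId . ':' . $expiresAt;
    $mac = hash_hmac('sha256', $payload, $key);
    // base64url so the token is safe inside a query string
    return rtrim(strtr(base64_encode($payload . ':' . $mac), '+/', '-_'), '=');
}

// Returns the user id when the token is authentic and unexpired, null otherwise.
function verifyToken(string $token, ?int $now = null, string $key = TOKEN_KEY): ?int
{
    $now ??= time();
    $decoded = base64_decode(strtr($token, '-_', '+/'), true);
    if ($decoded === false) {
        return null;                                   // not valid base64
    }
    $parts = explode(':', $decoded);
    if (count($parts) !== 3 || !ctype_digit($parts[0]) || !ctype_digit($parts[1])) {
        return null;                                   // malformed payload
    }
    [$userId, $expiresAt, $mac] = $parts;
    $expected = hash_hmac('sha256', $userId . ':' . $expiresAt, $key);
    if (!hash_equals($expected, $mac)) {
        return null;                                   // forged or tampered
    }
    if ((int) $expiresAt < $now) {
        return null;                                   // expired
    }
    return (int) $userId;
}

// Constructed demo.
$token = issueToken(42, time() + 3600);
var_dump(verifyToken($token));                                    // 42
var_dump(verifyToken($token, time() + 7200));                     // expired
var_dump(verifyToken(issueToken(42, time() + 3600, 'other-key'))); // wrong key
var_dump(verifyToken('not-a-token'));                             // malformed
```

Because nothing is stored, a token stays valid until its expiry and cannot be revoked on its own; the activation handler therefore has to make the action itself idempotent (for example, only flip the user to active when it is still inactive) and keep expiries short.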