Hi All...

I'm glad to be in this forum. I'm making a system to connect three applications in one and have a user register page.

The register page sends an email to the user asking them to activate the account in order to use the system.

I'm having some matters.
First: I encrypt the username and password with base64_encode and decrypt with base64_decode to send it to the email. * When I update the page, the username gets its encoded chars and changes. I can see that on the confirmation page. *

Second: after sending the confirmation email to the user, I destroy the cookies I use to go through the registration process, and when the user clicks the email confirmation link, I activate the cookies again. But there's an error:
The email is sent, but the content of the email is not.

I use this code:

$email= $_COOKIE["email"];

$pwd= $_COOKIE['password'];
$user= $_COOKIE['usuario'];

if(isset($_COOKIE['usuario'])){

echo 'Bievenido a la seccion'." --". $user . "<br>";

$secret= 'proyectos'; //Change this to something long and complicated
$username = base64_encode($user);
$password2 = base64_encode($pwd); //Clean this variable first!

$hash = sha1($username.$secret);

$Text = "To Confirm, click here: <a href= 'htttp: mydomain/pruebacookies2/confirmacion.php?username=$username&password=$password2&hash=$hash'>Confirmar usuario</a>";

/* echo $Text;  */

}
else{
     echo 'Error: Ha accedido a una sección restringida. Vueva a intentarlo';}

and this is the email part:
$headers = "From: Mydomain.com\r\n";
$headers .= "cc: $from\r\n";
//$headers .= "Bcc: sample3.domainname.com\r\n";
$headers .= "MIME-Version: 1.0\r\n";
$headers .= "Content-type: text/html; charset=iso-8859-1\r\n";
$headers = "MIME-Version: 1.0rn";
$headers  = "From: $from\r\n";
$headers .= "Content-type: text/html\r\n";

$enviarmail = mail($to, $subject, $message, $headers);

if ($enviarmail) {
    $enviado = true;
} else {
    $enviado = false;
}

Can you help me, or tell me where to find an email activation script?

I don't really know what is wrong...
I need some help; if I don't fix this, my job is hot!

Thanks

Your body message seems to be in $Text and you are sending the variable $message. Is this right?

This is probably a side-issue, but your link html is poorly formed with attribute values having single quotes (') instead of doubles ("). Your http is htttp!

$Text = "To Confirm, click here: <a href= 'htttp: mydomain/pruebacookies2/confirmacion.php?username=$username&password=$password2&hash=$hash'>Confirmar usuario</a>";

could be:

$Text = "To Confirm, click here: <a href= \"http: mydomain/pruebacookies2/confirmacion.php?username={$username}&password={$password2}&hash={$hash}\">Confirmar usuario</a>";

In addition, you seem to be sending 'naked' password and username in the url. This is not a good idea. Anybody looking at the user's screen will get the info. Is the password part of the url absolutely necessary?

Hi ardav.
Thanks for your reply.
I encrypt the password using an encrypt method, because I'm really confused about using cookies or sessions to take my variables into another page.
Ans: Is the password part of the url absolutely necessary?
Re: yes, because I've got to confirm the password.
But I'm looking for a very good way to do it without using the hash.

Can you help me in this?

Do you really need to confirm the pw? Can't you just confirm the decrypted (and cleaned) hash against your db value?

WRT cookies/sessions, I always use sessions. I suppose there are pros and cons of using each (or both!). I've always used cookies for storing 'preference' data, so that if a user returns to the site after some time, his/her preferences (e.g. language) will be selected automatically. I use sessions for passing vars from page to page (unless there is a specific need for $_GET or $_POST to do so).

I expect some php heavyweight will tell me I'm WRONG, but it seems to work for me.

Hold on... when a user registers, you are placing it in a db right? Not just placing values in a cookie?
I suggest that your user db table has a 'status' field which allows values such as inactive/active (or boolean 0/1). If the incoming url parts (name and hash) authenticate against your db values, you make the user active. Is that what you're doing already?

So authentication could be:

$user = clean($_GET['username']);
$hash = clean($_GET['hash']);

//where 'clean' is your usual cleaning method, e.g. addslashes/htmlentities/various mysql escapes, etc.

//get your user's details from the db and test the hash ($hash) against the password (e.g. $result['pw']):

if ($hash == sha1($result['pw'] . $secret)) {
    //say hello and welcome
} else {
    //something went wrong
}

It's really late here and I'm sure I've made some mistakes, anyway - something along those lines.
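The scheme from the answer above, written out as an added example (not code posted in this thread): the link carries only the username and a keyed hash, confirmacion.php recomputes the hash, compares it in constant time, and flips the user's 'status' field to active, so the password never travels in the URL. It swaps hash_hmac/hash_equals in for sha1($username.$secret); the user table is a constructed in-memory array, the secret is a placeholder, and the names ACTIVATION_SECRET, activation_hash, activation_link, activate_account and the user 'maria' are assumptions.

```php
<?php
// Added example, not code from the thread: activation link with a keyed hash
// over the username only, verified against an in-memory stand-in for the user
// table (constructed sample data), which carries the 'status' field.

// Server-side secret; placeholder value, assumed to live outside the web root.
const ACTIVATION_SECRET = 'replace-with-a-long-random-secret';

// Constructed sample user table: password stored hashed, status 0 = inactive, 1 = active.
$users = [
    'maria' => ['pw' => password_hash('correct horse', PASSWORD_DEFAULT), 'status' => 0],
];

// Keyed hash of the username (HMAC-SHA256 instead of sha1($username.$secret)).
function activation_hash(string $username, string $secret): string
{
    return hash_hmac('sha256', $username, $secret);
}

// Build the confirmation link; http_build_query() URL-encodes the parameters.
function activation_link(string $username, string $secret): string
{
    $query = http_build_query(['username' => $username, 'hash' => activation_hash($username, $secret)]);
    return 'https://mydomain/pruebacookies2/confirmacion.php?' . $query;
}

// confirmacion.php side: user must exist and still be inactive, hash must match
// in a constant-time comparison; only then is status set to active.
function activate_account(array &$users, string $username, string $hash, string $secret): bool
{
    if (!isset($users[$username]) || $users[$username]['status'] !== 0) {
        return false;   // unknown user, or link already used
    }
    if (!hash_equals(activation_hash($username, $secret), $hash)) {
        return false;   // hash does not match: tampered or mistyped link
    }
    $users[$username]['status'] = 1;
    return true;
}

$link = activation_link('maria', ACTIVATION_SECRET);
parse_str(parse_url($link, PHP_URL_QUERY), $params);
var_dump(activate_account($users, $params['username'], 'deadbeef', ACTIVATION_SECRET));      // wrong hash
var_dump(activate_account($users, $params['username'], $params['hash'], ACTIVATION_SECRET)); // the link's own hash
var_dump(activate_account($users, $params['username'], $params['hash'], ACTIVATION_SECRET)); // same link replayed
```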
