Right now register.php provides a direct link to verify the account, though in a production environment it's typical to send the link in an e-mail to the address provided. The hope is that legitimate users will supply legitimate e-mail accounts and actively confirm their accounts, and bulk spammers wouldn't.
The mail() function is used to send e-mails from within PHP. The first argument is the user's e-mail address, the second is the e-mail's subject, and the third is the message. The use of @ to suppress warning messages is generally discouraged, though in this case it is necessary because mail() will return false and generate a warning if it fails.
The code you integrate into register.php to send a message instead of displaying the validation link in the browser window might look something like this:
<?php
...
// create an inactive user record
$user = new User();
$user->username = $_POST['username'];
$user->password = $password;
$user->emailAddr = $_POST['email'];
$token = $user->setInactive();

$message = 'Thank you for signing up for an account! Before you '.
    ' can login you need to verify your account. You can do so ' .
    'by visiting http://www.example.com/verify.php?uid=' .
    $user->userId . '&token=' . $token . '.';

if (@mail($user->emailAddr, 'Activate your new account', $message))
{
    $GLOBALS['TEMPLATE']['content'] = '<p><strong>Thank you for ' .
        'registering.</strong></p> <p>You will be receiving an ' .
        'email shortly with instructions on activating your ' .
        'account.</p>';
}
else
{
    $GLOBALS['TEMPLATE']['content'] = '<p><strong>There was an ' .
        'error sending you the activation link.</strong></p> ' .
        '<p>Please contact the site administrator at <a href="' .
        'mailto:[email protected]">[email protected]</a> for ' .
        'assistance.</p>';
}
...
?>
Figure 1-3 shows the confirmation message sent as an e-mail viewed in an e-mail program.
Sending the message as a plain text e-mail is simple, while sending an HTML-formatted message is a bit more involved. Each has its own merits: plain text messages are more accessible and less likely to get blocked by a user's spam filter, while HTML-formatted messages appear friendlier and less sterile, and can have clickable hyperlinks to make validating the account easier.
An HTML-formatted e-mail message might look like this:
<html>
 <p>Thank you for signing up for an account!</p>
 <p>Before you can login you need to verify your account. You can do so by visiting <a href="http://www.example.com/verify.php?uid=###&token=xxxxx">
 http://www.example.com/verify.php?uid=###&token=xxxxx</a>.</p>
 <p>If your mail program doesn't allow you to click on hyperlinks in a message, copy it and paste it into the address bar of your web browser to visit the page.</p>
</html>
However, if you sent it the same way as the previous example, the e-mail would still be received as plain text even though it contains HTML markup. The proper MIME and Content-Type headers also need to be sent to inform the e-mail client how to display the message. These additional headers are given to mail()'s optional fourth parameter.
<?php
// assume the formatted message is stored as $html_message

// formatted mail requires a MIME and Content-Type header
$headers = array('MIME-Version: 1.0',
    'Content-Type: text/html; charset="iso-8859-1"');

// additional headers are supplied as the 4th argument to mail();
// each header line is separated by CRLF
mail($user->emailAddr, 'Please activate your new account',
    $html_message, join("\r\n", $headers));
?>
It's possible to have the best of both e-mail worlds by sending a mixed e-mail message. A mixed e-mail contains both plain-text and HTML-formatted messages and then it becomes the mail client's job to decide which portion it should display. Here's an example of such a multi-part message:
--==A.BC_123_XYZ_678.9
Content-Type: text/plain; charset="iso-8859-1"

Thank you for signing up for an account! Before you can login you need to verify your account. You can do so by visiting http://www.example.com/verify.php?uid=##&token=xxxxx.

--==A.BC_123_XYZ_678.9
Content-Type: text/html; charset="iso-8859-1"

<html>
 <p>Thank you for signing up for an account!</p>
 <p>Before you can login you need to verify your account. You can do so by visiting <a href="http://www.example.com/verify.php?uid=###&token=xxxxx">
 http://www.example.com/verify.php?uid=###&token=xxxxx</a>.</p>
 <p>If your mail program doesn't allow you to click on hyperlinks in a message, copy it and paste it into the address bar of your web browser to visit the page.</p>
</html>
--==A.BC_123_XYZ_678.9--
The correct headers to use when sending the message would be:
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="==A.BC_123_XYZ_678.9"
Note that a special string is used to mark boundaries of different message segments. There's no significance to ==A.BC_123_XYZ_678.9 as I've used — it just needs to be random text which doesn't appear in the body of any of the message parts. When used to separate message blocks, the string is preceded by two dashes and is followed by a blank line. Trailing dashes mark the end of the message.
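The following PHP is an added example, not code from the original text: it builds the multipart/alternative message described above with a freshly drawn random boundary that is checked against both parts, and rejects a recipient address containing CR or LF before it would reach mail(). The function names safeRecipient and buildAlternative and the sample uid, token and address are assumptions.

```php
<?php
// Added example; function names and sample values are assumptions.
// Return the address only if it is well-formed and carries no CR/LF,
// which could otherwise add headers or recipients to the message.
function safeRecipient(string $addr): ?string
{
    if (preg_match('/[\r\n]/', $addr)) {
        return null;
    }
    return filter_var($addr, FILTER_VALIDATE_EMAIL) ?: null;
}

// Build a multipart/alternative message; returns array(headers, body).
function buildAlternative(string $text, string $html): array
{
    // Draw a new random boundary until it appears in neither part.
    do {
        $boundary = '==' . bin2hex(random_bytes(16));
    } while (strpos($text . $html, $boundary) !== false);

    $headers = join("\r\n", array(
        'MIME-Version: 1.0',
        'Content-Type: multipart/alternative; boundary="' . $boundary . '"',
    ));
    $body = join("\r\n", array(
        '--' . $boundary,
        'Content-Type: text/plain; charset="iso-8859-1"',
        '',
        $text,
        '--' . $boundary,
        'Content-Type: text/html; charset="iso-8859-1"',
        '',
        $html,
        '--' . $boundary . '--',
    ));
    return array($headers, $body);
}

// Constructed values standing in for $user->userId and $token.
$url = 'http://www.example.com/verify.php?uid=' . rawurlencode('42')
     . '&token=' . rawurlencode('a1b2c3');
$text = "Thank you for signing up!\r\nVerify your account at $url";
$html = '<html><p>Verify your account at <a href="'
      . htmlspecialchars($url) . '">' . htmlspecialchars($url) . '</a></p></html>';

list($headers, $body) = buildAlternative($text, $html);
if (safeRecipient('new.user@example.com') !== null) {
    echo $headers, "\r\n\r\n", $body, "\r\n";
}
```

The returned body and headers are the values that would be passed as mail()'s third and fourth arguments.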