I need to create an activation system for a website. The user registers, gets an email, then clicks a link with a secret key in the query string, and a script on my end decodes it.
My question is not on the programming itself, but rather, what is a good way of generating the link? Hashing was a thought but it is one way. Should I be encrypting something? Does anyone who has been tasked with this same thing have any insight?
Is there a way to do it that both:
Does not store any secret code in the database, and
Does not put any obvious user info in the query string?
The user is in a table with primary key id and other info. It does not need to be insanely secure but should not be easily breakable. I'm doing this with PHP. I couldn't find a similar question, so if I have overlooked one I would appreciate a link.
I have done this before by doing an md5 on the concatenated record id and email address. You could throw in a few extra characters or fields if you want. Then when the user clicks the link you just run the same select again to see if you get a match.
// generate the key
select md5(concat(id,email,'Some custom text')) as `verification_key` from ...
// verify the user
// ($verification_key comes from the query string: bind it as a prepared-statement
// parameter rather than interpolating it into the SQL, or this query is injectable)
select * from user where '$verification_key' = md5(concat(id,email,'Some custom text'));
Then you can update the user record to mark it as verified.
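Added example, not part of the question or the answer above: a stateless activation token for PHP that meets both of the asker's constraints. Nothing secret is stored in the users table (only a server-side key in config), and the id and email are encrypted and authenticated inside the token, so the query string carries no readable user info and cannot be forged or tampered with. It also adds an expiry, which the md5(id, email, salt) scheme lacks: that hash never changes for a given user, so an old link stays valid forever. The block assumes PHP 7.3 or later with the bundled sodium extension, an assumed 32-byte server secret `$key` loaded from config, and an assumed PDO connection `$pdo` to a `user` table with `id`, `email` and `verified` columns.

```php
<?php
declare(strict_types=1);

// Added example (not from the original question or answer). Requires PHP >= 7.3
// with ext/sodium. $key is an assumed 32-byte secret loaded from config, created
// once with sodium_crypto_secretbox_keygen() and never stored in the users table.

function base64url_encode(string $bin): string
{
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

/** @return string|false */
function base64url_decode(string $txt)
{
    return base64_decode(strtr($txt, '-_', '+/'), true);
}

// Token = base64url( nonce || secretbox( json{id, email, exp}, nonce, key ) ).
// secretbox both encrypts (hides id/email from the URL) and authenticates
// (a modified or forged token simply fails to open).
function make_activation_token(string $key, int $userId, string $email, int $ttlSeconds = 86400): string
{
    $nonce   = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $payload = json_encode(
        ['id' => $userId, 'email' => $email, 'exp' => time() + $ttlSeconds],
        JSON_THROW_ON_ERROR
    );
    $box = sodium_crypto_secretbox($payload, $nonce, $key);
    return base64url_encode($nonce . $box);
}

// Returns ['id' => int, 'email' => string], or null for anything malformed,
// forged, or expired. The caller still has to check the row against the DB.
function parse_activation_token(string $key, string $token): ?array
{
    $raw = base64url_decode($token);
    if ($raw === false || strlen($raw) <= SODIUM_CRYPTO_SECRETBOX_NONCEBYTES) {
        return null;
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    if ($plain === false) {
        return null; // MAC failed: forged, tampered, or wrong key
    }
    $data = json_decode($plain, true);
    if (!is_array($data) || !isset($data['id'], $data['email'], $data['exp'])) {
        return null;
    }
    if (!is_int($data['id']) || !is_string($data['email']) || !is_int($data['exp'])) {
        return null;
    }
    if ($data['exp'] < time()) {
        return null; // link has expired; user must request a new one
    }
    return ['id' => $data['id'], 'email' => $data['email']];
}

// Verification side. The token value is bound as a parameter, never
// interpolated into SQL. The email check means a token issued for an old
// address stops working if the user changes it, and the verified = 0 check
// makes the link single-use: replaying it after activation does nothing.
function activate_user(PDO $pdo, string $key, string $token): bool
{
    $claims = parse_activation_token($key, $token);
    if ($claims === null) {
        return false;
    }
    $stmt = $pdo->prepare(
        'UPDATE user SET verified = 1 WHERE id = :id AND email = :email AND verified = 0'
    );
    $stmt->execute([':id' => $claims['id'], ':email' => $claims['email']]);
    return $stmt->rowCount() === 1;
}

// Usage sketch (assumed config and mailer; not part of the example's logic):
// $key   = sodium_hex2bin(getenv('ACTIVATION_KEY'));          // 32 bytes
// $token = make_activation_token($key, $user->id, $user->email);
// $link  = 'https://example.com/activate.php?t=' . urlencode($token);
// ... later, in activate.php:
// $ok = activate_user($pdo, $key, (string) ($_GET['t'] ?? ''));
```

If sodium is not available, the same structure works with `hash_hmac('sha256', ...)` over a base64url payload plus `hash_equals()` on the tag, at the cost of the id and email being readable (though still unforgeable) in the URL. Either way, rotating `$key` invalidates every outstanding link at once, which is the one operational lever this stateless design gives you; if you need per-user revocation, you are back to storing something per row.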