I made a PHP script for users to activate their account after they click on the confirmation link. It works as usual: the user clicks on the link
www.example.org/activation?code=R4nD0mCoD3
The script checks in the database whether the code exists, and if not it redirects the user to ./index.php
So what is the best solution so that people can't spam codes to that site and bring down my database?
Is there any useful workaround? Sadly I wasn't able to find anything on StackOverflow about it yet.
Thanks for helping out :)
$key = sha1($email.time()); // 'email' or any other value
Will give you a 40-character key which should be secure enough, but if you really want to prevent a select for any request with a key, you can return a view with a submit button (disabled by default), then enabled using JavaScript on document.ready, as most bots aren't JavaScript-enabled.
If you go that route, you could also set a 1 or 2 second timeout before enabling the button, which will slow down the JavaScript-enabled bots.
As mentioned above though, it's a light query, so you don't have too much to worry about as long as you have a secure activation key.
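
An added example, not part of the original answer: a different technique from the one above, which makes the activation code self-verifying with an HMAC so that guessed or malformed codes are rejected before any database query runs. The secret, the function names and the `<userId>.<expiry>.<mac>` layout are assumptions chosen for this sketch.

```php
<?php
declare(strict_types=1);

// Assumption: in production this secret comes from server-side config.
// The value here is constructed for the demo.
const ACTIVATION_SECRET = 'constructed-demo-secret-change-me';

function b64url(string $bin): string
{
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

// Issue a code of the form "<userId>.<expiry>.<mac>" (hypothetical layout).
function issueActivationCode(int $userId, int $ttlSeconds = 86400, ?int $now = null): string
{
    $expiry  = ($now ?? time()) + $ttlSeconds;
    $payload = $userId . '.' . $expiry;
    $mac     = b64url(hash_hmac('sha256', $payload, ACTIVATION_SECRET, true));
    return $payload . '.' . $mac;
}

// Returns the user id for a genuine, unexpired code, or null. Never touches the database.
function verifyActivationCode(string $code, ?int $now = null): ?int
{
    // Cheap shape check first: anything that is not id.expiry.43-char-mac is dropped.
    if (!preg_match('/\A(\d{1,10})\.(\d{1,10})\.([A-Za-z0-9_-]{43})\z/', $code, $m)) {
        return null;
    }
    $expected = b64url(hash_hmac('sha256', $m[1] . '.' . $m[2], ACTIVATION_SECRET, true));
    if (!hash_equals($expected, $m[3])) {   // constant-time comparison
        return null;
    }
    if ((int) $m[2] < ($now ?? time())) {   // expired link
        return null;
    }
    return (int) $m[1];
}

// Demo with constructed inputs: a genuine code, a guessed code, a tampered user id.
$code = issueActivationCode(42);
var_dump(verifyActivationCode($code));
var_dump(verifyActivationCode('R4nD0mCoD3'));
var_dump(verifyActivationCode(preg_replace('/\A42\./', '43.', $code)));
```

Only a code that passes `verifyActivationCode()` goes on to the database, where a single UPDATE marks that user id as active. Anyone holding the secret can mint codes, so it must stay on the server and out of version control.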