I have a website like SO. When users create an account, their account is deactivated until they open their email and click on a URL that I sent them.
Well, what parameters should that URL contain?
Currently I hash the user's email and pass it as a parameter in that URL. So when the user clicks on it, I get that hashed email and compare it. But my algorithm isn't good, because the user can hash his own email and pass it to my script, without opening his email. So I want to know: how can I make a confirm-account URL, and how do I validate it?
You can generate a random string and store it in the database, in the user's record. Then send the email with a URL containing that string. That way you can easily look up that string in the database and activate the account.
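The flow this answer describes, as an added example that is not code from the original post. It assumes Python with SQLite, a hypothetical `users` table, a placeholder `example.test` URL and a 24-hour validity window; as a hardening beyond the answer, it stores only a SHA-256 digest of the token and clears it after first use.

```python
import hashlib
import secrets
import sqlite3
import time

TOKEN_TTL = 24 * 3600  # assumed validity window, in seconds

def open_db():
    # In-memory database with a hypothetical schema, for illustration only.
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE users (
        email TEXT PRIMARY KEY,
        active INTEGER NOT NULL DEFAULT 0,
        token_hash TEXT,
        token_expires INTEGER)""")
    return db

def digest(token):
    # Only this digest is stored, so a leaked table holds no usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()

def register(db, email, now=None):
    """Create an inactive account and return the URL to e-mail to the user."""
    now = int(time.time()) if now is None else now
    # 256 bits from the OS CSPRNG: not derivable from the e-mail address.
    token = secrets.token_urlsafe(32)
    db.execute(
        "INSERT INTO users (email, token_hash, token_expires) VALUES (?, ?, ?)",
        (email, digest(token), now + TOKEN_TTL))
    db.commit()
    return f"https://example.test/confirm?token={token}"  # placeholder host

def confirm(db, token, now=None):
    """Activate the account that owns this token; return True on success."""
    now = int(time.time()) if now is None else now
    # One atomic UPDATE: matches only an unexpired token on an inactive
    # account, and clears the token so the link works exactly once.
    cur = db.execute(
        "UPDATE users SET active = 1, token_hash = NULL, token_expires = NULL "
        "WHERE token_hash = ? AND token_expires >= ? AND active = 0",
        (digest(token), now))
    db.commit()
    return cur.rowcount == 1
```

Because the token is random rather than computed from the address, a user who never receives the e-mail has nothing to submit that `confirm` will accept.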