I am currently working on a big project and the client demands that everything need to be perfect and in standard way, especially in the case of security. There is a user registration session and I have to add email verification feature too.
I was doing email verification with the following method in all my projects.
On registration, save the data to users table, with status (value of status column) as 0 and a generated random code to a column intended for that.
Then send a link to the registered mail id with the random code ans user's id as get variables. Ex: http://site_address.com/verification_url.php?id=1&code=abc123xyz
On verification page, this value of get variable ($_GET['code']) is compared with the random code saved in database for that user with passed id ($_GET['id'])
If both the codes are same, status will be set to 1 and displays a successfully verifies message.
Please let me know whether there is a universally accepted methods for email verification (with guaranteed security). Also I would like to know the security limitations or issues of my method so that I can fix those.
I wouldn't send the user id, otherwise your method works fine. Sending the user id you tell the outside world abit to much of your database/code design. Create strong hashes as code and a expiredate and you will be fine.
Please look on below, it may be help with you
create the activation link like
http://www.hostname.com/verification_url.php?id=base64_encode($id)&code=base64_encode($code)
verification script
<?php
if(isset($_GET['id'])&&isset($_GET['code'])){
$id = base64_decode($id);
# your database connection code here
# get email id using $id for mailing purpose
if($id!=NULL){
# update the user status as active and send success mail
}
else{
# sent failure mail
}
}
?>