I am coding a registration page for my brother's web site.

A user submits registration details, and when he clicks submit an email is sent to him so he can verify his registration.

In the body of the email there is a link for the user to click to verify the registration.

What is the most common way of handling this situation? Right not I just have a link which passes the parameters username and password, where the password is encrypted. However, these details I feel should not be visible or obvious.

I'm wondering if there is a better way?

Thanks for any help!

You could generate a random 20 character string to be inlcluded in the e-mail and store that along with the users details on the server.

That's funny, I just thought of doing something like that.
My only reservation would be that perhaps more than one user gets the same random string? I know this would be highly unlikely, but is it possible?

Thanks for the response.

You don't even need to use a random string, just store the details in a database and use an auto incremented user id field.

And for security purposes you think something like this would be fine?

I'm not quite what part of the security you are worried about. I assume your brother has to enter the admin username and password to confirm the details?

Sorry, I should have been more clear.

When the user clicks the link in the email, it takes him to a page which shows a message that his account is activated.
This page will also contain the PHP code which activates his username in the database, by simply changing a value in one of the fields.

Thanks

Then why not use a combination of a random string (could be the result of a "crypt" on their e-mail addy) and their user id.

Ok! Now we're getting somewhere.

This is what I have already done actually. So the details of the link in the email are encrypted. For example:

"Click here" is the link:

www.somesite.com/verify.php?-0193n13gf-9ng0pdld

where the crypted part is really:
"user=name&pass=somepass"

But on the page verify.php,
if I simply echo $user; and echo $pass

I get nothing!

Well, I'm not sure if you already know this, but in order to get a URI argument you have to use $_GET (e.g. $_GET['user']) but since you encrypted the entire query you'll have to do this manually. I don't know how you used the crypt() function, but maybe something like this will help

I'm not sure if this code will be safe enough for you. It does split the query based on literals, but it is case-insensitive. It also checks the username for invaild characters (only letters and numbers are allowed).

Examples
Request: /test2.php?user=d&avid&password=12&345
Output:
query = user=d&avid&password=12&345
user = david
password = 12&345

Request: /test2.php?user=david+4&password=12&345&&&password=123&^4
query = user=david+4&password=12&345&&&password=123&^4
user = david
password = 12&345&&


Hope this points you in the right direction!

Is this what you mean:

$user = $_SERVER['user'];

if "user" is the argument name in the URI?

I suppose I'm also going to have problems using crypt() since it seems only to be one way.

I have no idea why you want to decrypt it? You already have the unencrypted version on the server.

Well then why won't something like this work?

<?php
echo "Username: $user";
echo "Password: " . $pass";
?>

If I use:
$user = $_SERVER['QUERY_STRING'];

it simply returns the entire crypted string which is really:

user=$user&pass=$pass

But how would I extract $user and $pass from that?

Sorry if these are dumb questions, but I'm really quite new to this still.

Thanks

I did this before by getting the time of the registration and using the long value of the time as a temporary registration ID.

You can hash the users password and store it in a temporary table along with the users other information and then just move it when the email address has been verified.