  1. #1
    SitePoint Columnist Skunk's Avatar
    Join Date
    Jan 2001
    Location
    Lawrence, Kansas
    Posts
    2,066

    Verify a User's Email Address Using PHP

    This forum thread discusses the SitePoint article 'Verify a User's Email Address Using PHP' by Joe Marini.

    "So you published a registration page on your site... and all you get is fake email addresses? Joe shows how to use PHP's checkdnsrr function to ensure the mail domain exists, and those addresses are valid."

  2. #2
    SitePoint Columnist Skunk's Avatar
    Join Date
    Jan 2001
    Location
    Lawrence, Kansas
    Posts
    2,066
    Erk, I don't like the fact that just the act of me clicking on the "discuss" link on the article caused me to create a new thread. I didn't want to post anything at all - I just wanted to see if other people had said anything.

    Anyway, since I'm here... the technique described in the article provides practically no defence against invalid email addresses as many people, when entering a fake address, will enter a valid domain by mistake. Besides which, once their email address is rejected they are likely to either try again with a more plausible fake address or give up and leave without registering at all.

    People don't provide fake email addresses out of malice - they do it because they don't WANT to hand out their email address, usually because they feel they will not receive anything of value from doing so. If you're going to insist on an email address, make sure you have a good reason for doing so and that this reason is announced clearly to the user.

    Alternatively, the proven method of ensuring an email address is valid is to send an "activate your account" email to that address (or to send the user's initial password to that address along with instructions on how to log in and change it).

  3. #3
    SitePoint Zealot rae's Avatar
    Join Date
    Apr 2003
    Location
    bedroom :P
    Posts
    157
    Yeah... that's my thread!

    Alternatively, the proven method of ensuring an email address is valid is to send an "activate your account" email to that address (or to send the user's initial password to that address along with instructions on how to log in and change it).
    Yeah, that's not a 100 percent reliable script... there's NO reliable e-mail validator script. Checking the host etc... isn't enough.

    But I don't exactly agree with you.

    -an activate your account email...
    -I'm sure we can write a program, that will activate your account automatically.

    The script needs to read the incoming mail... get the URL and act like a browser... it calls the activating script with the correct parameters.
    I had a problem with that last year. (Account harvesting)

    And how will you know, that... there's a real person behind the e-mail address... and not a program...?

    It's an interesting thread! Let's discuss it!

  4. #4
    SitePoint Zealot
    Join Date
    Aug 2002
    Posts
    180
    Quote Originally Posted by rae
    Yeah... that's my thread!



    Yeah, that's not a 100 percent reliable script... there's NO reliable e-mail validator script. Checking the host etc... isn't enough.

    But I don't exactly agree with you.

    -an activate your account email...
    -I'm sure we can write a program, that will activate your account automatically.

    The script needs to read the incoming mail... get the URL and act like a browser... it calls the activating script with the correct parameters.
    I had a problem with that last year. (Account harvesting)

    And how will you know, that... there's a real person behind the e-mail address... and not a program...?

    It's an interesting thread! Let's discuss it!
    I find that this *IS* fairly secure, as the user would have to supply a fully valid email address to receive the email with their password in it. As long as the password is not dictionary based (I find substr(md5(uniqid(microtime())), 0, 7); works well). There are a few flaws in this (for securing against account harvesting, this is still good for getting valid email addresses), such as a catch-all email address (receives everything@yourdomain.com), but still, the email has to be valid, so if you notice a pattern you can just ban that domain.
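
The "activate your account" check discussed in this thread, as an added example that is not code from the article or from any poster: the secret in the emailed link comes from random_bytes() rather than a time-derived value such as uniqid(microtime()), only its hash is stored, and it expires and works once. The function names, the in-memory array standing in for a database table, and the 24-hour lifetime are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical in-memory store standing in for a database table:
// email => ['hash' => sha256 of token, 'expires' => unix time, 'active' => bool]
$pending = [];

/** Create a pending account and return the token to embed in the emailed link. */
function issueActivation(array &$store, string $email, int $now, int $ttl = 86400): string
{
    // 128 bits from the OS CSPRNG. Nothing here depends on the clock, so knowing
    // roughly when the account was created does not narrow down the token.
    $token = bin2hex(random_bytes(16));
    // Keep only a hash, so a leaked table does not reveal usable links.
    $store[$email] = [
        'hash'    => hash('sha256', $token),
        'expires' => $now + $ttl,
        'active'  => false,
    ];
    return $token;
}

/** Activate the account if the token matches, is unexpired and is unused. */
function activate(array &$store, string $email, string $token, int $now): bool
{
    $row = $store[$email] ?? null;
    if ($row === null || $row['active'] || $now > $row['expires']) {
        return false;
    }
    // hash_equals() compares in constant time.
    if (!hash_equals($row['hash'], hash('sha256', $token))) {
        return false;
    }
    $store[$email]['active'] = true;
    return true;
}

// Constructed sample run (address and timestamps are made up).
$t0    = 1700000000;
$token = issueActivation($pending, 'user@example.com', $t0);
var_dump(activate($pending, 'user@example.com', str_repeat('0', 32), $t0 + 60)); // wrong token
var_dump(activate($pending, 'user@example.com', $token, $t0 + 90000));           // past expiry
var_dump(activate($pending, 'user@example.com', $token, $t0 + 120));             // correct, in time
var_dump(activate($pending, 'user@example.com', $token, $t0 + 180));             // second use
```

This confirms that whoever registered can read mail at the address; it does not by itself tell a person from a program reading that mailbox, which is the separate question raised in post #3.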

