Is registration by email a safe and secure way to accept subscribers using PHP and MySQLI

I am looking into site registration via a form and registration / verification link. The idea is the user provides an email, username and pass via a form on the site. They then receive an email with a link to click on to verify.

I am really just looking at ideas here but, OK the email has to be valid or they won’t receive the verification link - and it’s easy.

However most examples I see use a link in the email something like

Please click the following link to activate your account:

This seems a huge security risk since the link basically reveals and transmits the subfolder, the php script name and the variable values in plain text.

Am I paranoid or is this method as insecure as it seems?
Is there a better method?

How risky can it be?
People must know your url.

Even must htaccess rewrite file extension is useless bcs if user type url.php he already have the file. Rewrite only helps in seo

I use email link or otpcode. Which ever way the address to confirm will always show on the address bar.

The keys you appended to the url is the security you need, so each key should be different for each verification

Yes I agree but, it’s easy to create a temporary or even 1 time email address or even intercept text transmitted. I am mostly concerned with possible code injection but wondered if I should have any other concerns

If your codes is flawed, hidding its url wont help you, is called security by obscurity which is the weakest for of security

Most of my project are pending to go live until i understand fully how code injection works.
What i do before launching any app is to check for these things

  1. Session hijacking
  2. SQL injection
  3. Code injection mostly done using java
  4. Bruteforce

So to my poor security intelligence i code along these lines.

Extensions are very few, so if i try yoururl.php or .aspx or .cgi or html
It must be one of this

I don’t understand.
Mostly my validation methods are complex ones.

  1. After registeration button is clicked, generate strong unique key and save it to database with users email nd details.
Key | email

Then append same to url and send to user email.
If user click on the link, extract key and also extract email.

Then query the database search where key is key and email is email.

If empty, validation failed, else proceed and create users account

Not if it’s HTTPS, then the URL is encrypted between server and client.

It’s still plain text in the email of course, nothing much you can do about that, but most email is sent over SSL connections these days too.

I would not include the email address in the URL though, simply because that will end up in your server logs, which is not something you want with all the privacy laws going on like the European GDPR. Just a unique random code should suffice.

Is it a perfect system? No.
Is the best system we have so far? Yes.
Are there better alternatives? You can use split tokens for added security over some random code, but the main principle remains the same, so no.


SMS verification.

You can combine the email, a user ID and “random” key, and hash the lot into a key.
That way the private info isn’t in plain text in the URL, but the info is there to reference it to the valid user account.

1 Like

I love this concept,

But i have big questions

  1. If is in plain text does it mean someone privacy have been breached?

  2. Was the url containing the users email published on the site pages?

  3. Was it not sent to the very email that owns it?

  4. And if some one reads the email it does mean the person already have the email address you intend hiding from and much more can even access the said email?

  5. This question i really need to know, if the url is sent via none https protocol what will happen? Who read’s the content and how?

Even though everyone can read the content, they won’t know this email is donald trump email or prince Richard email.
So they sit recording email addresses whose owners they know not?

Apart from spamming or marketing purpose is a waste of time doing that.

Even they can simply keep checking yahoo or registration page with generic email names and once it said this email already exist they will add it to their records

Every hacker has a target, there are over billions of emails littering everyone. One jobless fellow saw something like and start trying to hack it or what?
What i consider a privacy breach is
Donald trump (president usa)
Phone: 555555555555555

That’s what a privacy breach is because is so descriptive, not a random url that holds nothing but email address

I posted an email
On my public website, and someone saw it and said oh! That’s my email address am suing for GPDR , when he gets to court what exactly will he tell them?
That i said hey guys this email belong to jark or john?

I rather focus my energy on ensuring the
Content is transmitted to the user securely, using https as @rpkamp had pointed out but wont stress myself with privacy laws.

Your choice obviously, but fines for not following them are severe.

To you maybe, but not to the law [in the EU, GDPR]. Under law any leaking of Personally Identifiable Information or failing to remove this when requested is a privacy breach.


And along the lines of GDPR, this is partly why 3rd party processors exist; Why does Paypal exist? Because people dont want to give their credit card details to every website they shop with; Paypal sits in the middle and says “Yes, that user can purchase the item, Paypal certifies the money is available.”

Same way that “Login with Google” works - you don’t need to give your password to the website, Google is trusted by the website, and says “Yes, this person is logged in as, treat them as such.” Your website doesnt need to (or even have access to) their password, but you’ve still got a verified login.

Wow! This is serious matter. :smile:

Yes you are right, but hacking emails or gmail and as such if one google account have been hacked the hacker can login to all the sites you are linked to which i found very disturbing.
Is it not safe to limit the access to only one affected site? If Facebook or Twitter is hacked and more 20 sites are doing login with social media, the hacker will simply access those sites once they have a hold of your gmail or facebook account.

Don’t you think is a cause for concern?

If you’re going to be concerned about that, get off of the internet. It’s the only way to be safe.


People are stupid. Most people reuse passwords. At which point, a hack on one site is a hack on all sites. I’d rather put my trust in a multibillion dollar company’s security team over you sitting in your basement.

Just my opinion.

1 Like