Making the form:
The first thing you will need is a form to get the email address from. In this tutorial we will use a very basic form. You can make the form as complex or simple as you would like. The commenting system for TranceTronics.com uses this same method for making sure a comment is valid. Here is our quick and dirty form:

code:
<form name="emailInput" action="emailInput.php" method="post">
Username: <input type="text" name="username" size="40" maxlength="255" /><br/>
Email: <input type="text" name="email" size="40" maxlength="255" /><br/>
<input type="submit" value="Create Account" />
</form>

This form will send the username and email address to “emailInput.php” which we will talk about next.

Validating Input and Sending Confirmation Link:
In this section, we want to make sure that the person entered something into the username and email textboxes. If they did, we will create an 8-character key and store that in the database along with their username and email. After storing the information, we will send them an email with the confirmation link in it.

The first thing we will do is create a function to handle the random string for the confirmation link. Here is what the random function will look like:

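php:
<?php
function getRandomString()
{
    $length = 8;

    //string of all possible characters to go into the confirmation code
    $passwordRandomString = "AaBbCcDdEeFfGgHhIiJjKkLlMmNnOoPpQqRrSsTtUuVvWwXxYyZz0123456789";

    //initialize the new code string
    $newPW = "";

    //the last valid index is strlen - 1 (61 here); an index of 62 would add nothing and shorten the code.
    $maxIndex = strlen($passwordRandomString) - 1;

    //go through to generate a random code.
    //random_int() (PHP 7+) uses the system's secure random source, unlike rand(), and needs no seeding.
    for($x = 0; $x < $length; $x++)
    {
        $newPW .= substr($passwordRandomString, random_int(0, $maxIndex), 1);
    }

    return $newPW;
}
?>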

Here is what the rest of the “emailInput.php” page will look like:

php:
<?php
//database connection goes here; the code below assumes a mysqli connection in $db
//...

//get input data
$username = trim($_POST['username'] ?? '');
$email = trim($_POST['email'] ?? '');
$errorMessage = "";

//check to make sure they're not empty.
//the email must also be one well-formed address; this rejects line breaks that could inject mail headers.
if(empty($username)) $errorMessage .= "You didn't enter a username.<br/>\n";
if(empty($email)) $errorMessage .= "You didn't enter an email address.<br/>\n";
elseif(!filter_var($email, FILTER_VALIDATE_EMAIL)) $errorMessage .= "That email address is not valid.<br/>\n";

//if there was no error, do the rest of the code.
if(empty($errorMessage))
{
    //get a random 8 character string.
    $confirmationCode = getRandomString();

    //add the person and the confirmation code to the database.
    //a prepared statement keeps the submitted values out of the SQL text.
    $stmt = $db->prepare("INSERT INTO `users` (`username`, `email`, `confirmationCode`, `confirmed`)
        VALUES (?, ?, ?, 0)");
    $stmt->bind_param("sss", $username, $email, $confirmationCode);
    $stmt->execute() OR die($stmt->error);

    //now we want to send them an email telling them to confirm their account.
    $to = "";
    $subject = "";
    $message = "";
    $headers = "";

    /* recipients */
    $to = $email;

    /* subject */
    $subject = "Site Registration Confirmation";

    /* message */
    $message = '<html>
<head>
<title>Site Registration Confirmation</title>
</head>

<body style="font-family:verdana, arial; font-size: .8em;">
You\'re receiving this email because you filled out a registration form on this website.
<br/><br/>
If you did not try to create an account, you can simply delete this email. No further action is required.
<br/><br/>
To complete confirmation and add your registration, please click on the link below:<br>
<a title="Confirm Comment"
href="http://www.website.com/confirm.php?c='.$confirmationCode.'">http://www.website.com/confirm.php?c='.$confirmationCode.'</a>
<br/><br/>
Thank you and we hope you enjoy using Website.com!<br/><br/>

</body>
</html>';

    /* To send HTML mail, you can set the Content-type header. */
    $headers  = "MIME-Version: 1.0\r\n";
    $headers .= "Content-type: text/html; charset=iso-8859-1\r\n";

    /* additional headers */
    $headers .= "From: Website <no-reply@website.com>\r\n";

    /* and now mail it */
    mail($to, $subject, $message, $headers);

    //let them know what's going on.
    echo 'Click the link in the email to confirm your account.';
}
else
{
    echo $errorMessage;
}
?>

In the query to add the user to the database, I also included a variable called “confirmed” and set it to “0.” I did this because we need some way of knowing if they have clicked on the confirmation link or not. When they click on the confirmation link, we will set the value to “1.”

Creating the Confirm page:
Now that the email has been sent and the user's information is stored in the database, we need to find some way to let them confirm it. To do this, we will create a new PHP page called “confirm.php.” Here is what confirm.php will look like:

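php:
<?php
//database connection goes here; the code below assumes a mysqli connection in $db
//...

$confirmId = $_GET['c'] ?? '';

$errorMessage = "";

//look up the code with a prepared statement so the value from the URL never becomes part of the SQL text.
$stmt = $db->prepare("SELECT confirmed FROM `users` WHERE confirmationCode = ?");
$stmt->bind_param("s", $confirmId);
$stmt->execute();
$stmt->bind_result($confirmed);

//fetch() returns true when a row matched the code and null when none did.
$found = $stmt->fetch();
$stmt->close();

if($found && $confirmed == 1) $errorMessage .= "You have already confirmed this account.<br/>";
if(!$found) $errorMessage .= "You are trying to confirm an invalid account.<br/>";

if(empty($errorMessage))
{
    $stmt = $db->prepare("UPDATE `users` SET confirmed = 1 WHERE confirmationCode = ?");
    $stmt->bind_param("s", $confirmId);
    $stmt->execute() OR die($stmt->error);

    echo 'Your account has been confirmed!';
}
else
{
    echo $errorMessage;
}
?>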

This code checks to make sure that their account isn’t already confirmed, and that the confirmation code they entered is valid. If there is no error with the input, the “confirmed” value in the table is changed to 1 and they are now valid.

You can use this code as a starting point for many other things that require confirmation codes. Also, while this is not 100% effective at keeping spam out of your site, it sure does help. I have this code running on another site of mine that has a comment form and I receive over 500 spam messages per month that do not get confirmed, so they don’t show up in my site.

If you know how, you can write a cron job that goes and removes all unconfirmed entries that are over a month old.
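
The confirm step and the cleanup job suggested above can share one expiry rule. The following is an added example, not code from the original tutorial: it assumes an extra `createdAt` column (Unix timestamp) on the `users` table, uses PDO with an in-memory SQLite database so it runs on its own, and its function names are hypothetical.

```php
<?php
// Added example, not the tutorial's code. Assumptions: an extra `createdAt`
// column (Unix time) and an in-memory SQLite database standing in for MySQL.
const MAX_AGE = 30 * 24 * 3600; // codes stay valid for 30 days

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (username TEXT, email TEXT,
        confirmationCode TEXT UNIQUE, confirmed INTEGER DEFAULT 0, createdAt INTEGER)');
    return $db;
}

// Single-use, time-limited confirm: one UPDATE performs the check and the change,
// so two simultaneous clicks cannot both succeed and an old code cannot be used.
function confirmAccount(PDO $db, string $code, int $now): bool
{
    $stmt = $db->prepare('UPDATE users SET confirmed = 1
        WHERE confirmationCode = ? AND confirmed = 0 AND createdAt >= ?');
    $stmt->execute([$code, $now - MAX_AGE]);
    return $stmt->rowCount() === 1;
}

// What the cron job would run: delete rows that were never confirmed in time.
function purgeUnconfirmed(PDO $db, int $now): int
{
    $stmt = $db->prepare('DELETE FROM users WHERE confirmed = 0 AND createdAt < ?');
    $stmt->execute([$now - MAX_AGE]);
    return $stmt->rowCount();
}

// Constructed sample rows: one fresh signup, one left unconfirmed for 40 days.
$db  = makeDb();
$now = time();
$ins = $db->prepare('INSERT INTO users (username, email, confirmationCode, createdAt)
    VALUES (?, ?, ?, ?)');
$ins->execute(['alice', 'alice@example.com', 'Ab3dE9xQ', $now]);
$ins->execute(['bob', 'bob@example.com', 'Zz81kLm0', $now - 40 * 24 * 3600]);

var_dump(confirmAccount($db, 'Ab3dE9xQ', $now)); // first click on a fresh link
var_dump(confirmAccount($db, 'Ab3dE9xQ', $now)); // same link clicked again
var_dump(confirmAccount($db, 'nosuchcd', $now)); // code that was never issued
var_dump(confirmAccount($db, 'Zz81kLm0', $now)); // code older than MAX_AGE
var_dump(purgeUnconfirmed($db, $now));           // cleanup pass over stale rows
```

On a real site the same two statements run against the MySQL `users` table, with `purgeUnconfirmed()` called from the script that cron executes.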