Determining Whether an Email Account Exists


A common task in web applications is having users sign up for some service. Often you want to confirm whether the given email address truly exists. Realistically, there is only one accurate way of determining whether an email account exists and is active: you must actually send an email to the user and require that the user either respond to it or click a link in it to verify that they received the email.

Using a link is the better solution, because an automatic responder could take care of responding to your query, whereas most of the time it is a real person who clicks the link. All you need to do is include some information in that link that identifies the user. For example, when someone first enters an email address on a web page, the address is stored in a table along with a uniquely generated number. This number is then passed back on the link.
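The stored-number approach described above can be sketched as follows. This is an added example, not code from the original tutorial; the `pending` table, the `k` link parameter and the function names are hypothetical, and an in-memory SQLite database is assumed so that it runs stand-alone.

```php
<?php
// Added example: table, parameter and function names are hypothetical.
function open_store(): PDO {
    $db = new PDO('sqlite::memory:');   // in-memory so the example runs stand-alone
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE pending (token_hash TEXT PRIMARY KEY,
        email TEXT NOT NULL, expires INTEGER NOT NULL)');
    return $db;
}

// Store the address with a random key and return the key for the link.
// Only a hash of the key is stored, so reading the table does not yield usable links.
function issue_token(PDO $db, string $email, int $ttl = 86400): string {
    $token = bin2hex(random_bytes(16));   // 128 bits from the system CSPRNG
    $db->prepare('INSERT INTO pending VALUES (?, ?, ?)')
       ->execute([hash('sha256', $token), $email, time() + $ttl]);
    return $token;
}

// Return the verified address, or null if the key is malformed, unknown, expired or reused.
function redeem_token(PDO $db, $token): ?string {
    if (!is_string($token) || !preg_match('/\A[0-9a-f]{32}\z/', $token)) {
        return null;
    }
    $hash = hash('sha256', $token);
    $find = $db->prepare('SELECT email FROM pending WHERE token_hash = ? AND expires >= ?');
    $find->execute([$hash, time()]);
    $email = $find->fetchColumn();
    // Single use: remove the row whether or not it was still valid.
    $db->prepare('DELETE FROM pending WHERE token_hash = ?')->execute([$hash]);
    return $email === false ? null : $email;
}

// Constructed sample run.
$db    = open_store();
$token = issue_token($db, 'alice@example.com');
echo 'http://example.com/verify.php?k=', $token, "\n";
var_dump(redeem_token($db, $token));               // first click on the link
var_dump(redeem_token($db, $token));               // same link used a second time
var_dump(redeem_token($db, str_repeat('0', 32)));  // a key that was never issued
```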

The example in this section uses a simpler solution that does not rely on any data storage. When given the email address, we will manipulate it before sending it out in the link. Then, when the user arrives at the confirmation page, the same manipulation is repeated on the address in the link to see whether the result matches. This is accomplished with a basic mechanism: we take the email address given to us and create a hash value from it, in this case using md5(). However, we first prepend a value to the string before creating the hash. This way, someone would have to know what that string was to duplicate the hash. First, the tutorial creates a web page that takes the user’s email address and generates the email.

[source:php]
<?php
// If we had a POST element called 'email', then we need to prep and send:
if (isset($_POST['email']) && is_string($_POST['email'])) {
    // Make sure it wasn't blank and is a well-formed address. This also keeps
    // line breaks out of the value handed to mail():
    $email = filter_var(trim($_POST['email']), FILTER_VALIDATE_EMAIL);
    if ($email) {
        // Prepare by setting a timezone, mail() uses this.
        date_default_timezone_set('America/New_York');

        // Take the address given, prepend a magic string, and hash it:
        $hashed = md5('magic_string' . $email);

        // Make the email address ready to be sent via, well, email:
        $prepped = urlencode($email);

        // Generate the email message that these people need to verify:
        // For simplicity, doing this as pure text email at this point.
        mail($email, 'Please verify your email address', "
Someone has entered your email address into our form.
If it was you, and you wish to verify your address, please click the
following link:

http://example.com/verify.php?e={$prepped}&h={$hashed}
", 'From: php@example.com');

        // Let them know that this email is sent. The address is user input,
        // so escape it before writing it into the page.
        $shown = htmlspecialchars($email, ENT_QUOTES, 'UTF-8');
        echo "
<p>A verification email has been sent to {$shown},
 please follow the instructions included in it.</p>
";
    }
}
?>
<form action="<?= htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8') ?>" method="post" name="f1">
<p>What is your email address? <input name="email" type="text" /></p>
<p><input type="submit" /></p>
</form>
[/source]

Then the verification page accepts the data from this link and attempts to recreate the hash provided with it.

[source:php]
<?php
// This is the verification script
// We need to check if we got the appropriate fields (as strings, not arrays)
if (isset($_GET['e'], $_GET['h']) && is_string($_GET['e']) && is_string($_GET['h'])) {
    // Attempt to create an identical hash using the same magic string
    $hashed = md5('magic_string' . $_GET['e']);

    // If the new hash equals what was passed in. hash_equals() compares the
    // two strings exactly and in constant time, whereas == would compare
    // numeric-looking strings as numbers.
    if (hash_equals($hashed, $_GET['h'])) {
        // They have passed muster.  Let them know this.  In a real
        //  application you would need to save this fact and continue in
        //  the process at this point.
        echo "<p>Your email has been validated.</p>\n";
    } else {
        // It didn't pass.
        echo "<p>Your email failed its validation test.</p>\n";
    }
} else {
    echo "<p>Invalid page access!</p>\n";
}
?>
[/source]

As it stands, this is a simple algorithm. The email address is visible as part of the link, and the hash algorithm is a simple one. Therefore, if someone really wanted to, they might be able to crack this. It would take some effort, though, and therefore this is a good solution for some basic authentication. Again, if more complicated methods are desired, storing data in a database and providing only a unique, random key to the client will give you the better solution that you need.
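A sturdier form of the same storage-free link, as an added example that is not part of the original tutorial: it swaps md5() over a prepended string for HMAC-SHA256 with a secret key, and goes beyond the text by signing an expiry time along with the address. `VERIFY_KEY`, the `x` parameter and the function names are hypothetical, and the key shown is a constructed placeholder.

```php
<?php
// Added example: VERIFY_KEY, sign(), make_link() and check_link() are hypothetical names.
// The key is a constructed placeholder; a real one is random and loaded from configuration.
const VERIFY_KEY = 'replace-with-random-bytes-from-config';

// The tag covers both the expiry and the address, so neither can be changed
// in the link without invalidating it.
function sign(string $email, int $expires): string {
    return hash_hmac('sha256', $expires . '|' . $email, VERIFY_KEY);
}

function make_link(string $email, int $ttl = 86400): string {
    $expires = time() + $ttl;
    return 'http://example.com/verify.php?' . http_build_query([
        'e' => $email, 'x' => $expires, 'h' => sign($email, $expires),
    ]);
}

// $query is the parsed query string ($_GET on the verification page).
// Returns the verified address, or null if the link is malformed, altered or expired.
function check_link(array $query): ?string {
    foreach (['e', 'x', 'h'] as $field) {
        if (!isset($query[$field]) || !is_string($query[$field])) {
            return null;
        }
    }
    if (!preg_match('/\A\d{1,12}\z/', $query['x'])) {
        return null;
    }
    $expires = (int) $query['x'];
    if (!hash_equals(sign($query['e'], $expires), $query['h'])) {
        return null;   // address, expiry or tag was altered
    }
    return $expires >= time() ? $query['e'] : null;
}

// Constructed sample run.
parse_str(parse_url(make_link('alice@example.com'), PHP_URL_QUERY), $query);
var_dump(check_link($query));             // the link exactly as it was sent
$query['e'] = 'someone.else@example.com';
var_dump(check_link($query));             // address swapped, tag left unchanged
```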

  1. Maddy November 1, 2007

    Gr8 ……..
    It's Working Nicely