Email verification is a method used during user registration or account updates to ensure the email address provided is valid and owned by the user. It helps protect account integrity and prevents unauthorized access by malicious users.
In PHP, we can obtain the email address submitted through a form like this:
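$email = filter_var($_POST['email'] ?? '', FILTER_VALIDATE_EMAIL); // Address entered by the user, or false if it is malformed
This reads the form field whose name attribute is "email" from the $_POST superglobal and validates it before it is used as a mail recipient.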
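Use PHP’s random_int() function to generate a six-digit verification code and the mail() function to send it to the user. random_int() draws from a cryptographically secure source, whereas the output of rand() is predictable and should not be used for security codes:
session_start(); // The code must survive until the user submits it
$verify = random_int(100000, 999999); // Generate a six-digit random code
$_SESSION['verify'] = (string) $verify; // Keep the code server-side for the later comparison
$to = $email; // Recipient email
$subject = "Email Verification Code"; // Email subject
$message = "Your verification code is: " . $verify; // Email content
$headers = "From: noreply@example.com"; // Sender's email (placeholder address)
mail($to, $subject, $message, $headers); // Send the email
After the user enters the received code, we compare it with the originally generated code, which was stored in the session because PHP variables do not persist between requests:
session_start();
$expected = $_SESSION['verify'] ?? ''; // Code issued earlier, if any
if ($expected !== '' && hash_equals($expected, (string) ($_POST['code'] ?? ''))) {
    unset($_SESSION['verify']); // A code can be used only once
    // Verification successful, proceed with registration or update
} else {
    echo "Incorrect verification code, please try again.";
}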
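The verification flow above, extended with an expiry time and a cap on wrong guesses, since a six-digit code has only 900,000 possible values. This is an added example, not code from the original page; the function names, the 'ev' session key and the two policy constants are assumptions, and a plain array stands in for $_SESSION so the script runs from the command line.

```php
<?php
declare(strict_types=1);

// Added example; issueCode, checkCode, CODE_TTL, MAX_TRIES and 'ev' are hypothetical names.
const CODE_TTL  = 600; // Seconds a code stays valid (assumed policy)
const MAX_TRIES = 5;   // Wrong guesses allowed per code (assumed policy)

// Generate a code, keep only its hash in the session, and return the
// plaintext so the caller can e-mail it.
function issueCode(array &$session, int $now): string
{
    $code = (string) random_int(100000, 999999); // CSPRNG, unlike rand()
    $session['ev'] = [
        'hash'    => hash('sha256', $code), // Plaintext code is not kept in session storage
        'expires' => $now + CODE_TTL,
        'tries'   => 0,
    ];
    return $code;
}

// Return true only for a correct, unexpired code that has not been used.
function checkCode(array &$session, string $submitted, int $now): bool
{
    $state = $session['ev'] ?? null;
    if ($state === null || $now > $state['expires'] || $state['tries'] >= MAX_TRIES) {
        unset($session['ev']); // Expired or exhausted: a new code must be issued
        return false;
    }
    $session['ev']['tries']++; // Count the attempt before comparing
    if (!hash_equals($state['hash'], hash('sha256', $submitted))) {
        return false;
    }
    unset($session['ev']); // Success: the code cannot be replayed
    return true;
}

// Constructed demonstration with fixed timestamps.
$session = [];
$code = issueCode($session, 1000);
var_dump(checkCode($session, '000000', 1001)); // Wrong code (outside the issued range)
var_dump(checkCode($session, $code, 1002));    // Correct code
var_dump(checkCode($session, $code, 1003));    // Replay of a code already used
$code = issueCode($session, 2000);
var_dump(checkCode($session, $code, 2000 + CODE_TTL + 1)); // Correct code after expiry
```

In a web request, pass $_SESSION and time() instead of the array and fixed timestamps.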
Besides email verification, you can enhance security using the following methods:
Implement a restriction on failed login attempts. Temporarily blocking access after several failed tries helps mitigate brute-force attacks.
Enable HTTPS to secure data during transmission. TLS (the successor to SSL) prevents credentials from being intercepted or modified by attackers on the network.
Using a CAPTCHA on the login page prevents bots from automating brute-force attacks. Here’s an example of generating a graphical CAPTCHA:
session_start();
$code = random_int(1000, 9999); // Generate a 4-digit code from a cryptographically secure source
$_SESSION['code'] = $code; // Store code in session
// Create CAPTCHA image
$image = imagecreatetruecolor(60, 20);
$bgcolor = imagecolorallocate($image, 255, 255, 255); // Background color
imagefill($image, 0, 0, $bgcolor);
$fontcolor = imagecolorallocate($image, 0, 0, 0); // Font color
imagestring($image, 5, 10, 4, $code, $fontcolor);
header('Content-Type: image/png');
imagepng($image);
imagedestroy($image);
This code generates a simple image with a 4-digit CAPTCHA code, which can be verified later by comparing it to the session-stored value.
Combining email verification with login attempt limits, SSL encryption, and CAPTCHA offers a robust defense against unauthorized logins. Developers should tailor these strategies to their specific application needs to ensure maximum user security.