Activating Accounts

On a site that doesn’t require payment, I normally include an activation process:
1. When the user registers, a random code is stored in the users table.
2. An email is sent to the registered email address, which includes a link to an activation page on the site. The link passes the user’s email address and the specific code to the PHP page:
(For even better security, you could pass a hash of the email address.)
3. The PHP page confirms that there’s a record in the table with that combination of email address and code, then presents the opportunity to log in.
4. When the user logs in, the query must confirm that the email and password combination is correct, and that the code matches, too.
5. Upon successful login, the code column in the table is set to NULL, to indicate that the account is now active.
6. Subsequent logins will require that the email address and password are correct, and that the code column has a NULLvalue.
This is called a “closed-loop” confirmation process and prevents fake registrations. In this “Knowledge Is Power” site, using PayPal will prevent fake registrations, because hackers don’t typically spend money in their hack attempts.
2. Apply the error handler:
This line tells PHP to use the custom function for handling errors. If you don’t execute this function call, PHP will still use its default handler. This is also why a parse error won’t go through your own error handler: The parse error prevents the PHP script from being executed.
function my_error_handler($e_number, $e_message, $e_file, $e_line, $e_vars) {
PHP allows you to define your own functions for handling errors. By doing so, you can precisely control what errors get reported, how, and in what detail. Every time a PHP error occurs, or one is triggered using trigger_error(), this function will be called by a script that will be created shortly. The only errors that can’t use the customer error handler are parse and other serious PHP errors that would prevent this script from being executed in the first place.
define ('BASE_URI', '/path/to/dir/');
define ('BASE_URL', '');
define ('MYSQL', BASE_URI . '');
Foreign key constraints exist in two tables: pages and orders. The constraints require that a corresponding value for a foreign key must exist as a primary key in the related table. For example, an order with a users_id value of 23890 can only be recorded if there’s already a users record with an id of 23890. No actions are set for when an associated primary key record (for example, the users record with an id of 23890) is updated or deleted, as I wouldn’t put that functionality into the site (that is, you’d never delete a record or change a primary key value).
A different type of site testing you could address is performance. If you want to start with the big picture—how well the server copes with demand—software like ApacheBench ( and Siege ( will run benchmarks on your web server, reporting on how many requests can be handled per second. Requests per second (RPS) is the standard measuring tool for a site’s performance. Once you start checking your site’s performance, you’ll find that big, systemwide changes you make will have the greatest impact. These include
 Changing the server hardware: increasing memory, installing faster hard drives, and using faster processors
 Changing the demands on the server: disabling unnecessary features, putting fewer users or sites on a single server, and balancing loads across multiple servers
 Caching the PHP output
 Caching the PHP execution
 Caching the database results
If MySQL is running with the --log-long-format feature enabled, the database will write to the log any queries that aren’t using indexes

Bibliographic Information

Effortless Commerce With PHP And MySQL
by Larry Ullman, ISBN 0321656229 / 978-0321656223
2010, New Riders

These are notes I made after reading this book. See more book notes

Just to let you know, this page was last updated Sunday, May 29 22