Guys, I think the above method introduces security vulnerabilities that do not need to be there.
The primary goal of email verification is that we want people who sign up to provide a real email address that they own or at least have access to. We do not want people signing up with, let's say, a random email address that someone else owns, for instance your email address.
The above code has vulnerabilities that could enable a hacker to register a random email address someone else owns and then relatively easily brute force the $user_id value and the $code value on your email verification page.
1st vulnerability
You are using $user_id. Now I know this value could be any number of things, but typically this is going to be an integer, especially if using WordPress, which is circa 30% of the websites on the internet, and looking at the above PHP code it is indeed based on WordPress. The hacker is either given their $user_id as part of the signup process or else they guess their $user_id via brute force, just going up sequentially starting at the number 1 and continuing 2, 3, 4, 5, 6 ... They will guess their $user_id in less than a day, perhaps even in less than an hour if your website does not have that many members.
2nd vulnerability
You are creating a $code using the MD5 hashing function and the time of signup. The hacker knows what time they signed up. Let's say the hacker signs up at 3pm. Now all the hacker has to do is MD5 hash times from 2.55pm to 3.05pm and they will brute force the $code in less than an hour.
Looking at the above, the hacker can just brute force the $user_id and $code in less than a day and verify an email address that they do not own.
tut tut tut
A better approach would be to generate a $code with the rand() function using uppercase (A-Z) and lowercase (a-z) letters, numbers (0-9) and special characters, e.g. (!&#). That MD5 hashing function is only using numbers 0-9 and lowercase letters a-f, and the way ye are using it based on the time of signup is making it incredibly easy to narrow down and brute force attack.
I have written the below PHP code to generate a random $code with Uppercase Letters/Lowercase Letters/Integers/Special Characters. Don't make it so easy for hackers, guys.
function generateRandomString($stringLength) {
    // specify characters to be used in generating the random string; do not specify any characters that WordPress does not allow in the creation
    $characters = "0123456789ABCDEFGHIJKLMNPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz_[]{}!@$%^*().,>=-;|:?";
    // get the total length of the specified characters to be used in generating the random string
    $charactersLength = strlen($characters);
    // declare a string that we will use to build the random string
    $randomString = '';
    for ($i = 0; $i < $stringLength; $i++) {
        // pick one random character
        $randomCharacter = $characters[rand(0, $charactersLength - 1)];
        // append it to the random string
        $randomString .= $randomCharacter;
    }
    // sanitize_user, just in case
    $sanRandomString = sanitize_user($randomString);
    // check that the random string contains Uppercase/Lowercase/Integers/Special Char and that it is the correct length
    // (one lookahead per character class, so all four classes are actually required)
    if ( (preg_match('/^(?=.*[A-Z])(?=.*[a-z])(?=.*[0-9])(?=.*[_\W])/', $sanRandomString) == 1) && (strlen($sanRandomString) == $stringLength) )
    {
        // return the random string if it meets the complexity criteria
        return $sanRandomString;
    } else {
        // if the random string does not meet the minimum criteria, call the function again
        return generateRandomString($stringLength);
    }
} // end of generateRandomString function

// call the function to generate a random string with Uppercase Letters/Lowercase Letters/Integers/Special Characters
// into the function we pass the length of string we require; in this example it will generate a string 32 characters long
$code = generateRandomString(32);
echo $code;
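
A different way to build the verification $code discussed in this post, as an added example that is not the poster's code: it draws the code from PHP's CSPRNG with random_bytes() instead of rand(), stores only a hash with an expiry, and compares with hash_equals(). The in-memory $store array and both function names are assumptions for illustration; on a WordPress site the hash and expiry would live in user meta.

```php
<?php
declare(strict_types=1);

// Added example. $store is a constructed in-memory stand-in for the
// user-meta table; issueVerificationToken/verifyToken are hypothetical names.

/** Issue a one-time verification token; only its SHA-256 hash is stored. */
function issueVerificationToken(array &$store, int $userId, int $now, int $ttl = 86400): string
{
    // 32 bytes from the OS CSPRNG = 256 bits, unrelated to the signup time.
    $token = bin2hex(random_bytes(32));
    $store[$userId] = [
        'hash'    => hash('sha256', $token),
        'expires' => $now + $ttl,
    ];
    return $token; // goes into the emailed link, never kept in plaintext
}

/** Accept a token only if it exists, is unexpired and matches. Single use. */
function verifyToken(array &$store, int $userId, string $token, int $now): bool
{
    if (!isset($store[$userId])) {
        return false;
    }
    $entry = $store[$userId];
    if ($now > $entry['expires']) {
        unset($store[$userId]); // expired tokens are discarded
        return false;
    }
    // hash_equals() compares in constant time.
    if (!hash_equals($entry['hash'], hash('sha256', $token))) {
        return false;
    }
    unset($store[$userId]); // a token verifies once only
    return true;
}

// Constructed walk-through with a fixed clock so the run is repeatable.
$store = [];
$now   = 1700000000;
$token = issueVerificationToken($store, 42, $now);
var_dump(verifyToken($store, 42, str_repeat('0', 64), $now)); // wrong guess
var_dump(verifyToken($store, 42, $token, $now + 60));         // correct token
var_dump(verifyToken($store, 42, $token, $now + 120));        // replay
$late = issueVerificationToken($store, 43, $now);
var_dump(verifyToken($store, 43, $late, $now + 90000));       // past expiry
```

Because the token carries 256 bits of entropy, knowing or guessing the $user_id and the signup time does not narrow the search for the $code.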