I was thinking about this method:
- The user enters username, password, etc. in the registration form and clicks on submit.
- I store the values in the db (the pw is hashed, of course), generate a random string token variable for this user in the database, and set a variable to false in the database, meaning that the user's registration is not confirmed yet.
- I send the confirmation e-mail to the user's e-mail address: please confirm your registration here: domain.com/confirm.php?token=RANDOMSTRING, where RANDOMSTRING is the string which I generated at registration when he clicked on submit. With this method I think the user cannot confirm anyone else's registration, only his/her own registration.
- The user clicks on the link in the e-mail; here I ask for more data about himself (on the domain.com/confirm.php?token=RANDOMSTRING page), he adds more data about himself in the form and confirms the registration. And I set a variable to true in the db, meaning the user's registration is confirmed. (In confirm.php I check whether the token exists in the database.)
Is it a good method?
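
The flow described in the post, sketched in PHP as an added example that is not part of the original post. Assumptions not taken from the post: the in-memory SQLite database, the table and column names, the function names, the 24-hour expiry, and storing only a SHA-256 hash of the token so that it works once.

```php
<?php
// Added example: schema, names and expiry are assumptions, not from the post.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    username TEXT UNIQUE NOT NULL,
    email TEXT NOT NULL,
    pw_hash TEXT NOT NULL,
    token_hash TEXT UNIQUE,          -- SHA-256 of the e-mailed token
    token_expires INTEGER,           -- Unix time after which the link is dead
    confirmed INTEGER NOT NULL DEFAULT 0
)');

// Registration: store the user unconfirmed and return the link to e-mail.
function register_user(PDO $db, string $user, string $email, string $pw): string
{
    $token = bin2hex(random_bytes(32));   // 256 bits from the CSPRNG
    $stmt = $db->prepare('INSERT INTO users
        (username, email, pw_hash, token_hash, token_expires)
        VALUES (?, ?, ?, ?, ?)');
    $stmt->execute([$user, $email, password_hash($pw, PASSWORD_DEFAULT),
        hash('sha256', $token), time() + 86400]);
    return 'https://domain.com/confirm.php?token=' . $token;
}

// confirm.php: true only for a known, unexpired, not yet used token.
function confirm_registration(PDO $db, string $token): bool
{
    if (!preg_match('/\A[0-9a-f]{64}\z/', $token)) {
        return false;                      // malformed input is rejected early
    }
    $stmt = $db->prepare('UPDATE users
        SET confirmed = 1, token_hash = NULL, token_expires = NULL
        WHERE token_hash = ? AND confirmed = 0 AND token_expires >= ?');
    $stmt->execute([hash('sha256', $token), time()]);
    return $stmt->rowCount() === 1;        // one atomic UPDATE: a replay matches 0 rows
}

// Constructed sample run.
$link = register_user($db, 'alice', 'alice@example.com', 'correct horse');
parse_str(parse_url($link, PHP_URL_QUERY), $q);
var_dump(confirm_registration($db, $q['token']));         // first click
var_dump(confirm_registration($db, $q['token']));         // same link again
var_dump(confirm_registration($db, str_repeat('0', 64))); // guessed token
```

Because the lookup and the flag change happen in a single UPDATE, two simultaneous requests with the same link cannot both succeed, and a leaked database dump exposes only token hashes, not usable confirmation links.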