I have a form which collects basic user information. On the subsequent page it asks the user to enter a ‘verification’ code to ensure they have access to the email account mentioned.

Additionally, in the event somebody accidentally leaves the site altogether before entering their validation code, I will provide a link with a unique $_GET variable so they can verify their email address.

A couple questions:

1. Is there any harm in storing the validation code in plain site (say the code was 12345) next to the customers email address in a database?
2. Is there a need to ‘hash’ the verification URL $_GET variable? My thought was to simply create a 64 character string, append to the end of a URL and check against a database value (again stored alongside email address).

I would never do the same for user passwords (leave in open un-hashed) but in this case, what is the proper method?

edit

it seems people like the GUID idea (though I’m not sure how it is more unique than say a 64 character randomly generated string). Does the function below seem sufficient?

function getGUID(){
    if (function_exists('com_create_guid')){
        return com_create_guid();
    }else{
        mt_srand((double)microtime()*10000);//optional for php 4.2.0 and up.
        $charid = strtoupper(md5(uniqid(rand(), true)));
        $hyphen = "-";
        $uuid = "{"
            .substr($charid, 0, 8).$hyphen
            .substr($charid, 8, 4).$hyphen
            .substr($charid,12, 4).$hyphen
            .substr($charid,16, 4).$hyphen
            .substr($charid,20,12)
            ."}";
        return $uuid;
    }
}