I am building a website where users enter their phone numbers and an OTP (one-time password) is sent to their mobile phones. I am using an API service that sends messages to customers' mobile phones, but it doesn't create a one-time password and it doesn't have a system for verification. So I will do this myself instead: create a 6-digit password and put it inside the message. But my question is, how can I verify that the customer entered the correct password?
One way to do this is to save that password in the database and check whether the customer entered a matching password. But in this case, I don't know where to store this password inside the database. Should I create a table for password verifications? If so, I also need to create a GSM number column for checking passwords, which means I need to hold customers' GSM numbers somewhere, but I don't think it is necessary. There should be a way to verify passwords without needing the customer's mobile phone number. (As far as I know.)
Another way is to store the OTP in a cookie and, after the customer enters the password, check it against the password inside the cookie, but I think it is not a safe way since cookie values can be reached from the user interface.
I guess I can use triggers and/or stored procedures for this, but I still have no idea.
CodePudding user response:
You can create a verification table in which the number to be verified, the verification code, the verification status and the expiry time are stored. When a user clicks verify, you match his/her code with the one in your database and, if it is correct and within the expiry timeframe, you update the verification status.
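The following is an added example of that verification table approach in Python, not code from the poster or the answerer. It uses an in-memory SQLite table whose column names (`phone`, `code_hash`, `status`, `attempts`, `expires_at`), the five-minute lifetime and the five-attempt limit are all assumptions. The phone number column the question wants to avoid is what ties the code to the number that received the SMS; without it, any valid code would verify any number. The code is stored as a keyed hash rather than in plaintext so a leaked table does not hand out live codes, it is compared in constant time, and every row is single use.

```python
import hashlib
import hmac
import secrets
import sqlite3
import time
from typing import Optional

# Constructed in-memory database for the example; a real deployment would use
# its application database. Column names here are assumptions, not the poster's schema.
DB = sqlite3.connect(":memory:")
DB.execute("""
CREATE TABLE phone_verifications (
    id         INTEGER PRIMARY KEY,
    phone      TEXT    NOT NULL,
    code_hash  TEXT    NOT NULL,
    status     TEXT    NOT NULL DEFAULT 'pending',
    attempts   INTEGER NOT NULL DEFAULT 0,
    expires_at REAL    NOT NULL
)
""")

CODE_TTL_SECONDS = 300          # assumed lifetime of a code: 5 minutes
MAX_ATTEMPTS = 5                # assumed guess budget before the code is locked
SERVER_KEY = secrets.token_bytes(32)  # server-side HMAC key; keep it out of the database


def hash_code(phone: str, code: str) -> str:
    """Keyed hash bound to the phone number, so a code issued for one number
    cannot be replayed against another even if the table leaks."""
    return hmac.new(SERVER_KEY, f"{phone}:{code}".encode(), hashlib.sha256).hexdigest()


def issue_code(phone: str, now: Optional[float] = None) -> str:
    """Create a 6-digit code, store only its keyed hash, and return the plaintext
    for the SMS API. The plaintext is never written to the database or logs."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"   # secrets, not random: unpredictable
    # Any earlier pending code for this number stops working; only the newest counts.
    DB.execute(
        "UPDATE phone_verifications SET status='superseded' WHERE phone=? AND status='pending'",
        (phone,),
    )
    DB.execute(
        "INSERT INTO phone_verifications (phone, code_hash, expires_at) VALUES (?, ?, ?)",
        (phone, hash_code(phone, code), now + CODE_TTL_SECONDS),
    )
    DB.commit()
    return code


def verify_code(phone: str, submitted: str, now: Optional[float] = None) -> bool:
    """Check a submitted code against the pending row for this number.
    Handles expiry, a guess limit, and single use."""
    now = time.time() if now is None else now
    row = DB.execute(
        "SELECT id, code_hash, attempts, expires_at FROM phone_verifications "
        "WHERE phone=? AND status='pending' ORDER BY id DESC LIMIT 1",
        (phone,),
    ).fetchone()
    if row is None:
        return False                      # nothing pending: never issued, used, or locked
    row_id, stored_hash, attempts, expires_at = row
    if now > expires_at:
        DB.execute("UPDATE phone_verifications SET status='expired' WHERE id=?", (row_id,))
        DB.commit()
        return False
    if attempts >= MAX_ATTEMPTS:
        DB.execute("UPDATE phone_verifications SET status='locked' WHERE id=?", (row_id,))
        DB.commit()
        return False
    # Count the attempt before comparing so every guess, right or wrong, costs one try.
    DB.execute("UPDATE phone_verifications SET attempts=attempts+1 WHERE id=?", (row_id,))
    ok = hmac.compare_digest(stored_hash, hash_code(phone, submitted))  # constant time
    if ok:
        DB.execute("UPDATE phone_verifications SET status='verified' WHERE id=?", (row_id,))
    DB.commit()
    return ok


def status_for(phone: str) -> Optional[str]:
    """Latest verification status for a number, or None if none was ever issued."""
    row = DB.execute(
        "SELECT status FROM phone_verifications WHERE phone=? ORDER BY id DESC LIMIT 1",
        (phone,),
    ).fetchone()
    return row[0] if row else None
```

Usage is `code = issue_code(phone)` followed by handing `code` to the SMS provider, then `verify_code(phone, user_input)` when the form is submitted; the `attempts` column is what makes a 6-digit code safe against online guessing, since without it a million requests would find the code. Nothing needs to live in a cookie: the browser only ever sees the form field, and the state stays server-side.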