So right now when a user registers, their password is hashed and stored, their id is stored as a primary key and the cell in the field email_activation is enumerated to 'no' by default. They are then sent an email where their account can be activated by clicking on the below link.
http://website.com/activation.php?id=1&pass=23a000e03e9116c958dh923542
After clicking on the link the following script runs
$id= $_GET['id'];
$hashPass= $_GET['pass'];
mysql_query("UPDATE members SET email_activation='yes' WHERE members_id='$id' AND members_password='$hashPass'")
Does this seem like a safe way to activate someone's account considering their hashed pass is part of the URL (assuming proper sanitation of strings, etc...)?