I see now why I was confused by this.
Usually, when a person registers, everything goes into a database before
the confirmation is sent. A column in the db table has a status of confirmed or not confirmed. Then, a unique key is created that is written into the user's db row. That key is part of the confirmation email link ... example:
The script called confirm.php compares the key to the database. If it matches, the status is 'confirmed'.
No other information is ever used with the confirmation email except that key.
Do you see how much more secure that would be? Not having the email and password showing in the URL variables?