Posted by ZeldorBlat on 01/21/06 18:21
johnny wrote:
> hi all,
>
> I have made a script to register contacts in a database with the double
> opt-in system.
>
> Anyway, when looking for some examples, I have found the following
> script which uses a md5 hash code to append on the confirm url sent by
> email to the registering user.
> I tried it but with no results. Don't you think it is missing
> anything?
> How could it work without storing the hash code for the user in a
> database?
> To confirm a registration I think the script should look if the access
> key matches the one it already knows, shouldn't it ?
>
> Anyway I have no problem inserting the hash code into the database,
> it's just that I want to know if I am right to believe the following
> script was wrong.
>
> tia
>
> johnny
>
>
He doesn't need to store it in the database because the hash is just a
function of the email address and the "secret" which, in your code, is
hardcoded to "secret". In other words, the md5 hash being passed in
the URL is, more or less, just the hash of the email address. So if
they match, the script validates it.
Not all that strong, in my opinion. When I do this sort of thing, I'll
generate a random hash (not based on the email address or any other
value) then store it in the database. You can come up with a
reasonably random (hard to guess) hash like this:
$myHash = md5(uniqid(rand(), true));
That could then be stored in the database and compared to the hash
passed in the URL.
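The following is an added example, not code from the thread, showing the stored-random-token design the reply recommends: a token that is independent of the email address is generated at sign-up, only its hash is stored, and the confirm step compares in constant time and enforces single use plus an expiry. It assumes PHP 7 or later (`random_bytes`, `hash_equals`) and uses an in-memory `$pending` array as a stand-in for the database table; `createConfirmation`, `confirmRegistration` and the example address are all invented here.

```php
<?php
// Added example (not from the original thread): double opt-in confirmation
// using a random token stored server-side, as the reply above describes.
// Assumes PHP 7+ (random_bytes, hash_equals). The $pending array stands in
// for the database table the thread refers to.

const TOKEN_TTL_SECONDS = 86400;   // confirmation links expire after one day

$pending = [];  // stand-in for a pending_contacts table: email => [token_hash, expires]

// Step 1: on sign-up, create a token that is independent of the email address.
function createConfirmation(array &$pending, string $email): string
{
    $token = bin2hex(random_bytes(32));          // 256 bits from the CSPRNG
    $pending[$email] = [
        'token_hash' => hash('sha256', $token),  // store a hash, not the token itself
        'expires'    => time() + TOKEN_TTL_SECONDS,
    ];
    return $token;  // this is what goes into the e-mailed URL
}

// Step 2: on confirm, compare what the URL carries with what was stored.
function confirmRegistration(array &$pending, string $email, string $token): bool
{
    if (!isset($pending[$email])) {
        return false;                            // no pending registration
    }
    $row = $pending[$email];
    if (time() > $row['expires']) {
        unset($pending[$email]);                 // stale link, discard it
        return false;
    }
    // hash_equals() compares in constant time, so response timing does not
    // leak how much of the submitted key was correct.
    if (!hash_equals($row['token_hash'], hash('sha256', $token))) {
        return false;
    }
    unset($pending[$email]);                     // single use: a link cannot be replayed
    return true;
}

// Demo with a constructed address (not a real contact)
$email = 'alice@example.com';
$token = createConfirmation($pending, $email);
$url   = 'https://example.com/confirm.php?' . http_build_query(['email' => $email, 'key' => $token]);
echo "Confirmation link: $url\n";

var_dump(confirmRegistration($pending, $email, 'not-the-real-key'));
var_dump(confirmRegistration($pending, $email, $token));
var_dump(confirmRegistration($pending, $email, $token));
```

Because the token is random rather than derived from the address, knowing someone's email address gives no way to construct a valid link, and storing only `hash('sha256', $token)` means a read of the pending table does not yield usable keys either.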