
What is the proper way to activate an account via $_GET?

So right now when a user registers, their password is hashed and stored, their id is stored as a primary key and the cell in the field email_activation is enumerated to 'no' by default. They are then sent an email where their account can be activated by clicking on the link below.

http://website.com/activation.php?id=1&pass=23a000e03e9116c958dh923542

After clicking on the link the following script runs:

// id and password hash are taken straight from the query string
$id = $_GET['id'];
$hashPass = $_GET['pass'];

mysql_query("UPDATE members SET email_activation='yes' WHERE members_id='$id' AND members_password='$hashPass'");

Does this seem like a safe way to activate someone's account considering their hashed pass is part of the URL (assuming proper sanitation of strings, etc...)?


No. Use a separate field to contain the activation hash, and base the hash on multiple things (username, password hash, time of day, etc.).


There's no need to put the password, hashed or not, in the link (and no, you shouldn't do that).

Store a different random value in addition to the password in your database, and then put that random value in the link. (See: http://en.wikipedia.org/wiki/Cryptographic_nonce)

Since the random activation value will only be used once (and isn't something that can grant normal access to the account), it's fine to put it in a URL.
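A worked version of what the two answers above recommend (a separate activation field, a one-time random value in the link, never the password hash), added here as an example; it is not code from the question or from any of the answerers. It assumes PHP 7+, a PDO connection, and a `members` table with two extra columns, `activation_token` and `activation_expires`; those column names, the DSN and the URL are assumptions. In place of a hash derived from username, password hash and time of day, it uses `random_bytes()` for the token, stores only a SHA-256 of it, and clears it on first use so the link cannot be replayed.

```php
<?php
// Added example; assumed schema: members(members_id, email_activation,
// activation_token CHAR(64) NULL, activation_expires DATETIME NULL).
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'user', 'secret'); // assumed DSN
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Registration side: create a one-time token, store only its hash, return the raw
// token so it can be emailed. A leaked database dump then contains no usable links.
function createActivationToken(PDO $pdo, int $memberId): string
{
    $token = bin2hex(random_bytes(32));          // 256 bits from the CSPRNG, 64 hex chars
    $tokenHash = hash('sha256', $token);
    $stmt = $pdo->prepare(
        'UPDATE members
            SET activation_token = :hash,
                activation_expires = DATE_ADD(NOW(), INTERVAL 1 DAY)
          WHERE members_id = :id'
    );
    $stmt->execute([':hash' => $tokenHash, ':id' => $memberId]);
    return $token;
}

// Only the member id and the one-time token go into the link; the password hash never does.
function activationLink(int $memberId, string $token): string
{
    return 'https://website.com/activation.php?' .
        http_build_query(['id' => $memberId, 'token' => $token]);
}

// activation.php side: validate the token format, compare hashes in constant time,
// check expiry, then flip email_activation and consume the token in one statement.
function activateAccount(PDO $pdo, int $memberId, string $token): bool
{
    // Reject anything that is not exactly 64 lowercase hex characters before querying.
    if (!preg_match('/^[0-9a-f]{64}$/', $token)) {
        return false;
    }
    $stmt = $pdo->prepare(
        "SELECT activation_token, activation_expires
           FROM members
          WHERE members_id = :id AND email_activation = 'no'"
    );
    $stmt->execute([':id' => $memberId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || $row['activation_token'] === null) {
        return false;                                // unknown id, already active, or no token issued
    }
    if (strtotime($row['activation_expires']) < time()) {
        return false;                                // expired; the user must request a new link
    }
    // hash_equals() avoids leaking the stored value through timing differences.
    if (!hash_equals($row['activation_token'], hash('sha256', $token))) {
        return false;
    }
    $stmt = $pdo->prepare(
        "UPDATE members
            SET email_activation = 'yes', activation_token = NULL, activation_expires = NULL
          WHERE members_id = :id AND activation_token = :hash"
    );
    $stmt->execute([':id' => $memberId, ':hash' => $row['activation_token']]);
    // rowCount() === 1 means this request consumed the token; a concurrent duplicate sees 0.
    return $stmt->rowCount() === 1;
}

// Request handler for activation.php (assumed entry point).
$memberId = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
$token    = (string) filter_input(INPUT_GET, 'token', FILTER_DEFAULT);
if ($memberId === false || $memberId === null || !activateAccount($pdo, $memberId, $token)) {
    http_response_code(400);
    echo 'Invalid or expired activation link.';
} else {
    echo 'Your account is now active.';
}
```

Prepared statements replace the string-interpolated `mysql_query()` call from the question, so the "assuming proper sanitation" caveat no longer rests on the caller; the single conditional UPDATE is what makes the token one-time even under two simultaneous clicks.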


It's not very safe to do that, no. It would be better to assign a unique and random key instead.


I'd create another field in your table just for activation. That way you won't have the password hash in the URL.

(I wasn't quick enough on my response.)
