Should I use the md5 password of a user to verify his account through email?
I am creating a registration form and I will have an email verification. The email will have an activation link that will update the verified column from 0 to 1. Since the user's password is hashed with MD5, I thought that instead of creating a new column with a random number to use as verification, I could use his password.
So instead of *domain.com/verification.php?token=new_random_number* I will have domain.com/verification.php?token=md5
What do you think of this?
This is of course just to avoid one column.
Generate a new random ID for the explicit purpose of the email, then you can invalidate/clear the ID after the user has performed the account management action.
You can use something like:
$secret_word ='COMPLEX-WORD-HERE';
I highly recommend using username instead, since it's unique per user
$validation_token = substr(md5($user_password.$secret_word),0,10);
101% secure :)