doukanwen4114 2011-07-27 22:24
浏览 11
已采纳

通过$ _GET激活帐户的正确方法是什么?

So right now when a user registers, their password is hashed and stored, their id is stored as a primary key and the cell in the field email_activation is enumerated to 'no' by default. They are then sent an email where their account can be activated by clicking on the below link.

http://website.com/activation.php?id=1&pass=23a000e03e9116c958dh923542

After clicking on the link the following script runs

$id= $_GET['id'];
$hashPass= $_GET['pass'];

mysql_query("UPDATE members SET email_activation='yes' WHERE members_id='$id' AND members_password='$hashPass'")

Does this seem like a safe way to activate someone's account considering their hashed pass is part of the URL (assuming proper sanitation of strings, etc...)?

  • 写回答

4条回答 默认 最新

  • dongyan1491 2011-07-27 22:27
    关注

    There's no need to put the password, hashed or not, in the link (and no, you shouldn't do that).

    Store a different random value in addition to the password in your database, and then put that random value in the link. (See: http://en.wikipedia.org/wiki/Cryptographic_nonce)

    Since the random activation value will only be used once (and isn't something that can grant normal access to the account), it's fine to put it in a URL.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(3条)

报告相同问题?

悬赏问题

  • ¥15 寻一个支付宝扫码远程授权登录的软件助手app
  • ¥15 解riccati方程组
  • ¥15 display:none;样式在嵌套结构中的已设置了display样式的元素上不起作用?
  • ¥30 用arduino开发esp32控制ps2手柄一直报错
  • ¥15 使用rabbitMQ 消息队列作为url源进行多线程爬取时,总有几个url没有处理的问题。
  • ¥15 Ubuntu在安装序列比对软件STAR时出现报错如何解决
  • ¥50 树莓派安卓APK系统签名
  • ¥65 汇编语言除法溢出问题
  • ¥15 Visual Studio问题
  • ¥20 求一个html代码,有偿