douyouchou1085 2011-11-19 13:30
浏览 203
已采纳

验证未经验证的电子邮件地址?

Say a user registers on a site with an email address that needs to be verified first before accepting the user's registration.

The general approach is to send an email to the email address provided. The user then checks his/her inbox and clicks a link that would tell the site that the email address is valid. Usually, the link would have some sort of code embedded in it that tells the site whether it's a legit validation of the email address.

My question is about the code. What's the best way to implement it? Some ideas:

  1. A random string is generated when a new address is entered into the site. This random string is stored in the the DB and then emailed to the registrant. The link in the email will contain the random string as part of the URL.
  2. The email addressed is hashed. This means nothing needs to be saved in the database because the application will know how to unhash this. (My concern with this approach is if the user later changes his email address to something he previously entered, the hash would be the same. Not sure if this poses some sort of security threat.)
  3. Some other approach?

I'm looking for general advice to this problem.

  • 写回答

2条回答 默认 最新

  • duannue2455 2011-11-19 13:34
    关注

    Number one, the random string, is the safest (and AFAIK, the most common) way to go: It makes it completely impossible to maliciously do things to E-Mail addresses that I haven't received the E-Mail for.

    Also, you can remove the random string after successful completion, making it clear that that particular address doesn't need activation any more.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论
查看更多回答(1条)

报告相同问题?

悬赏问题

  • ¥15 求差集那个函数有问题,有无佬可以解决
  • ¥15 【提问】基于Invest的水源涵养
  • ¥20 微信网友居然可以通过vx号找到我绑的手机号
  • ¥15 寻一个支付宝扫码远程授权登录的软件助手app
  • ¥15 解riccati方程组
  • ¥15 display:none;样式在嵌套结构中的已设置了display样式的元素上不起作用?
  • ¥15 使用rabbitMQ 消息队列作为url源进行多线程爬取时,总有几个url没有处理的问题。
  • ¥15 Ubuntu在安装序列比对软件STAR时出现报错如何解决
  • ¥50 树莓派安卓APK系统签名
  • ¥65 汇编语言除法溢出问题