A question about "salt"


mischka

Hi Guys,

I'm currently contemplating a module to "validate" pilots with a validation email. You know the drill: you sign up for something, you get an email and then you click on the link and you get validated.

phpVMS currently doesn't support this - we only have the option to let everyone in or to manually validate people. So I thought this might be a good idea.

All I have to do is set pilots to not be automatically validated and then to write a module which validates them when clicking on a link.

Now, the question is, what to put in the link? I thought about the 'salt' field, which is unique for each user and also quite cryptic. Just putting a pilotid in the link wouldn't be secure enough.

But does this pose any security risks? I mean, if somebody knows the 'salt', could they use this to somehow decrypt passwords or something?


If they knew the salt there would be no point in it existing, so yes it would greatly reduce security.

You could do something like md5 their pilotid+email+something else in the pilot row - something that doesn't change, then you can compare what's in the URL without having to add any extra fields in the database.


Well, in PHP, to send it to them:

$validationCode = md5($userinfo->pilotid.$userinfo->email.$userinfo->password);

Then when checking:

"SELECT * FROM ".TABLE_PREFIX."pilots WHERE MD5(CONCAT(pilotid, email, password)) = '".$validationCode."'"

Where the validation code in the SQL is coming from the URL... (so make sure it's cleaned first)

  • Like 1
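
Added example, not code from any poster in this thread or from phpVMS: one way to build the validation link without exposing the salt and without an extra database field, using a keyed hash (HMAC) instead of a plain MD5, a prepared statement for the lookup, and a constant-time comparison. `VALIDATION_KEY`, the `confirmed` column, the URL and the in-memory SQLite table are assumptions made up for the demonstration.

```php
<?php
// Added example: stateless e-mail validation token, no extra database column.
// Assumptions: VALIDATION_KEY, the column names and the in-memory table are constructed.
const VALIDATION_KEY = 'replace-with-32-random-bytes-kept-outside-the-database';

// Token = HMAC-SHA256 over fields that do not change, keyed with a server-side secret.
// Without the key, knowing pilotid and email is not enough to compute it.
function makeValidationToken(int $pilotId, string $email): string
{
    return hash_hmac('sha256', $pilotId . '|' . strtolower($email), VALIDATION_KEY);
}

// Returns true when the token from the URL matches the pilot row, and marks it confirmed.
function validatePilot(PDO $db, int $pilotId, string $token): bool
{
    // Prepared statement: the URL value never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT email FROM pilots WHERE pilotid = ? AND confirmed = 0');
    $stmt->execute([$pilotId]);
    $email = $stmt->fetchColumn();
    if ($email === false) {
        return false; // unknown pilot, or already validated
    }
    // hash_equals compares the two strings in constant time.
    if (!hash_equals(makeValidationToken($pilotId, $email), $token)) {
        return false;
    }
    $db->prepare('UPDATE pilots SET confirmed = 1 WHERE pilotid = ?')->execute([$pilotId]);
    return true;
}

// Constructed demo data standing in for the pilots table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE pilots (pilotid INTEGER PRIMARY KEY, email TEXT, confirmed INTEGER DEFAULT 0)');
$db->exec("INSERT INTO pilots (pilotid, email) VALUES (7, 'pilot@example.com')");

// Link that would be e-mailed to the pilot.
$token = makeValidationToken(7, 'pilot@example.com');
$link  = 'https://va.example/validate?' . http_build_query(['id' => 7, 'code' => $token]);
echo $link, PHP_EOL;

var_dump(validatePilot($db, 7, str_repeat('0', 64))); // wrong token
var_dump(validatePilot($db, 7, $token));              // correct token
var_dump(validatePilot($db, 7, $token));              // same link used again
```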