mischka (Posted January 22, 2013)

Hi Guys,

I'm currently contemplating a module to "validate" pilots with a validation email. You know the drill: you sign up for something, you get an email and then you click on the link and you get validated. phpVMS currently doesn't support this - we only have the option to let everyone in or to manually validate people. So I thought this might be a good idea.

All I have to do is set pilots to not be automatically validated and then to write a module which validates them when clicking on a link. Now, the question is, what to put in the link? I thought about the 'salt' field, which is unique for each user and also quite cryptic. Just putting a pilotid in the link wouldn't be secure enough.

But does this pose any security risks? I mean, if somebody knows the 'salt', could they use this to somehow decrypt passwords or something?

Tom (Posted January 22, 2013)

If they knew the salt there would be no point in it existing, so yes it would greatly reduce security.

You could do something like md5 their pilotid+email+something else in the pilot row - something that doesn't change, then you can compare what's in the url without having to add any extra fields in the database.

mischka (Posted January 22, 2013)

Hmmmm.. I'm quite good in MD81's but about md5 I haven't got a clue lol. How about a random snapshot of 5 or 10 characters from the salt? That would be enough to identify the record but I suppose just a part of the salt wouldn't be enough to do anything, right?

Tom (Posted January 23, 2013)

Well in php to send it to them:

    $validationCode = md5($userinfo->pilotid.$userinfo->email.$userinfo->password);

Then when checking:

    "SELECT * FROM ".TABLE_PREFIX."pilots WHERE MD5(CONCAT(pilotid, email, password)) = '".$validationCode."'"

Where validation code in the sql is coming from the URL... (so make sure it's cleaned first)

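The validation link discussed in this thread in a hardened form, as an added example that is not part of any post and not phpVMS code: the code in the link is an HMAC keyed with a server-side secret, the lookup uses a bound parameter, and the comparison is constant-time. The `pilots` table layout, the `confirmed` column, `VALIDATION_SECRET`, the URL and the sample pilot are assumptions made for the demo.

```php
<?php
// Added example, not phpVMS code; table, columns, secret and sample row are constructed.

// Server-side secret kept in configuration, never in the database or the e-mail.
const VALIDATION_SECRET = 'replace-with-random-bytes-from-config';

// Token = HMAC-SHA256 over fields that do not change, keyed with the secret.
function makeToken(int $pilotid, string $email): string
{
    return hash_hmac('sha256', $pilotid . '|' . $email, VALIDATION_SECRET);
}

// The link carries the pilot id and the token; salt and password hash stay on the server.
function makeLink(string $baseUrl, int $pilotid, string $email): string
{
    $query = http_build_query(['id' => $pilotid, 'code' => makeToken($pilotid, $email)]);
    return $baseUrl . '?' . $query;
}

// Returns true only if the code matches and the pilot was still unconfirmed.
function confirmPilot(PDO $db, array $query): bool
{
    $id   = filter_var($query['id'] ?? null, FILTER_VALIDATE_INT);
    $code = $query['code'] ?? '';
    if ($id === false || !is_string($code)) {
        return false;
    }
    // Bound parameter: the URL value never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT email FROM pilots WHERE pilotid = ? AND confirmed = 0');
    $stmt->execute([$id]);
    $email = $stmt->fetchColumn();
    // hash_equals() compares the expected and supplied codes in constant time.
    if ($email === false || !hash_equals(makeToken($id, $email), $code)) {
        return false;
    }
    $db->prepare('UPDATE pilots SET confirmed = 1 WHERE pilotid = ?')->execute([$id]);
    return true;
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE pilots (pilotid INTEGER PRIMARY KEY, email TEXT, confirmed INTEGER DEFAULT 0)');
$db->exec("INSERT INTO pilots (pilotid, email) VALUES (7, 'pilot@example.com')");

$link = makeLink('https://va.example/index.php/validate', 7, 'pilot@example.com');
parse_str(parse_url($link, PHP_URL_QUERY), $query);
var_dump(confirmPilot($db, $query));                        // link as e-mailed
var_dump(confirmPilot($db, $query));                        // same link used again
var_dump(confirmPilot($db, ['id' => '7', 'code' => 'x']));  // tampered code
```
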
mischka (Posted January 23, 2013)

Great, thanks, I'll give that a try!