PHP md5 hash a confirmation URL

Posted on 2010-08-20
Last Modified: 2013-12-13
Hi,

(using PHP and MySQL)

When an unknown user creates an order on my website I want to send an email confirmation to them that will change the order state for that row to 'Active'. I am doing this to make sure that the user entered their email address correctly (for billing later).

I am unsure of a secure way to do this, as I only want the state to be able to change one time from 'inactive' to 'Active'.

The part that I cannot figure out is how to securely send the URL that changes the state of the order to the customer.

How would I md5 hash the order id and maybe the page name, instead of it looking like this:

http://www.website.com/activate.php?id=3&state=Active

Any suggestions on doing it a better way or help in figuring it out would be gratefully appreciated.

thanks.
Question by:Solutionabc
4 Comments
 
LVL 3

Expert Comment

by:JtR
ID: 33489366
If I understand your problem, then you just want to make an email confirmation (opt-in) for a specific action, right?

You need to save your parameters in the database together with a "randomly" generated hash.
Then you send a link to a script with the hash as the id to the user's email.

When the user runs the script, the script has to read out the action parameters from the database and start the action, and then remove the handle from the database when the action is finished.
 
LVL 111

Accepted Solution

by:
Ray Paseur earned 2000 total points
ID: 33489400
Make a hash of the current time() and the email address.  Store the current time(), the email address and the md5() hash in your data base, along with a column that is named "verified" and says FALSE.  Send an email to the client with a link to the verification page that looks something like this (note the md5() code of the hash).

Click here to verify your order:
http://example.com/verify.php?q=6eea9b7ef19179a06954edd0f6c05ceb

In the "verify.php" script, find the value in $_GET["q"] and use it to query the data base for a SELECT match on the md5() hash.  If it is not found, issue an error message.  If it is found, change the column named "verified" to say TRUE.  And send another email to the client saying "Thank You!"

As you code this, remember that email addresses are not case-sensitive, but md5() hashes treat the input as case-sensitive.  So you might want to use strtoupper() on the inputs to the md5() function calls.
 
LVL 3

Expert Comment

by:JtR
ID: 33489492
If you do it like Ray Paseur suggests, then don't forget to clean/validate the $_SET['q'] before writing it to the MySQL query! (risk of SQL INJECTION).

I would not save the email; I would only save the hash and the identifiers for the action that you want to do when the address is verified. You also should add a column for a timeout so that the login handle "expires" after a while.

 
LVL 111

Expert Comment

by:Ray Paseur
ID: 33491266
If you do not save the email, you won't be able to send a "Thank You" message.  I cannot think of any application design that would deliberately lose a piece of data that is this important.  The idea about having a date for expiring the offer is a good one.  You could even have a cron job that runs once a day and looks for orders that are nearing expiration.  You could send a reminder message ("Only three more days...") to those clients.

I suppose it should go without saying that any script that takes data from the URL ($_GET["q"] is the correct variable in the example, not $_SET) needs to filter that data.  In the case of an expected md5() string, you can see that it consists of letters and numbers only and is 32 bytes long.  These are easy things to test for, and a string that fails these tests can simply be discarded.  For general advice and assistance in cleaning up external input, the PHP filter functions are most valuable.
http://us2.php.net/manual/en/filter.filters.php

Best regards, ~Ray
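The flow worked out across the accepted solution and the follow-up comments (opaque token in the link, token validated as exactly 32 hex characters before it touches the query, an expiry column, and a single state change from 'inactive' to 'Active'), as an added example that is not code from the thread. It assumes PDO, a hypothetical `orders` table with columns `id`, `state`, `token` and `token_expires`, and swaps in a CSPRNG token (`random_bytes`) for the md5(time() + email) construction, keeping the same 32-hex-character shape so the input check is unchanged.

```php
<?php
// Added example, not from the thread. Assumed schema:
//   orders(id INT, email VARCHAR, state VARCHAR, token CHAR(32) NULL, token_expires DATETIME NULL)
declare(strict_types=1);

const TOKEN_TTL = '+3 days';   // expiry window for the confirmation link

// Called when the order is created: mint a token, store it with an expiry, build the link.
function createConfirmationLink(PDO $db, int $orderId): string
{
    // Swap-in: 16 random bytes from the CSPRNG, hex-encoded to 32 characters.
    // Same shape as an md5() hex digest, so confirmOrder() can check it the same way.
    $token   = bin2hex(random_bytes(16));
    $expires = date('Y-m-d H:i:s', strtotime(TOKEN_TTL));

    $st = $db->prepare('UPDATE orders SET token = ?, token_expires = ? WHERE id = ?');
    $st->execute([$token, $expires, $orderId]);

    // Only the opaque token goes into the URL; the order id and state are not exposed.
    return 'https://example.com/verify.php?q=' . $token;
}

// Called from verify.php with $_GET['q']. Returns true only on the first valid use.
function confirmOrder(PDO $db, $q): bool
{
    // Input filter from Ray's last comment: letters and numbers only, 32 long.
    // A hex digest is exactly 32 chars of [0-9a-f]; anything else is discarded.
    if (!is_string($q) || !preg_match('/\A[0-9a-f]{32}\z/', $q)) {
        return false;
    }

    // Prepared statement: the token is bound as data, never spliced into SQL text.
    // The WHERE clause enforces "not yet active" and "not expired" in one atomic
    // UPDATE and clears the token, so the link cannot be replayed.
    $st = $db->prepare(
        "UPDATE orders SET state = 'Active', token = NULL, token_expires = NULL
          WHERE token = ? AND state = 'inactive' AND token_expires > NOW()"
    );
    $st->execute([$q]);

    return $st->rowCount() === 1;   // exactly one row changed = first valid use
}

// verify.php usage (assumes $db is an already-opened PDO connection):
// echo confirmOrder($db, $_GET['q'] ?? null) ? 'Thank you!' : 'Invalid or expired link.';
```

Because `rowCount()` is checked on the UPDATE rather than on a prior SELECT, two near-simultaneous requests with the same link cannot both succeed.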
