?
Solved

Creating a random validation code for email confirmation when registering as a new user

Posted on 2016-08-28
9
Medium Priority
?
61 Views
Last Modified: 2016-08-29
I want to create a secure random code that the user must click on in an email to activate their account. I have read a few posts on google and as usual, everybody has a different opinion! It seems though that a decent one is random_bytes. Is this acceptable? Also, I don't know how to actually use it. I tried this but it has symbols as well which I don't think I can store in a database?

I did this:

$identifier = random_bytes(12);
echo (bin2hex($identifier));

Open in new window


which generated : 2111d60a465f2f8c31ab7596

Is that sufficient or is there a more secure method?
0
Comment
Question by:Black Sulfur
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
9 Comments
 
LVL 111

Accepted Solution

by:
Ray Paseur earned 2000 total points
ID: 41773789
One issue with random_bytes() is that it may generate character strings that are not binary-transport safe.  Email is sensitive about such things.  Almost any string will work for a token.  The important characteristics are (1) the token must be unique and (2) the token must not be easy to guess.

Here's a full explanation complete with working code you can copy and install.
https://www.experts-exchange.com/articles/3939/Registration-and-Email-Confirmation-in-PHP.html
0
 
LVL 1

Author Comment

by:Black Sulfur
ID: 41773791
Thanks, Ray. I see this article was written in 2010. Have you updated the code since then or is it still code from 2010?
0
 
LVL 111

Expert Comment

by:Ray Paseur
ID: 41773806
It is still code from 2010, and it still works just fine.  You're smart to notice the date -- there are a lot of outdated examples scattered about the internet.  Here at E-E we try to update the articles as the technology advances.  There is an update trail, but I don't believe anybody except the authors and the editors can see it.  This one was last updated in 2015, IIRC.
0
What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

 
LVL 1

Author Comment

by:Black Sulfur
ID: 41773808
Okay, great. 2015 sounds good. I just ask because with php 7 there are a lot of "better" ways to do things and more secure. So, I would rather try learn using the latest methods.

But like you said, the article was updated in 2015 so that is great, I will check it out. Thanks so much!
0
 
LVL 111

Expert Comment

by:Ray Paseur
ID: 41773822
Agreed, it's always best to use the latest methods.  But as a friend of mine has said, "Good programmers recognize great programming.  Great programmers recognize good-enough programming!"

:-)
0
 
LVL 1

Author Comment

by:Black Sulfur
ID: 41773855
Just to confirm, is it okay to use MD5 for this? Please note that I am still new to this and there is so much information out there it makes my head spin sometimes as everybody has their own opinion. Anyway, from what I understand, MD5 is not good enough anymore for storing passwords, so I use the password_hash and BCRYPT.

BUT, this isn't for storing a password in the database so I just wanted to confirm that MD5 is still okay as per your article.
0
 
LVL 84

Expert Comment

by:Dave Baldwin
ID: 41773884
MD5 is still widely used for hashing passwords because it is 'good enough' in most situations.  The 'goodness' of encryptions depends as much on the value of the information as the method of encryption.  If there is no financial value to breaking the encryption, then any method that makes it difficult to guess is 'good enough'.  If there is credit card data or other financial info that needs to be protected, then other people have a lot more interest in 'breaking in' to steal the info.
0
 
LVL 111

Expert Comment

by:Ray Paseur
ID: 41773920
...this isn't for storing a password in the database so I just wanted to confirm that MD5 is still okay...
Yep, it's still OK in this context and many other contexts, too.  

For a little more perspective on md5() and other encoding / encryption techniques, see the discussion at the end of this article: See An Afterword: About Storing Passwords
https://www.experts-exchange.com/articles/2391/PHP-Client-Registration-Login-Logout-and-Easy-Access-Control.html
1
 
LVL 58

Expert Comment

by:Julian Hansen
ID: 41774551
My preference is to use GUID's which can be generated in code or if you are using a MySQL server with a simple query. GUID's are in common use for this sort of application - the string is guaranteed to be unique and is non guessable so it satisfies all the requirements you are looking for.

Assumes MySQLi
$result=$mysqli->query("SELECT UUID()");
$row = $result->fetch_row();
$uuid = $row[0];

Open in new window

1

Featured Post

[Webinar] How Hackers Steal Your Credentials

Do You Know How Hackers Steal Your Credentials? Join us and Skyport Systems to learn how hackers steal your credentials and why Active Directory must be secure to stop them.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Author Note: Since this E-E article was originally written, years ago, formal testing has come into common use in the world of PHP.  PHPUnit (http://en.wikipedia.org/wiki/PHPUnit) and similar technologies have enjoyed wide adoption, making it possib…
Part of the Global Positioning System A geocode (https://developers.google.com/maps/documentation/geocoding/) is the major subset of a GPS coordinate (http://en.wikipedia.org/wiki/Global_Positioning_System), the other parts being the altitude and t…
Learn how to match and substitute tagged data using PHP regular expressions. Demonstrated on Windows 7, but also applies to other operating systems. Demonstrated technique applies to PHP (all versions) and Firefox, but very similar techniques will w…
The viewer will learn how to look for a specific file type in a local or remote server directory using PHP.
Suggested Courses

764 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question