如果针对这两个值找到匹配项,那么使用user's email和专用hash检查我的表是否足以验证和激活帐户?
要求用户注册用户数据及其电子邮件ID。然后,他们会向他们的电子邮件发送一个网址,要求他们点击这些网址以确认并激活他们的帐户。
这是我目前的设置:
<?php //The user-account-creation processing page
$email_id = taken from user input;
$randomnessWhateverItsCalled = "lots-of-randomness-here";
UPDATE advert SET advert_hash = SHA1(CONCAT($email_id, $randomnessWhateverItsCalled))
//For simplicity's sake I omitted the PDO stuff
INSERT INTO table_name (..., user_email, hash, account_activated, ...) VALUES (..., usersEmail, advert_hash, NO, ...)
/**
Send an email with some php code with the URL that would look like this
URL to click on attached to email body:
*/
$attachStringToEmailBody = "http://www.domainname.com/activate-user?email_id=" . $usersEmail . "&hash=" . $randomnessWhateverItsCalled;
enter code here
//Send email from this process page with a little email php code
//Redirect user to a page informing the user to activate the account by visiting their email and clicking on the url
?>
然后在activate-user.php页面中,我有以下内容:
<?ph
$user_email = $_GET['email_id'];
$hash = $_GET['hash'];
/**
search database and return a row if there is a match containing both the $user_email and the $hash
if(match){
Update database and set the `account_activated` column to `YES`
}
else{
//Tell if there was no match then activation failed
//Let the user know that we do not recognise the link they used to try and activate their account.
}
*/
?>
答案 0 :(得分:0)
只要你做了随机性&#34;它似乎足够安全。部分难以猜测。您可以将电子邮件,用户名,密码等放在那里,然后将其与另一个密钥混合起来 - 所有密码都加密 - 这就是我通常所做的事情。
但我建议你使用0/1进行活动/非活动 - 为什么使用字符串,当你可以使用smallint(1)时也这样做 - 并节省一些空间,从而使数据库更轻一点?