So I’m writing a simple user system where I want users to verify their email address (like pretty much every other site). What do you think is the best way to generate this string that would then be used to verify a user?
At first I thought I would just use uniqid(), but as I am thinking more about it, what type of security concerns should I keep in mind?
PS. I am using PDO w/ prepare (MySQL); what other sanitizing should I be doing with my db operations?
You want to be able to generate a string that’s sufficiently hard to reproduce externally. For instance, a simple SHA1 hash of the user’s email address would be easy to replicate and wouldn’t be suitable.
Due to the way a hashing function works, though, you could always spike in a “secret” and it would work well enough. For instance, generate a long random string constant that’s used for this purpose and append that to the user’s email address, then hash it. You can also generate random strings as verification tokens.
Whatever method you use, be sure to record the verification token you sent to the user in a column of their record, and index your table on this column so retrieval time is quick. Later you’ll be doing this:
If you can find an entry matching that token you know it’s a valid user and they can be flagged as verified.
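The random-token approach from the answer above, worked end to end as an added example (not code from the original thread). It assumes an in-memory SQLite database standing in for MySQL so it runs offline; the `users` table, its column names and the function names are hypothetical.

```php
<?php
declare(strict_types=1);

// Assumption: in-memory SQLite stands in for the MySQL database from the question.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Hypothetical schema; the index on verify_token keeps the lookup fast.
$pdo->exec('CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    email TEXT NOT NULL UNIQUE,
    verify_token TEXT,
    verified INTEGER NOT NULL DEFAULT 0
)');
$pdo->exec('CREATE UNIQUE INDEX idx_users_verify_token ON users (verify_token)');

// Register a user and return the token to embed in the verification link.
function registerUser(PDO $pdo, string $email): string
{
    // 32 bytes from the OS CSPRNG, hex-encoded to 64 URL-safe characters.
    // uniqid() is derived from the current time, so it is predictable; this is not.
    $token = bin2hex(random_bytes(32));
    $stmt = $pdo->prepare('INSERT INTO users (email, verify_token) VALUES (:email, :token)');
    $stmt->execute([':email' => $email, ':token' => $token]);
    return $token;
}

// Flag the matching user as verified and clear the token so it works only once.
function verifyToken(PDO $pdo, string $token): bool
{
    // Reject anything that is not exactly 64 lowercase hex characters.
    if (preg_match('/\A[0-9a-f]{64}\z/', $token) !== 1) {
        return false;
    }
    $stmt = $pdo->prepare(
        'UPDATE users SET verified = 1, verify_token = NULL
         WHERE verify_token = :token AND verified = 0'
    );
    $stmt->execute([':token' => $token]);
    return $stmt->rowCount() === 1;
}

// Constructed sample data.
$token = registerUser($pdo, 'alice@example.test');
var_dump(verifyToken($pdo, $token));              // first use of the issued token
var_dump(verifyToken($pdo, $token));              // replay of the same token
var_dump(verifyToken($pdo, str_repeat('0', 64))); // well-formed but never issued
```

Both statements go through PDO prepared statements, so the token from the URL is never concatenated into SQL.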