Home/ Questions/Q 6197847
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-24T03:53:40+00:00

So right now when a user registers, their password is hashed and stored, their

  • 0

So right now when a user registers, their password is hashed and stored, their id is stored as a primary key and the cell in the field email_activation is enumerated to ‘no’ by default. They are then sent an email where their account can be activated by clicking on the below link.

http://website.com/activation.php?id=1&pass=23a000e03e9116c958dh923542

After clicking on the link the following script runs

$id= $_GET['id'];
$hashPass= $_GET['pass'];

mysql_query("UPDATE members SET email_activation='yes' WHERE members_id='$id' AND members_password='$hashPass'")

Does this seem like a safe way to activate someone’s account considering their hashed pass is part of the URL (assuming proper sanitation of strings, etc…)?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    There’s no need to put the password, hashed or not, in the link (and no, you shouldn’t do that).

    Store a different random value in addition to the password in your database, and then put that random value in the link. (See: http://en.wikipedia.org/wiki/Cryptographic_nonce)

    Since the random activation value will only be used once (and isn’t something that can grant normal access to the account), it’s fine to put it in a URL.

    • 0