
md5 hash for double opt-in: missing something?

hi all,

I have made a script to register contacts in a database with the double
opt-in system.

Anyway, when looking for some examples, I have found the following
script which uses an md5 hash code to append to the confirm url sent by
email to the registering user.
I tried it but with no results. Don't you think it is missing anything?
How could it work without storing the hash code for the user in a
database?
To confirm a registration I think the script should look if the access
key matches the one it already knows, shouldn't it?

Anyway I have no problem to insert the hash code into the database,
it's just I want to know if I am right to believe the following script
was wrong.

tia

johnny
here's the code

<?
/* Simple email validation by TDavid at http://www.tdscripts.com/
for http://www.php-scripts.com/php_diary/011103.php3
If you use this code then please do not remove this header
*/

$from = $_REQUEST['e_addy'];

// is the $from email address in valid format?
if(eregi("([[:alnum:]\.\-]+)(\@[[:alnum:]\.\-]+\.+)", $from)) {

// create the MD5 hash
$secret_code = 'secret';
$formatted_email = preg_replace("/(-|\@|\.)/", "", $from);
$hashed = md5("$secret_code $formatted_email");

// wait, are we verifying the email?
if($_REQUEST['m'] != "") {
// this is validation routine
if($hashed == $_REQUEST['m']) {
print("Congrats, you have successfully validated your email address. This is just a test and your email address has <b>not</b> been saved.");
// add the email to your double opt-in list here
exit;
} else {
print("Sorry, this email does not validate");
}
} else {
// since we aren't validating then it is time to send out validation mail

$mail_body = "To validate this email click the following link:\nhttp://www.php-scripts.com/php_diary/example37.php?e_addy=$from&m=$hashed";

mail($from, "Validation Email", $mail_body, "From: ex*******@php-scripts.com\n");
print("Please check your email <b>$from</b> for the test validation message");
}
} else {
print("Sorry, this email address: <b>$from</b> doesn't seem to be in the right format.");
}
?>

Jan 21 '06 #1
2 Replies



johnny wrote:
hi all,

I have made a script to register contacts in a database with the double
opt-in system.

Anyway, when looking for some examples, I have found the following
script which uses an md5 hash code to append to the confirm url sent by
email to the registering user.
I tried it but with no results. Don't you think it is missing anything?
How could it work without storing the hash code for the user in a
database?
To confirm a registration I think the script should look if the access
key matches the one it already knows, shouldn't it?

Anyway I have no problem to insert the hash code into the database,
it's just I want to know if I am right to believe the following script
was wrong.

tia

johnny


He doesn't need to store it in the database because the hash is just a
function of the email address and the "secret" which, in your code, is
hardcoded to "secret". In other words, the md5 hash being passed in
the URL is, more or less, just the hash of the email address. So if
they match, the script validates it.

Not all that strong, in my opinion. When I do this sort of thing, I'll
generate a random hash (not based on the email address or any other
value) then store it in the database. You can come up with a
reasonably random (hard to guess) hash like this:

$myHash = md5(uniqid(rand(), true));

That could then be stored in the database and compared to the hash
passed in the URL.

Jan 21 '06 #2
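An added example (not code from the thread or from TDavid's script) showing, in current PHP, both token designs discussed in the question and in this reply: the stateless token derived from the address and a server secret (the found script's idea, done with hash_hmac instead of md5 of a guessable secret) and the stored random token this reply recommends, with expiry, single use and a constant-time comparison. The function names, the in-memory $store array standing in for the database, and the secret value are assumptions for the demo.

```php
<?php
// Stateless design: the token is a keyed hash of the normalized address, so
// nothing has to be stored; anyone who learns the secret can forge tokens and
// a token never expires, which is the trade-off the reply points out.
const SERVER_SECRET = 'replace-with-a-long-random-secret'; // placeholder value

function stateless_token(string $email): string {
    $normalized = strtolower(trim($email));
    return hash_hmac('sha256', $normalized, SERVER_SECRET);
}

function stateless_confirm(string $email, string $token): bool {
    // hash_equals avoids leaking how many leading bytes matched
    return hash_equals(stateless_token($email), $token);
}

// Stored design: a random token is saved per registration and looked up on
// confirmation. $store is an assumed stand-in for a database table keyed by
// email address.
function stored_register(array &$store, string $email): string {
    $token = bin2hex(random_bytes(16)); // 128 random bits, not derived from anything
    $store[$email] = ['token' => $token, 'confirmed' => false,
                      'expires' => time() + 86400]; // link valid for one day
    return $token;
}

function stored_confirm(array &$store, string $email, string $token): bool {
    if (!isset($store[$email]) || $store[$email]['confirmed']) {
        return false; // unknown address, or link already used
    }
    if (time() > $store[$email]['expires']) {
        return false; // expired link
    }
    if (!hash_equals($store[$email]['token'], $token)) {
        return false; // token does not match the stored one
    }
    $store[$email]['confirmed'] = true; // single use: replaying the link fails
    return true;
}

// Demo with a constructed address.
$email = 'user@example.com';
$t1 = stateless_token($email);
echo 'stateless, right address: ', var_export(stateless_confirm($email, $t1), true), "\n";
echo 'stateless, other address: ', var_export(stateless_confirm('other@example.com', $t1), true), "\n";

$db = [];
$t2 = stored_register($db, $email);
echo 'stored, first use:  ', var_export(stored_confirm($db, $email, $t2), true), "\n";
echo 'stored, replayed:   ', var_export(stored_confirm($db, $email, $t2), true), "\n";
```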


"johnny" <mr********@yahoo.com> wrote in message
news:11**********************@g49g2000cwa.googlegroups.com...
hi all,

I have made a script to register contacts in a database with the double
opt-in system.

Anyway, when looking for some examples, I have found the following
script which uses an md5 hash code to append to the confirm url sent by
email to the registering user.
I tried it but with no results. Don't you think it is missing anything?
How could it work without storing the hash code for the user in a
database?
To confirm a registration I think the script should look if the access
key matches the one it already knows, shouldn't it?

Anyway I have no problem to insert the hash code into the database,
it's just I want to know if I am right to believe the following script
was wrong.

tia

johnny
here's the code

<?
/* Simple email validation by TDavid at http://www.tdscripts.com/
for http://www.php-scripts.com/php_diary/011103.php3
If you use this code then please do not remove this header
*/

$from = $_REQUEST['e_addy'];

// is the $from email address in valid format?
if(eregi("([[:alnum:]\.\-]+)(\@[[:alnum:]\.\-]+\.+)", $from)) {

eregi will (because it's POSIX extended) not use the \ as an escape but rather
treat it as a literal \ character. [:alnum:] will work though. \ in a POSIX
character class loses its significance (as I've recently learned). So strip
those out of the character classes. It should be
if(eregi("([[:alnum:].-]+)(\@[[:alnum:].-]+\.+)", $from)) {

<?php if(eregi("[[:alnum:]]","z")) echo 1; else echo 0; ?>
1
<?php if(eregi("[\.\-]+","\\")) echo 1; else echo 0; ?>
1
maybe they were looking for preg_match instead.
<?php print preg_match("/[\.]/","\\") . "\n" . preg_match("/[.]/","z"); ?>
0
0
<?php print preg_match("/[\.]/","."); ?>
1

I dunno - looks like the validation thing might work. Might need an <a
href=""></a> in the link and send the mail as HTML email though.

// create the MD5 hash
$secret_code = 'secret';
$formatted_email = preg_replace("/(-|\@|\.)/", "", $from);
$hashed = md5("$secret_code $formatted_email");

// wait, are we verifying the email?
if($_REQUEST['m'] != "") {
// this is validation routine
if($hashed == $_REQUEST['m']) {
print("Congrats, you have successfully validated your email address. This is just a test and your email address has <b>not</b> been saved.");
// add the email to your double opt-in list here
exit;
} else {
print("Sorry, this email does not validate");
}
} else {
// since we aren't validating then it is time to send out validation mail

$mail_body = "To validate this email click the following link:\nhttp://www.php-scripts.com/php_diary/example37.php?e_addy=$from&m=$hashed";

mail($from, "Validation Email", $mail_body, "From: ex*******@php-scripts.com\n");
print("Please check your email <b>$from</b> for the test validation message");
}
} else {
print("Sorry, this email address: <b>$from</b> doesn't seem to be in the right format.");
}
?>

Feb 16 '06 #3
