如何在 php 中生成安全激活字符串?
用户订阅电子邮件到我的网站后。 我的网站将生成一封电子邮件确认并发送给他们。 在电子邮件内容中,我需要包含激活密钥,例如:
www.domain.com/activate.php?key
=$ generatedKey 如何生成密钥? 使用 sha1($email)??
生成密钥后,我将其存储在数据库中,以便当用户单击链接时我可以使用数据库验证它? 我是新手,请告知..我需要一个电子邮件确认脚本..
After user subscribe email to my website. My website will generate an email confirmation and send to them. In the email content, i need to include activation key, something like:
www.domain.com/activate.php?key=$generatedKey
How do you generate the key? using sha1($email)??
After generate the key, i store it in database, so that when user click the link I can verified it with the database?? I am new to it, please advise.. I need an Email Confirmation script..
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(6)
就我个人而言,我只是使用以下组合:
冲突的可能性很小,但我建议在发送之前先检查您的数据库(使用 UNIQUE 约束是一种简单的方法)。
Personally, just I use a combination of things like:
The chance of collision is small, but I recommend checking your database first before sending it out (using UNIQUE constraints is an easy way).
您基本上有几个选择:
1) 创建一个看似随机的唯一标识符,并将其与对应的用户名存储在数据库中
2) 生成随机密码,并在链接中包含用户 ID 和密码并存储密码在数据库中
3) 使用单向散列函数(md5、sah1 等)和秘密标识符来加密用户标识符。 您不必将加密的用户标识符存储在数据库中。
选项 1 很困难,因为您必须担心检查数据库以查看密钥是否已存在。 不过,该 URL 不包含正在激活的用户名是件好事。
如果您将来已经打算使用某种数据库来存储用户信息(可能至少是密码),则可以选择选项 2。向数据库添加另一列并不需要太多时间。 发送电子邮件时,将用户名和类似 $key = sha1(rand(1, 99999) . $username) 的内容保存在包含用户名的行的另一列中。 然后让您的链接如下所示: http://you.com/activation.php?user=$用户名&key=$key. 在activation.php 中,您检查密钥是否等于数据库中存储的值。
如果您想在数据库中使用更少的存储空间,则选项 3 可行。 您可以使用 $key = sha1($mysecret . $username) 之类的内容作为秘密标识符。 使用只有您知道的奇怪内容 $mysecret,例如“aaafj_my_secret_adfaf”。 使用与选项 2 中相同类型的 URL。但是,由于您可以仅根据 $username 生成 $key,因此不需要存储它。 因此,当您在activation.php中进行处理时,只需检查sha1($mysecret . $_GET[username]) == $_GET[key]是否。 如果是这样,您就知道您拥有正确的用户。 理论上,只要有足够的注册,有人就可以计算出您的 $mysecret 值并生成激活密钥。 然而,您肯定会注意到,在他们开始计算它是什么之前,需要数十亿或更多的注册。 所需的激活次数取决于哈希函数的密钥大小。 使用 sha1(160 位)与 md5(128 位)可以使猜测您的 $mysecret 值变得更加困难。
You basically have a few options:
1) Create a single unique identifier that is seemingly random and store it in your database with which username it corresponds to
2) Generate a random password and include the user id and password in the link and store the password in the database
3) Use a one way hashing function (md5, sah1, etc) and a secret identifier to encrypt the user identifier. You don't have to store the encrypted user identifier in your database.
Option 1 is difficult because you have to worry about checking the database to see if the key already exists. However, it is nice that the URL does not contain the username being activated.
If you are already going to use some sort of database to store the user information (probably a password at minimum) in the future, you could go with option 2. It doesn't take a lot to add another column to your database. When sending the email, save the username and something like $key = sha1(rand(1, 99999) . $username) in another column for the row that contains the username. Then have your link look like this: http://you.com/activation.php?user=$username&key=$key. In activation.php you check to see if the key is equal to the value stored in the database.
If you want to use less storage space in your database, option 3 will work. You can use something like $key = sha1($mysecret . $username) as the secret identifier. Use something odd that only you know as $mysecret such as 'aaafj_my_secret_adfaf'. Use the same type of URL as in option 2. However, because you can generate $key based only on $username, you don't need to store it. So when you are processing in activation.php, just check to see if sha1($mysecret . $_GET[username]) == $_GET[key]. If it does, you know you have the correct user. Theoretically, with enough registrations, someone could figure out your value for $mysecret and generate the activation keys too. However, you would surely notice the billions or more of registrations that it would take before they could begin to calculate what it is. The number of activations required is based on the key size of the hashing function. Use sha1 (160 bit) vs md5 (128 bit) to make it harder to guess your $mysecret value.
如果您将激活字符串存储在数据库中并稍后检查,则根本不需要哈希!
你只需要一个长的、随机的字符串。 你可以随心所欲地生成它,只要让它长一些即可。 事实上,理想情况下它应该与电子邮件或用户名完全无关。
If you're storing the activation string in the database and checking it later, you don't need a hash at all!
You just need a long, random string. You can generate it however you want, just make it long. In fact, it should ideally have nothing at all do do with the email or username.
应该可以,但是您可以通过添加一些盐来改进它,例如:
其他方法只是生成随机密码并通过电子邮件发送。
That should do it, however you can improve it by adding some salt, example:
Other approach is just to generate a random password and send it via email.