Sensitive query string data scrambling

Stacks
Forum Newbie
Posts: 24
Joined: Thu Jun 05, 2008 7:52 pm

Post by Stacks »

I need to scramble a user Id in the query string.

When a user signs up for my website I send them out a verification email. They need to click on a link in their email to verify their email address.

In the email there is a message like this.

```php
$message = "To verify your account please click this " . SITE_URL . "/" . "verify.php?loginId=" . $loginId;
```

Now being a newb I figured I could just md5, sha1 it then reverse md5, and sha1 it.

```php
$message = "To verify your account please click this " . SITE_URL . "/" . "verify.php?loginId=" . md5(sha1($loginId));
```

Now I realize md5 is a hash algorithm and can't be reversed. It can only be used to compare against that hash value.

```php
$login = new Login();
$login->verify($_REQUEST['loginId']);
```

So what kind of function would I use to encrypt it on one side, and decrypt the value when I need to use it?

Or am I going about this verification process completely wrong? Can anyone point me in the right direction?
bian101
Forum Newbie
Posts: 19
Joined: Fri Aug 20, 2010 9:05 am

Re: Sensitive query string data scrambling

Post by bian101 »

Hey have you tried salting it?
PHPHorizons
Forum Contributor
Posts: 175
Joined: Mon Sep 14, 2009 11:38 pm

Re: Sensitive query string data scrambling

Post by PHPHorizons »

Hello Stacks,

Yes you are going about it the wrong way :) You don't need to encrypt any information. The goal here is to put some kind of identification string (a hash) into a link for a user to click on. That id string will be long enough that it would be nearly impossible for someone to guess an id string that is currently live. I.e., those id strings should only be live until used and for most folks, they are going to use those verification links pretty quickly. You should store the id string on your server and put it in the link for the user. When they click the link, simply compare the id string on the server to the one the user submits.

On a side note, never hash a string that has been hashed by something else. md5(sha1('foo')); for instance. You actually make the resulting hash less unique this way. You can use a salt, as the previous poster noted.

Cheers
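
The scheme described in the post above (a random id string stored on the server, put in the link, compared on click, and live only until used), as an added example that is not part of the original posts. The table and function names, the `token` parameter, the 24-hour lifetime, storing a SHA-256 of the token instead of the token itself, and the use of PHP 7.1+ with pdo_sqlite are assumptions of this example.

```php
<?php
// Added example, not code from the thread. Assumed names: table email_verifications,
// functions issueToken()/redeemToken(), query parameter "token".

function issueToken(PDO $db, int $loginId, int $ttl = 86400): string
{
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG, unrelated to the id
    $stmt = $db->prepare(
        'INSERT INTO email_verifications (token_hash, login_id, expires_at) VALUES (?, ?, ?)'
    );
    // Store only a hash of the token, so a leaked table does not expose live links.
    $stmt->execute([hash('sha256', $token), $loginId, time() + $ttl]);
    return $token;
}

function redeemToken(PDO $db, string $token): ?int
{
    if (!preg_match('/\A[0-9a-f]{64}\z/', $token)) {
        return null; // malformed input is rejected before any lookup
    }
    $hash = hash('sha256', $token);
    $stmt = $db->prepare(
        'SELECT login_id FROM email_verifications WHERE token_hash = ? AND expires_at >= ?'
    );
    $stmt->execute([$hash, time()]);
    $loginId = $stmt->fetchColumn();
    if ($loginId === false) {
        return null; // unknown, already used, or expired
    }
    // Single use: only the request whose DELETE removes the row is accepted.
    $del = $db->prepare('DELETE FROM email_verifications WHERE token_hash = ?');
    $del->execute([$hash]);
    return $del->rowCount() === 1 ? (int) $loginId : null;
}

// Constructed demo data: in-memory SQLite, login id 42, placeholder site URL.
const SITE_URL = 'https://example.test';
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE email_verifications (
    token_hash TEXT PRIMARY KEY, login_id INTEGER NOT NULL, expires_at INTEGER NOT NULL)');

$token = issueToken($db, 42);
echo SITE_URL . '/verify.php?token=' . $token, "\n"; // link for the e-mail
var_dump(redeemToken($db, $token));               // first click
var_dump(redeemToken($db, $token));               // same link clicked again
var_dump(redeemToken($db, str_repeat('0', 64))); // guessed token
```

The link carries no user id at all; the login id is looked up from the stored row, so there is nothing in the query string to scramble or decrypt.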
bian101
Forum Newbie
Posts: 19
Joined: Fri Aug 20, 2010 9:05 am

Re: Sensitive query string data scrambling

Post by bian101 »

The only thing I ever hash and salt is a password :) :) Just for information and it might help you? I don't know :D but it's there if you want, you can salt everything if you like...but only the government will do that :D
PHPHorizons
Forum Contributor
Posts: 175
Joined: Mon Sep 14, 2009 11:38 pm

Re: Sensitive query string data scrambling

Post by PHPHorizons »

lol @ bian101

I normally hash potatoes and salt my fries... But that's just me...
bian101
Forum Newbie
Posts: 19
Joined: Fri Aug 20, 2010 9:05 am

Re: Sensitive query string data scrambling

Post by bian101 »

PHPHorizons wrote:
> lol @ bian101
>
> I normally hash potatoes and salt my fries... But that's just me...

You sir, just made my day :) :)
PHPHorizons
Forum Contributor
Posts: 175
Joined: Mon Sep 14, 2009 11:38 pm

Re: Sensitive query string data scrambling

Post by PHPHorizons »

:drunk:
Stacks
Forum Newbie
Posts: 24
Joined: Thu Jun 05, 2008 7:52 pm

Re: Sensitive query string data scrambling

Post by Stacks »

I know I'm late in replying to this but thanks for all the help. =D