
Sensitive query string data scrambling

Posted: Fri Aug 20, 2010 1:37 pm
by Stacks
I need to scramble a user Id in the query string.

When a user signs up for my website I send them out a verification email. They need to click on a link in their email to verify their email address.

In the email there is a message like this.

Code:

$message = "To verify your account please click this " . SITE_URL . "/" . "verify.php?loginId=" .$loginId;
Now being a newb I figured I could just md5, sha1 it then reverse md5, and sha1 it.

Code:

$message = "To verify your account please click this " . SITE_URL . "/" . "verify.php?loginId=" . md5(sha1($loginId));
Now I realize md5 is a hash algorithm and can't be reversed. It can only be used to compare against that hash value.

Code:

$login = new Login();
$login->verify($_REQUEST['loginId']);
So what kind of function would I use to encrypt it on one side, and decrypt the value when I need to use it?

Or am I going about this verification progress completely wrong? Can anyone point me in the right direction?

Re: Sensitive query string data scrambling

Posted: Fri Aug 20, 2010 1:39 pm
by bian101
Hey have you tried salting it?

Re: Sensitive query string data scrambling

Posted: Fri Aug 20, 2010 1:50 pm
by PHPHorizons
Hello Stacks,

Yes you are going about it the wrong way :) You don't need to encrypt any information. The goal here is to put some kind of identification string (a hash) into a link for a user to click on. That id string will be long enough that it would be nearly impossible for someone to guess an id string that is currently live. I.e., those id strings should only be live until used and for most folks, they are going to use those verification links pretty quickly. You should store the id string on your server and put it in the link for the user. When they click the link, simply compare the id string on the server to the one the user submits.

On a side note, never hash a string that has been hashed by something else. md5(sha1('foo')); for instance. You actually make the resulting hash less unique this way. You can use a salt, as the previous poster noted.

Cheers
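
The approach described in the post above (a long random id string stored on the server, live only until used, compared when the link is clicked), as an added example that is not part of the original thread. The table and column names, the `token` query parameter, the `example.test` host, the one-day lifetime, and the choice to store only a SHA-256 digest of the token are assumptions made for this example.

```php
<?php
// Added example: single-use e-mail verification tokens.
// Table name, column names and the one-day lifetime are assumptions.
const TOKEN_TTL = 86400; // seconds a link stays live (assumed value)

function createSchema(PDO $db): void {
    $db->exec('CREATE TABLE email_verification (
        token_hash TEXT PRIMARY KEY,
        login_id   INTEGER NOT NULL,
        expires_at INTEGER NOT NULL)');
}

// Returns the token to put in the link; only its SHA-256 digest is stored.
function issueToken(PDO $db, int $loginId): string {
    $token = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG, hex is URL-safe
    $stmt = $db->prepare('INSERT INTO email_verification VALUES (?, ?, ?)');
    $stmt->execute([hash('sha256', $token), $loginId, time() + TOKEN_TTL]);
    return $token;
}

// Returns the login id the token was issued for, or null if it is
// malformed, unknown, expired or already used.
function redeemToken(PDO $db, string $token): ?int {
    if (!preg_match('/\A[0-9a-f]{64}\z/', $token)) {
        return null; // reject malformed input before touching the database
    }
    $hash = hash('sha256', $token);
    $stmt = $db->prepare('SELECT login_id, expires_at FROM email_verification WHERE token_hash = ?');
    $stmt->execute([$hash]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    // Delete on first use; rowCount() guards against two concurrent clicks.
    $del = $db->prepare('DELETE FROM email_verification WHERE token_hash = ?');
    $del->execute([$hash]);
    if ($del->rowCount() !== 1 || (int) $row['expires_at'] < time()) {
        return null;
    }
    return (int) $row['login_id'];
}

$db = new PDO('sqlite::memory:'); // in-memory database so the demo runs offline
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
createSchema($db);
$token = issueToken($db, 42); // 42 is a constructed login id
echo "https://example.test/verify.php?token=$token\n";
var_dump(redeemToken($db, $token));              // first click on the link
var_dump(redeemToken($db, $token));              // same link clicked again
var_dump(redeemToken($db, str_repeat('0', 64))); // token that was never issued
```

Because the link carries only the random token, the login id never appears in the query string, and a read of the table does not reveal usable links since only digests are stored.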

Re: Sensitive query string data scrambling

Posted: Fri Aug 20, 2010 1:53 pm
by bian101
The only thing I ever hash and salt is a password :) :) Just for information and it might help you? I don't know :D but it's there if you want, you can salt everything if you like...but only the government will do that :D

Re: Sensitive query string data scrambling

Posted: Fri Aug 20, 2010 2:00 pm
by PHPHorizons
lol @ bian101

I normally hash potatoes and salt my fries... But that's just me...

Re: Sensitive query string data scrambling

Posted: Fri Aug 20, 2010 2:08 pm
by bian101
PHPHorizons wrote: lol @ bian101

I normally hash potatoes and salt my fries... But that's just me...
You sir, just made my day :) :)

Re: Sensitive query string data scrambling

Posted: Fri Aug 20, 2010 2:12 pm
by PHPHorizons
:drunk:

Re: Sensitive query string data scrambling

Posted: Tue Sep 14, 2010 2:26 pm
by Stacks
I know I'm late in replying to this but thanks for all the help. =D