PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.
 
All times are UTC - 5 hours




PostPosted: Wed Dec 13, 2017 1:25 pm 
Forum Contributor

Joined: Wed Jan 18, 2017 4:43 pm
Posts: 197
I want to know if BigInt is enough in size. I have created a registration.php where the user gets emailed an account activation link to click to verify his email so his account gets activated.

Account Activation Link is in this format:
$account_activation_link =
"http://www.".$site_domain."/".$social_network_name."/activate_account.php?primary_website_email=".$primary_website_email."&account_activation_code=".$account_activation_code."";


Account Activation Code is in this format:

$account_activation_code = sha1( (string) mt_rand(5, 30)); //Type cast the INT to STRING because sha1()'s first parameter needs to be a STRING.

Now, the following link got emailed: http://www.myssite.com/folder/activate_account.php?primary_website_email=my.email@gmail.com&account_activation_code=22d200f8670dbdb3e253a90eee5098477c95c23d

Note the account activation code that got generated by sha1: 22d200f8670dbdb3e253a90eee5098477c95c23d

But in my mysql db, in the "account_activation_code" column, I only see: "22". The rest of the activation code is missing. Why is that ? The column is set to BigInt. Isn't that enough to house the sha1-generated code ? What is your suggestion ?
I changed mysql column type to VARCHAR(40) and then VARCHAR(160) and even to BINARY(40) but no luck.
The sha1 generates the account activation code as 40 digits in the account activation link that gets emailed to the user, but the account_activation_code mysql column does not hold that 40-digit value. It only holds the first 2 or 3 digits. What is wrong ?
Using php 5.

Here are the full scripts, registration.php and activate_account.php.

registration.php.
<?php

/*
ERROR HANDLING
*/


declare(strict_types=1);
ini_set('display_errors', '1');
ini_set('display_startup_errors', '1');
error_reporting(E_ALL);
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

include 'config.php';

//Step 1: Check if User is already logged-in or not. If logged-in then do not register a 2nd account.
if (is_logged() === true) {
        die("You are already logged-in to your account! No need to register again for another account! Only one account per user.");
}

//Perform following actions after REGISTER button is clicked.
if ($_SERVER['REQUEST_METHOD'] == "POST")
{
//Step 2: Check user submitted details.
       
        //2A. Check whether user made all the required inputs or not.
        if (isset($_POST['agree_to_tos']) &&
           isset($_POST["username"]) &&
           isset($_POST["password"]) &&
           isset($_POST["password_confirmation"]) &&
           isset($_POST["primary_website_domain"]) &&
           isset($_POST["primary_website_email_account"]) &&
           isset($_POST["primary_website_email_account_confirmation"]) &&
           isset($_POST["primary_website_email_domain"]) &&
           isset($_POST["primary_website_email_domain_confirmation"]) &&
           isset($_POST["first_name"]) &&
           isset($_POST["middle_name"]) &&
           isset($_POST["surname"]) &&
           isset($_POST["gender"]) &&
           isset($_POST["working_status"]))
        {          
                //2B. Create variables based on user inputs.
                $agree_to_tos = trim($_POST['agree_to_tos']);
                $username = trim($_POST["username"]);
                $password = $_POST["password"];
                $password_confirmation = $_POST["password_confirmation"];              
                $primary_website_domain = trim($_POST["primary_website_domain"]);              
                $primary_website_email_account = trim($_POST["primary_website_email_account"]);
        $primary_website_email_account_confirmation = trim($_POST["primary_website_email_account_confirmation"]);
                $primary_website_email_domain = trim($_POST["primary_website_email_domain"]);
        $primary_website_email_domain_confirmation = trim($_POST["primary_website_email_domain_confirmation"]);
                //Combine Primary Website Email Account and Primary Website Email Domain to form Primary Email.
                $primary_website_email = "$primary_website_email_account"."@"."$primary_website_email_domain";         
        $first_name     = trim($_POST["first_name"]);
                $middle_name = trim($_POST["middle_name"]);
        $surname = trim($_POST["surname"]);
                $gender = $_POST["gender"];
                $working_status = $_POST["working_status"];
                $account_activation_code = sha1( (string) mt_rand(5, 30)); //Type cast the INT to STRING because sha1()'s first parameter needs to be a STRING.
                $account_activation_link = "http://www.".$site_domain."/".$social_network_name."/activate_account.php?primary_website_email=".$primary_website_email."&account_activation_code=".$account_activation_code."";
                $account_activation_status = 0; // 1 = Active or Account Activated; 0 = Active or Pending Registration.
        $hashed_password = password_hash($password, PASSWORD_DEFAULT); //Encrypt the password.
       
                //2C. Check whether user inputs valid or not.
               
                // Check if inputted Username is between the required 8 to 30 characters long or not.
               
                if ($agree_to_tos != 'yes') {
                        echo "You must agree to our Terms & Conditions!<br>";
                        echo "Click the BACK button on your browser and try again!";
                        exit();
            } elseif (strlen($username) < 8 || strlen($username) > 30) {
                        echo "Username must be between 8 to 30 characters long!<br>";
                        echo "Click the BACK button on your browser and try again!";
                        exit();
                // Check if Password is between 8 to 30 characters long or not.
                } elseif (strlen($password) < 8 || strlen($password) > 30) {
                        echo "Password must be between 8 to 30 characters long!<br>";
                        echo "Click the BACK button on your browser and try again!";
                        exit();
                // Check if inputed Email is valid or not.
                } elseif (!filter_var($primary_website_email, FILTER_VALIDATE_EMAIL)) {
                        echo "Invalid Email! Insert your real Email in order for us to email you your account activation details.<br>";
                        echo "Click the BACK button on your browser and try again!";
                        exit();
                // Check if both inputted Passwords match or not.
                } elseif ($password != $password_confirmation) {
                        echo "Your inputted Passwords don't match<br>";
                        echo "Click the BACK button on your browser and try again!";
                        exit();                
                // Check if both inputted Email Account match or not.
                } elseif ($primary_website_email_account != $primary_website_email_account_confirmation) {
                        echo "Your inputted Email Accounts don't match!<br>";
                        echo "Click the BACK button on your browser and try again!";
                        exit();
                // Check if both inputted Email Domain match or not.
                } elseif ($primary_website_email_domain != $primary_website_email_domain_confirmation) {
                        echo "Your inputted Email Domains don't match!<br>";
                        echo "Click the BACK button on your browser and try again!";
                        exit();
                // Check if both inputted Primary Website Email and Primary Website Domain match or not.
                } elseif ($primary_website_email_domain != $primary_website_domain) {
                        echo "Your Primary Website Domain ($primary_website_domain) and Primary Website Email's Domain (@$primary_website_email_domain) don't match!<br>";
                        echo "NOTE: Your inputted Email Address must belong to your Primary Website Domain \"$primary_website_domain\".<br>";
                        echo "Click the BACK button on your browser and try again!<br>";
                        exit();
                }
                else
                {
                        //2D. Check user inputs against DB.
                       
                        //Select Username, Primary Domain and Primary Domain Email to check against Mysql DB if they are already registered or not.
                        $stmt = mysqli_prepare($conn, "SELECT username, primary_website_domain, primary_website_email FROM users WHERE username = ? OR primary_website_domain = ? OR primary_website_email = ?");
                        mysqli_stmt_bind_param($stmt, 'sss', $username, $primary_website_domain, $primary_website_email);
                        mysqli_stmt_execute($stmt);
                        mysqli_stmt_bind_result($stmt, $db_username, $db_primary_website_domain, $db_primary_website_email);
                        //mysqli_stmt_fetch() fills the bound variables and returns TRUE when a row was found; there is no result array to index.
                        $row_found = mysqli_stmt_fetch($stmt);
                        mysqli_stmt_close($stmt); //Release this statement before preparing the next one.
       
                        // Check if inputted Primary Website Domain Name is already registered or not.
                        if ($row_found && $db_primary_website_domain == $primary_website_domain) {
                                echo "That domain name $primary_website_domain is already registered.<br>";
                                exit();
                        //Check if inputted Username is already registered or not.
                        } elseif ($row_found && $db_username == $username) {
                                echo "That username $username is already registered!<br>";
                                echo "Click the BACK button on your browser and try again!";
                                exit();
                        // Check if inputted Email is already registered or not.
                        } elseif ($row_found && $db_primary_website_email == $primary_website_email) {
                                echo "That email $primary_website_email is already registered.<br>";
                                exit();
                        }
                        else
                        {
//Step 3: Insert user's inputs into DB.

                //Step 3A. Insert user's inputs into DB using php's sql injection prevention method "Prepared Statements".
                                $stmt = mysqli_prepare($conn, "INSERT INTO users(username, password, primary_website_domain, primary_website_email, first_name, middle_name, surname, gender, working_status, account_activation_status, account_activation_code) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)");
                                mysqli_stmt_bind_param($stmt, 'ssssssssssi', $username, $hashed_password, $primary_website_domain, $primary_website_email, $first_name, $middle_name, $surname, $gender, $working_status, $account_activation_status, $account_activation_code);
                                mysqli_stmt_execute($stmt);
                       
                                //Step 3B. Check whether user's registration data was successfully submitted or not.
                                if (!$stmt)
                                {
                                        echo "Sorry! Our system is currently experiencing a problem registering your account! You may try registering some other time.";
                                        exit();
                                }
                                else
                                {
                                        $account_name = "$username";
                                        //Step 3C. Email user their account activation link for them to click to confirm their Email Address and activate their new Account.

                                        $headers  = "From: " . $site_admin_email . "\r\n";
                                        //More headers (appended, so the From header is kept)
                                        //Always set content-type when sending HTML email
                                        $headers .= "MIME-Version: 1.0" . "\r\n";
                                        $headers .= "Content-type:text/html;charset=UTF-8" . "\r\n";
                                       
                                        $to = "$primary_website_email";
                                        $subject = "Your SN account activation details!";
                                        $body  = "".$first_name." ".$surname.",
                                        <html>
                                        <head>
                                        <title>Activation Link</title>
                                        </head>
                                        <body>
                                        You need to click on the following link <a href=\"".$account_activation_link."\">".$account_activation_link."</a> to activate your account.
                                        </body>
                                        </html>";
                                       
                                        if (!mail($to,$subject,$body,$headers))
                                        {
                                                //Alert user System Error. System unable to email the Account Activation Link.
                                                echo "Sorry! We have failed to email you your account activation details. Please contact the website administrator!";
                                                exit();
                                        }
                                        else
                                        {
                                                //Alert user System Success. System was able to email the Account Activation Link.
                                                echo "<h3 style='text-align:center'>Thank you for your registration!</h3><br>";
                                                echo "Now, check your email \"$primary_website_email\" for details on how to activate your new account \"$account_name\" which you just registered.";
                                                exit();
                                        }
                                }
                        }
                }
        }
}

?>

<!DOCTYPE html>
<html>
        <head>
                <title><?php echo $social_network_name; ?> Signup Page</title>
        </head>
<body>
<div class ="container">

<?php
// Error Messages.
if (isset($_SESSION['error']) && !empty($_SESSION['error'])) {
        echo '<p style="color:red;">'.$_SESSION['error'].'</p>';
}
?>

<?php
//Session Messages.
if (isset($_SESSION['message']) && !empty($_SESSION['message'])) {
        echo '<p style="color:red;">'.$_SESSION['message'].'</p>';
}
?>

<?php
//Clear Registration Session.
function clear_registration_session()
        {
                //Clear the User Form inputs, Session Messages and Session Errors so they can no longer be used.
                unset($_SESSION['message']);
                unset($_SESSION['error']);
                unset($_POST);
                exit();
        }
?>

<p align="left"><font color="red" size="3"><b>Already have an account ? </b><a href="login.php">Login here!</a></font></p>
<form method="post" action="">
        <p align="left"><h2>Signup Form</h2></p>
        <fieldset>
        <div class="form-group">
                <p align="left"><label>* Username:</label>
                <input type="text" placeholder="Enter a unique Username" name="username" required value="<?php if(isset($_POST['username'])) { echo htmlentities($_POST['username']); }?>"></p>
        </div>
        <div class="form-group">
                <p align="left"><label>* Password:</label>
                <input type="password" placeholder="Enter a new Password" name="password" required></p>
        </div>
        <div class="form-group">
                <p align="left"><label>* Repeat Password:</label>
                <input type="password" placeholder="Repeat a new Password" name="password_confirmation" required></p>
        </div>
        <div class="form-group">
                <p align="left"><label>* Primary Website Domain:</label>
                <input type="text" placeholder="Enter your Primary Website Domain" name="primary_website_domain" required value="<?php if(isset($_POST['primary_website_domain'])) { echo htmlentities($_POST['primary_website_domain']); }?>">
        <font color="red" size="1"><b> Don't have a Domain ? </b><a href="domain_register.php">Register one here!</a></font></p>
        </div>
        <div class="form-group">
                <p align="left"><label>* Email Account:</label>
                <input type="text" placeholder="Enter your Email Account name (first part before @)" name="primary_website_email_account" required value="<?php if(isset($_POST['primary_website_email_account'])) { echo htmlentities($_POST['primary_website_email_account']); }?>"></p>
        </div>
        <div class="form-group">
                <p align="left"><label>* Repeat Email Account:</label>
                <input type="text" placeholder="Repeat your Email Account name (first part before @)" name="primary_website_email_account_confirmation" required value="<?php if(isset($_POST['primary_website_email_account_confirmation'])) { echo htmlentities($_POST['primary_website_email_account_confirmation']); }?>"></p>
        </div>
        <div class="form-group">
                <p align="left"><label>* Email Address Domain:</label>
                <input type="text" placeholder="Enter your Email Account Domain (last part after @)" name="primary_website_email_domain" required value="<?php if(isset($_POST['primary_website_email_domain'])) { echo htmlentities($_POST['primary_website_email_domain']); }?>"></p>
        </div>
        <div class="form-group">
                <p align="left"><label>* Repeat Email Address Domain:</label>
                <input type="text" placeholder="Repeat your Email Account Domain (last part after @)" name="primary_website_email_domain_confirmation" required value="<?php if(isset($_POST['primary_website_email_domain_confirmation'])) { echo htmlentities($_POST['primary_website_email_domain_confirmation']); }?>"></p>
        </div>
        <div class="form-group">
                <p align="left"><label>* First Name:</label>
                <input type="text" placeholder="Enter your First Name" name="first_name" required value="<?php if(isset($_POST['first_name'])) { echo htmlentities($_POST['first_name']); }?>"></p>
        </div>
        <div class="form-group">
                <p align="left"><label>Middle Name:</label>
                <input type="text" placeholder="Enter your Middle Name" name="middle_name" required value="<?php if(isset($_POST['middle_name'])) { echo htmlentities($_POST['middle_name']); }?>"></p>
        </div>
        <div class="form-group">
                <p align="left"><label>* Surname:</label>
                <input type="text" placeholder="Enter your Surname" name="surname" required value="<?php if(isset($_POST['surname'])) { echo htmlentities($_POST['surname']); }?>"></p>
        </div>
        <div class="form-group">
                <p align="left"><label>* Gender:</label>
                <input type="radio" name="gender" value="Male" <?php if(isset($_POST['gender']) && $_POST['gender'] === 'Male') { echo 'checked'; }?> required>Male<input type="radio" name="gender" value="Female" <?php if(isset($_POST['gender']) && $_POST['gender'] === 'Female') { echo 'checked'; }?> required>Female</p>
        </div>
        <div class="form-group">
                <p align="left"><label>* Working Status:</label>
                <input type="radio" name="working_status" value="Selfemployed" <?php if(isset($_POST['working_status']) && $_POST['working_status'] === 'Selfemployed') { echo 'checked'; }?> required>Selfemployed<input type="radio" name="working_status" value="Employed" <?php if(isset($_POST['working_status']) && $_POST['working_status'] === 'Employed') { echo 'checked'; }?> required>Employed<input type="radio" name="working_status" value="Unemployed" <?php if(isset($_POST['working_status']) && $_POST['working_status'] === 'Unemployed') { echo 'checked'; }?> required>Unemployed</p>
        </div>
        <div class="form-group">
                <p align="left"><label>* Agree to Terms & Conditions ?:</label>
                <input type="radio" name="agree_to_tos" value="yes" <?php if(isset($_POST['agree_to_tos']) && $_POST['agree_to_tos'] === 'yes') { echo 'checked'; }?> required>Yes
                <input type="radio" name="agree_to_tos" value="no" <?php if(isset($_POST['agree_to_tos']) && $_POST['agree_to_tos'] === 'no') { echo 'checked'; }?> required>No</p>
        </div>
        </fieldset>
                <p align="left"><button type="submit" class="btn btn-default" name="submit">Register!</button></p>
</form>
        <p align="left"><font color="red" size="3"><b>Already have an account ? </b><a href="login.php">Login here!</a></font></p>
</body>
</html>
 


activate_account.php
<?php

/*
ERROR HANDLING
*/

declare(strict_types=1);
ini_set('display_errors', '1');
ini_set('display_startup_errors', '1');
error_reporting(E_ALL);
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

include 'config.php';

//Step 1: Check whether URL is in the GET Method or not.

//Perform following actions if the Url does not contain both the user Email and the Account Activation Code.
if (!isset($_GET["primary_website_email"], $_GET["account_activation_code"]))
{
        //Give user alert the Account Activation Link is Invalid.
        echo "Invalid Account Activation Link! Try registering for an account if you do not already have one! <a href=\"http://myssite.com/sn/register.php\">Register here!</a>";
        exit();
}
else
{
//Step 2: Check user submitted details.
       
        //2A. Check user inputs against DB.                    
        //Select Username, Primary Domain and Primary Domain Email to check against DB if they are pending registration or not.
        $stmt = mysqli_prepare($conn, "SELECT username, account_activation_status FROM users WHERE primary_website_email = ? AND account_activation_code = ?");
        mysqli_stmt_bind_param($stmt, 'si', $_GET["primary_website_email"],  $_GET["account_activation_code"]);
        mysqli_stmt_bind_result($stmt, $username, $account_activation_status);

        //Perform following if Account Activation Link was valid (Correctly had the registered email and Account Activation Code associated with it).
        if (mysqli_stmt_execute($stmt) && mysqli_stmt_fetch($stmt))
        {
                //Perform following if Account Activation Status is not on "0" (Account Activation Pending) on DB.
                if ($account_activation_status != 0)
                {
                        //Give user alert Account already activated.
                        echo "Since your account is already activated, why are you trying to activate it again ? Do not do that again and just login from <a href=\"login.php\">this webpage</a> next time! Make a note of that webpage, ok ?";
                        exit;
                }
                else
                {
                        //Set Account Activation Status to 1 (1 = "Account Activated" and 0 = "Activation Pending") on DB.
                        $account_activation_status = 1;
                        $stmt = mysqli_prepare($conn, "UPDATE users SET account_activation_status = ? WHERE username = ?");
                        mysqli_stmt_bind_param($stmt, 'is', $account_activation_status, $username);
                        if (mysqli_stmt_execute($stmt))
                        {
                                //Give user alert Account has now been activated.
                                echo "<h3 style='text-align:center'>Thank you for confirming your email \"$primary_website_email\" and activating your account $username.<br /> Redirecting you to the login page ...</h3>";
                                exit;
                        }
                }
        }
        else
        {
                //Perform following if Primary Website Email and/or Account Activation Code is not Pending Registration.
                $primary_website_email = htmlspecialchars($_GET['primary_website_email']);
                $account_activation_code = htmlspecialchars($_GET['account_activation_code']);
               
                //Give user alert the Email Address and/or the Account Activation Code in the Account Activation Link is Invalid or the Account Activation Link is out of date (Email no longer registered).
                echo "Either this Email Address $primary_website_email was not pending registration with this Account Activation Code $account_activation_code or one or both of them are invalid! Or, the Account Activation Link is out of date (Email no longer registered).
                Try registering an account if you have not already done so! <a href=\"http://myssite.com/sn/register.php\">Register here!</a>";
                exit;
        }
}

 


Thank You


Last edited by UniqueIdeaMan on Wed Dec 20, 2017 5:03 am, edited 2 times in total.

PostPosted: Wed Dec 13, 2017 4:57 pm 
Spammer :|

Joined: Wed Oct 15, 2008 2:35 am
Posts: 6617
Location: WA, USA
Does "22d200f8670dbdb3e253a90eee5098477c95c23d" look like an integer to you? A number? It doesn't look like a number to me, but then again I might have more common sense than you do so who knows.

So you changed the type of column to a VARCHAR(40). Good. You at least know how to count. But are you saying you expect the "22" from the BIGINT to magically become "22d200f8670dbdb3e253a90eee5098477c95c23d" as a VARCHAR? Why? You stored the number 22. That's all you have to work with. You did get the right column type but now you have to regenerate and store new activation codes because what you've managed to store is useless.

Speaking of, this

$account_activation_code = sha1( (string) mt_rand(5, 30));

is stupid. Do you know what mt_rand(5,30) does? It picks a random number between 5 and 30. That's 26 possible values it can pick. If you sha1() it then you will end up with 26 possible values for an activation code. Twenty. Six. Does that sound like a value that will be hard to guess? It doesn't sound like it to me. Do you understand the purpose of the activation code? It's supposed to be a value that people cannot guess so they have to check their email or whatever to find out what it is.


PostPosted: Wed Dec 13, 2017 6:42 pm 
Site Administrator

Joined: Wed Aug 25, 2004 7:54 pm
Posts: 13564
Location: New York, NY, US
"Twenty. Six." :drunk:



PostPosted: Thu Dec 14, 2017 7:26 pm 
Moderator

Joined: Tue Nov 09, 2010 3:39 pm
Posts: 6424
Location: Montreal, Canada
I'll just leave this here



PostPosted: Sun Dec 17, 2017 11:09 am 
Forum Contributor

Joined: Wed Jan 18, 2017 4:43 pm
Posts: 197
requinix wrote:
Does "22d200f8670dbdb3e253a90eee5098477c95c23d" look like an integer to you? A number? It doesn't look like a number to me, but then again I might have more common sense than you do so who knows.

So you changed the type of column to a VARCHAR(40). Good. You at least know how to count. But are you saying you expect the "22" from the BIGINT to magically become "22d200f8670dbdb3e253a90eee5098477c95c23d" as a VARCHAR? Why? You stored the number 22. That's all you have to work with. You did get the right column type but now you have to regenerate and store new activation codes because what you've managed to store is useless.

Speaking of, this

$account_activation_code = sha1( (string) mt_rand(5, 30));

is stupid. Do you know what mt_rand(5,30) does? It picks a random number between 5 and 30. That's 26 possible values it can pick. If you sha1() it then you will end up with 26 possible values for an activation code. Twenty. Six. Does that sound like a value that will be hard to guess? It doesn't sound like it to me. Do you understand the purpose of the activation code? It's supposed to be a value that people cannot guess so they have to check their email or whatever to find out what it is.


That sha1 was worked on by another. Not me. I hardly know anything about sha1. These things confuse me. Best you ask him why he limited it to 26 numbers from 1-35.
Saying all this, thanks for pointing this error out. So, what should be the limit then ?

$account_activation_code = sha1( (string) mt_rand(1, 9999999));

The above I am going for. Is that good looking on your end ? Or, maybe I go for 6bn for the 6bn head count in the world ?
Actually, I might as well ask you, what is the limit for sha1 ? Might as well make that the limit.


PostPosted: Mon Dec 18, 2017 3:10 pm 
Site Administrator

Joined: Wed Aug 25, 2004 7:54 pm
Posts: 13564
Location: New York, NY, US
UniqueIdeaMan wrote:
So, what should be the limit then ?

$account_activation_code = sha1( (string) mt_rand(1, 9999999));

The above I am going for. Is that good looking on your end ? Or, maybe I go for 6bn for the 6bn head count in the world ?
Actually, I might as well ask you, what is the limit for sha1 ? Might as well make that the limit.

Since this is being used as a seed value and not a number in a specific set, why do you need to specify any limit other than the max for the mt_rand() function?

See mt_getrandmax() for the max on your system.



PostPosted: Wed Dec 20, 2017 5:15 am 
Forum Contributor

Joined: Wed Jan 18, 2017 4:43 pm
Posts: 197
Christopher wrote:
UniqueIdeaMan wrote:
So, what should be the limit then ?

$account_activation_code = sha1( (string) mt_rand(1, 9999999));

The above I am going for. Is that good looking on your end ? Or, maybe I go for 6bn for the 6bn head count in the world ?
Actually, I might as well ask you, what is the limit for sha1 ? Might as well make that the limit.

Since this is being used as a seed value and not a number in a specific set, why do you need to specify any limit other than the max for the mt_rand() function?

See mt_getrandmax() for the max on your system.


Ok, THANKs! :)
https://www.google.com/search?q=mt_getrandmax()&oq=mt_getrandmax()&aqs=chrome..69i57&sourceid=chrome&ie=UTF-8


PostPosted: Sat Jan 27, 2018 7:43 pm 
DevNet Resident

Joined: Wed Apr 01, 2009 1:31 pm
Posts: 1532
To answer the original question about why digits get inserted into the database instead of the complete SHA1 string, it is because after you changed the data type on the column, you didn't tell mysqli_stmt_bind_param() that the value should be a string instead of an integer. When you cast the string "22d2..." as an integer, it becomes 22.

By the way, a pretty good and simple solution to the secret generation problem is sha1(mcrypt_create_iv(40)).
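Added example (editor's code, not posted by anyone in this thread) that ties the two findings of the thread together: a value bound with the type letter 'i' really is cut down to its leading digits, sha1((string) mt_rand(5, 30)) can only ever produce 26 distinct codes, and a code drawn from the CSPRNG and bound as 's' fixes both problems. It assumes PHP 7 or later (for random_bytes()), a mysqli connection $conn, and the thread's users table with a primary_website_email column and an account_activation_code column changed to CHAR(40); on PHP 5 the previous reply's mcrypt_create_iv() or openssl_random_pseudo_bytes() plays the role of random_bytes(). For the INSERT in registration.php the same correction means the type string becomes 'sssssssssis' (nine strings, the integer account_activation_status, then the code as a string) instead of 'ssssssssssi'.

```php
<?php
// Added example, not code from the thread. Assumes: PHP 7+ (random_bytes), a mysqli
// connection $conn, and the thread's `users` table with `primary_website_email` and an
// `account_activation_code` column changed to CHAR(40).

// 1. The failure mode the thread diagnoses. A placeholder bound with the type letter 'i'
//    is converted to an integer, and PHP keeps only the leading numeric prefix of a string.
function cast_like_bind_param_i(string $value): int
{
    return (int) $value;
}

// 2. How many distinct codes sha1((string) mt_rand($min, $max)) can ever produce:
//    one per integer in the range, however long the digest looks.
function weak_code_space_size(int $min, int $max): int
{
    $digests = array();
    for ($n = $min; $n <= $max; $n++) {
        $digests[sha1((string) $n)] = true;
    }
    return count($digests);
}

// 3. A code drawn from the CSPRNG: 20 random bytes give 40 hex characters (2^160 values).
//    mt_rand() is a Mersenne Twister, not a cryptographic generator, so widening its
//    range (as the later replies discuss) does not by itself make a code unpredictable.
function generate_activation_code(): string
{
    return bin2hex(random_bytes(20));
}

// 4. Storing the code. The column is a string column, so the placeholder is bound as 's';
//    the thread's INSERT needs the same change for its account_activation_code placeholder.
function store_activation_code(mysqli $conn, string $email, string $code): bool
{
    $stmt = mysqli_prepare($conn, "UPDATE users SET account_activation_code = ? WHERE primary_website_email = ?");
    if ($stmt === false) {
        return false;
    }
    mysqli_stmt_bind_param($stmt, 'ss', $code, $email);
    $ok = mysqli_stmt_execute($stmt);
    mysqli_stmt_close($stmt);
    return $ok;
}

// Stand-alone checks that need no database connection: the thread's digest cast as an
// integer, the size of the mt_rand(5, 30) code space, and the length of a fresh code.
var_dump(cast_like_bind_param_i('22d200f8670dbdb3e253a90eee5098477c95c23d'));
var_dump(weak_code_space_size(5, 30));
var_dump(strlen(generate_activation_code()));
```

Run it with the PHP CLI; the three var_dump() lines need no database, and store_activation_code() is only called once a live $conn exists. The cast in the first function is what the previous reply describes ("22d2..." becomes 22), and the second function's count matches requinix's "Twenty. Six."; the point of the third is that the fix for a guessable code is a better entropy source, not a wider mt_rand() range.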

