php - 一种使用 URL 在 MySQL PHP 中识别和激活用户的足够安全的方法

Question

如果发现与这两个值匹配，使用用户电子邮件和专用哈希检查我的表是否足以验证并激活帐户？

用户被要求使用用户数据和电子邮件 ID 进行注册。然后，他们会收到一个 URL 到他们的电子邮件地址，要求他们点击该 URL 来确认并激活他们的帐户。

这是我当前的设置:

<?php //The user-account-creation processing page

    $email_id = taken from user input;
    $randomnessWhateverItsCalled = "lots-of-randomness-here";

    UPDATE advert SET advert_hash = SHA1(CONCAT($email_id, $randomnessWhateverItsCalled))

    //For simplicity's sake I omitted the PDO stuff
    INSERT INTO table_name (..., user_email, hash, account_activated, ...) VALUES (..., usersEmail, advert_hash, NO, ...) 


    /**
        Send an email with some php code with the URL that would look like this
        URL to click on attached to email body: 
     */
     $attachStringToEmailBody = "http://www.domainname.com/activate-user?email_id=" . $usersEmail . "&hash=" . $randomnessWhateverItsCalled;
enter code here

    //Send email from this process page with a little email php code  

    //Redirect user to a page informing the user to activate the account by visiting their email and clicking on the url
?>

然后在activate-user.php页面中我有以下内容:

<?ph
    $user_email = $_GET['email_id'];
    $hash = $_GET['hash'];


   /**
        search database and return a row if there is a match containing both the $user_email and the $hash
        if(match){
            Update database and set the `account_activated` column to `YES`
        }
        else{
            //Tell if there was no match then activation failed

            //Let the user know that we do not recognise the link they used to try and activate their account.
        }
        */

?>

Answer 1

只要你让“随机性”部分变得难以猜测，它看起来就足够安全了。您可以将电子邮件、用户名、密码等放在那里，并将它们与另一个 key 混合在一起 - 全部加密 - 这就是我通常所做的。

但我建议您使用 0/1 来表示事件/非事件 - 为什么要使用字符串，当您可以使用smallint (1) 执行相同操作时 - 并节省一些空间，从而使数据库更轻一些？