使用user's email
和专用hash
检查我的表是否足以验证并激活帐户(如果发现与这两个值匹配)?
用户被要求使用用户数据和他们的电子邮件id进行注册。然后,他们会收到一个电子邮件的URL,并被要求点击该URL来确认和激活他们的帐户。
这是我目前的设置:
<?php //The user-account-creation processing page
$email_id = taken from user input;
$randomnessWhateverItsCalled = "lots-of-randomness-here";
UPDATE advert SET advert_hash = SHA1(CONCAT($email_id, $randomnessWhateverItsCalled))
//For simplicity's sake I omitted the PDO stuff
INSERT INTO table_name (..., user_email, hash, account_activated, ...) VALUES (..., usersEmail, advert_hash, NO, ...)
/**
Send an email with some php code with the URL that would look like this
URL to click on attached to email body:
*/
$attachStringToEmailBody = "http://www.domainname.com/activate-user?email_id=" . $usersEmail . "&hash=" . $randomnessWhateverItsCalled;
enter code here
//Send email from this process page with a little email php code
//Redirect user to a page informing the user to activate the account by visiting their email and clicking on the url
?>
然后在activate-user.php
页面中,我有以下内容:
<?ph
$user_email = $_GET['email_id'];
$hash = $_GET['hash'];
/**
search database and return a row if there is a match containing both the $user_email and the $hash
if(match){
Update database and set the `account_activated` column to `YES`
}
else{
//Tell if there was no match then activation failed
//Let the user know that we do not recognise the link they used to try and activate their account.
}
*/
?>
它似乎足够安全,只要你让"随机性"部分很难猜测。你可以把电子邮件、用户名、密码等放在那里,然后把它们和另一个密钥混合在一起——都是加密的——这就是我通常做的
但我建议您将0/1用于活动/非活动-为什么要使用字符串,而您可以对smallint(1)执行同样的操作-并节省一些空间,从而使数据库更轻松?