ajoo

Members
Posts: 871
Days Won: 1

Everything posted by ajoo

  1. Thanks Guru Jacques & Funster for the inputs. Funster, if you don't store the tokens, then what does the link compare to once it's been clicked by the user? I believe it's not possible to retrieve the data once it has been hashed. Any particular reason for being so averse to storing tokens? Guru Jacques, I'll read up on the link and revert. Thank you both.
  2. Thank you Guru Jacques for clarifying the subtle but huge differences between the two procedures. Are you suggesting that checking and changing (resetting to NULL once used) the token be an atomic operation? I have also tried to use a bit of logic which prevents multiple tokens from being generated till a certain time period has elapsed. I was thinking of keeping the tokens and their time stamps in a separate table and updating the account activation field in the users table once the token had been authenticated, and also deleting that row with the token and time stamp from the table (with just token & ts), all at one go. The reasons being: 1. the tokens, once used, are not needed and are in fact a security hazard if kept; 2. only relevant data is stored in the users table, preventing clutter. After psycho advised against using the delete operations I am thinking of forgetting about the deletions and just setting the tokens to NULL. Please advise. Thank you.
  3. Thank you Psycho for that detailed information, especially about the delete operations. I'll have to decide about using or not using them, but as of now I think I'll just let them be. Thanks.
  4. Hi ginerjm, Thanks for the revert. Since the token, once verified & used, is no longer required, I thought I would create a new table (say temp) to keep that data (token with a time stamp) and I would update the activate field in the users table (the main table with user details). Once it's been activated (for account activation), the values in the temp table are no longer needed and so those can be deleted. In fact I delete the record as soon as the activation has been achieved. I have no idea, so I asked. If I forgot my plain text password and google has no way of knowing it since they don't store plain passwords, how would an old password help? Probably they have the hashes of old passwords stored. So once again, would this be a good or a bad idea, to delete the records of the temporary tokens and timestamps for the same? Thanks loads!
  5. Hi all! It looks to me that sending an activation email and resetting a password are more or less similar operations, as both require a token to be returned to the website for verification and thereafter changing the password. The two cannot be confused since password resetting must obviously always, if at all, occur after account activation. The record in the database would in any case be deleted after any of these operations have been executed successfully. So I was wondering if it is alright to use the same table in the database for both these operations. Or do we need to retain some information in the database after these operations are completed? Information that can be handy later for some operations I cannot think of right now. I have noticed that google asks for any old password that a user can recall. What do they do with that? How can they identify a user with that, I wonder? They wouldn't be storing plain passwords, would they? Thanks all!
  6. [phpmailer] Thank you Guru Jacques. Happy to take your advice always!
  7. [phpmailer] By numeric I mean the integer and float values. Values stored in a DB, auto increment values etc. I think, I am almost sure, that I have used the number value for all the number inputs, but I'll recheck that. What about filter_validate_number? Is that a good option too? Thanks!
  8. [phpmailer] Hi Guru Jacques, I think I have asked this before, but since I could not find your reply, I'll ask it once again. For escaping HTML output you suggested a great function html_escape(), that I can use to sanitize all strings. The question is how to validate a numeric output. For example if there is a form field which expects numeric input then we need to check that the input is indeed numeric. Would using the is_numeric() function be sufficient for this purpose? Anything else that we would need to take care of? Thanks!
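The integer-field question in posts 7 and 8 above, as an added example that is not from the thread: it runs is_numeric() and filter_var() with FILTER_VALIDATE_INT side by side over the kind of strings a form actually delivers. The sample inputs are constructed and validate_int() is a helper written for this example.

```php
<?php
// Added example, not from the thread: is_numeric() versus FILTER_VALIDATE_INT
// for a form field that is supposed to carry an integer (an id, a quantity).
declare(strict_types=1);

// Accept only a decimal integer within [min, max]; returns the int or null.
// $_POST values are always strings, so the parameter is typed as string.
function validate_int(string $input, int $min = 1, int $max = PHP_INT_MAX): ?int
{
    $v = filter_var($input, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => $min, 'max_range' => $max],
    ]);
    return $v === false ? null : $v;
}

// Constructed inputs: plain, padded, leading zero, decimal, exponent, hex,
// negative, wider than a 64-bit int, and trailing garbage.
$samples = ['42', ' 42', '042', '4.2', '1e3', '0x2A', '-1', '99999999999999999999', '42abc'];

foreach ($samples as $s) {
    printf("%-24s is_numeric=%-5s validate_int=%s\n",
        var_export($s, true),
        is_numeric($s) ? 'true' : 'false',
        var_export(validate_int($s), true));
}
```

The two checks answer different questions. is_numeric() says "PHP could treat this as a number", so it accepts the padded, decimal, exponent and 20-digit strings; validate_int() returns the parsed integer only for '42' and ' 42' and null for everything else, including '-1' (below min_range) and '042'. For a value that ends up in an integer column or an auto-increment key, FILTER_VALIDATE_INT with a range is the right check; for decimal amounts, FILTER_VALIDATE_FLOAT.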
  9. [phpmailer] Hi Guru Jacques, Thank you for the response and sorry for the delayed reply. The echo in the code was only for testing the loop traversed, but I get the point. Thanks, and will come back for more!
  10. [phpmailer] Hi all! I used the following script to send a test mail, which works fine.

      <?php
      // The autoloader pulls in class.phpmailer.php (and class.smtp.php) on demand.
      require_once('PHPMailer-master/PHPMailerAutoload.php');

      define('USER', 'mymail@gmail.com'); // GMail username
      define('PWD', 'myPassword');        // GMail password

      $to        = 'mee@gmail.com';
      $from      = 'mymail@gmail.com';
      $from_name = 'Ajoo';
      $subject   = 'Test Message';
      $body      = 'This is PHP Mailer in Action';

      if (smtpmailer($to, $from, $from_name, $subject, $body)) {
          echo 'Message Sent';
      } else {
          echo 'Mail error';
      }

      // Returns true on success; on failure the reason is in $error.
      function smtpmailer($to, $from, $from_name, $subject, $body)
      {
          global $error;
          $mail = new PHPMailer();   // create a new object
          $mail->IsSMTP();           // send via SMTP instead of mail()
          $mail->SMTPDebug  = 0;     // 0 = off, 1 = client messages, 2 = client and server messages
          $mail->SMTPAuth   = true;  // authentication enabled
          $mail->SMTPSecure = 'ssl'; // implicit TLS on port 465, REQUIRED for GMail
          $mail->Host       = 'smtp.gmail.com';
          $mail->Port       = 465;
          $mail->Username   = USER;
          $mail->Password   = PWD;
          $mail->SetFrom($from, $from_name);
          $mail->Subject = $subject;
          $mail->Body    = $body;
          $mail->AddAddress($to);
          if (!$mail->Send()) {
              $error = 'Mail error: ' . $mail->ErrorInfo;
              return false;
          }
          $error = 'Message sent!';
          return true;
      }
      ?>

      I just want to know if this is secure enough. It was pointed out in a previous mail that the php mail() function was not secure by itself and the variables were vulnerable to various mail injections. So is this safe now just by virtue of the fact that it's using a library and that takes care of the security? Or do we need to take some precautions here too? Thanks all!
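The injection the poster asks about in post 10, as an added example that is neither the poster's code nor a reply from the thread. It rebuilds the header block the way the mail()-based helper later in this list does (plain string concatenation) and feeds it a constructed address with an embedded newline, then shows the check to run on any address before it is used. PHPMailer does this part for you: addAddress() and setFrom() refuse addresses that fail its validateAddress() check and it strips CR/LF from the header values it writes. It does not protect the Gmail password that the script above keeps in source under the web root; that belongs in a config file outside it.

```php
<?php
// Added example, not from the thread: how a newline in an address becomes an
// injected header when headers are built by string concatenation, and the
// check to apply to every address before it reaches mail() or PHPMailer.
declare(strict_types=1);

// The header construction used by the thread's mail() helper, reduced to the
// lines that matter: the caller's string is pasted straight into the headers.
function build_headers(string $from): string
{
    $headers  = "From: $from\n";
    $headers .= "Reply-to: $from\n";
    $headers .= "MIME-Version: 1.0\n";
    return $headers;
}

// Number of header lines mail() would actually see. For a clean address this
// equals the number of headers built above; anything more was injected.
function header_line_count(string $from): int
{
    return count(array_filter(explode("\n", build_headers($from))));
}

// Accept exactly one bare address: no CR/LF, no display name, syntactically
// valid. Returns the address or null; the caller must refuse to send on null.
function safe_address(string $addr): ?string
{
    if (preg_match('/[\r\n]/', $addr)) {
        return null;                         // header injection attempt
    }
    $v = filter_var($addr, FILTER_VALIDATE_EMAIL);
    return $v === false ? null : $v;
}

// Constructed attacker input: what the registration form delivers when the
// e-mail field contains an embedded newline followed by a header of its own.
$hostile = "victim@example.com\nBcc: spamlist@example.net";
$honest  = 'their@example.com';

echo build_headers($hostile);                // the Bcc: line now appears twice
var_dump(header_line_count($honest));        // one line per header
var_dump(header_line_count($hostile));       // more lines than headers: injected
var_dump(safe_address($hostile));            // null, refused
var_dump(safe_address($honest));             // the address, unchanged
```

Because $from is used for two headers, a single hostile value injects two lines; with Return-Path and Message-ID built the same way the attacker gets a header of their choosing at each of those positions as well. The fix is not in the transport but at the boundary: run every address through safe_address() (or rely on PHPMailer's rejection) and never interpolate raw form input into a header string.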
  11. Hi Guru Jacques, Would this be the correct equivalent?

      $mailcode = bin2hex(random_bytes(16));      // Use this to send as a token in the email
      $s = hash('sha256', $mailcode, true);       // Store this hash in the DB for the comparison later.

      If the above is OK, then I would like to ask what is the need to hash the token before storing it in the DB? Thanks!
  12. Thank you Guru Jacques!! for those inputs. I'll look into them and revert soon with the changes. Thanks !!
  13. Hi Kicken, Would this be the right way to do it, and is this good enough from the security standpoint?

      $user = 'Jack';
      $mailcode = bin2hex(random_bytes(16));
      $s = hash_hmac('sha256', $mailcode, $user, true);
      $s = base64_encode($s);

      And then use $s as the secure token. Thanks loads.
  14. Thanks for the clarifications once again.
  15. Hi Kicken, Thanks for the reply. The token is being used only to mark the account active. There is no autologin after that. Just a message on a page welcoming the user and a button to redirect to the login page. $mc = md5($_SERVER['REMOTE_ADDR'].microtime().rand(1,100000)); Is this method of creating a random token good enough? I am using the email to check if it's a valid email matching one in the database before I go ahead and actually activate the account, but I could do that with the token as well, I guess. So maybe I can remove the email in that case, as suggested by you. Thanks again.
  16. Hi all, I am using the following code snippet to send a mail on registration for the purpose of account verification by the user.

      <?php
      $user = 'Jack';
      $pass = 'You may pass';
      // a random string to be checked against itself, stored in the DB
      $mc = md5($_SERVER['REMOTE_ADDR'] . microtime() . rand(1, 100000));

      function send_mail($from, $to, $subject, $body)
      {
          // Headers are built by string concatenation: whatever is in $from
          // lands in the From, Reply-to and Return-Path lines as-is.
          $headers  = '';
          $headers .= "From: $from\n";
          $headers .= "Reply-to: $from\n";
          $headers .= "Return-Path: $from\n";
          $headers .= "Message-ID: <" . md5(uniqid(time())) . "@" . $_SERVER['SERVER_NAME'] . ">\n";
          $headers .= "MIME-Version: 1.0\n";
          $headers .= "Date: " . date('r', time()) . "\n";
          return mail($to, $subject, $body, $headers) === true;
      }

      if (send_mail(
          'mymail@gmail.com',
          'their@gmail.com',
          'Register your Account.',
          "Click on this link http://www.yoursite.com/registeracc.php?email='their@gmail.com'&mc=" . $mc . " to activate your account"
      ) === true) {
          echo "Success";
      } else {
          echo "Failed";
      }
      ?>

      I would like to know if this is OK or is there a better and more secure way to do it? Are there any security concerns that should be taken into account here? Thanks all!
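The token lifecycle discussed across posts 1 to 5 and 11 to 16 above (a random token in the link, only its hash stored, checked and invalidated in one step, the same table serving activation and reset), as an added example that is not the poster's code nor any reply from the thread. It runs stand-alone on an in-memory SQLite database through PDO; the schema, the 'purpose' values, the one-hour lifetime and the link format are assumptions made for the example.

```php
<?php
// Added example, not from the thread: single-use, expiring tokens for account
// activation and password reset. Runs stand-alone on an in-memory SQLite database;
// the schema, the 'purpose' values and the one-hour lifetime are assumptions.
declare(strict_types=1);

const TOKEN_TTL_SECONDS = 3600;

function open_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (
        id     INTEGER PRIMARY KEY,
        email  TEXT NOT NULL UNIQUE,
        active INTEGER NOT NULL DEFAULT 0)');
    // One row per outstanding token. Only the hash is kept, so a read of this
    // table (SQL injection, stray backup) does not yield a usable link.
    $db->exec('CREATE TABLE tokens (
        token_hash TEXT PRIMARY KEY,
        user_id    INTEGER NOT NULL,
        purpose    TEXT NOT NULL,      -- activate | reset
        expires_at INTEGER NOT NULL,   -- unix time
        used_at    INTEGER NULL)');
    return $db;
}

// Issue a token: the raw value goes into the e-mail link, its SHA-256 into the table.
function issue_token(PDO $db, int $userId, string $purpose): string
{
    $raw = bin2hex(random_bytes(32));
    $db->prepare('INSERT INTO tokens (token_hash, user_id, purpose, expires_at) VALUES (?, ?, ?, ?)')
       ->execute([hash('sha256', $raw), $userId, $purpose, time() + TOKEN_TTL_SECONDS]);
    return $raw;
}

// Consume a token. The check and the invalidation are one UPDATE with every
// condition in its WHERE clause, so two concurrent requests carrying the same
// link cannot both succeed. Returns the user id, or null if the token is
// unknown, already used, expired, or was issued for a different purpose.
function consume_token(PDO $db, string $raw, string $purpose): ?int
{
    if (!preg_match('/^[0-9a-f]{64}$/', $raw)) {
        return null;                                  // not even the right shape
    }
    $hash = hash('sha256', $raw);
    $now  = time();

    $db->beginTransaction();
    $upd = $db->prepare('UPDATE tokens SET used_at = ?
        WHERE token_hash = ? AND purpose = ? AND used_at IS NULL AND expires_at > ?');
    $upd->execute([$now, $hash, $purpose, $now]);
    if ($upd->rowCount() !== 1) {
        $db->rollBack();
        return null;
    }
    $sel = $db->prepare('SELECT user_id FROM tokens WHERE token_hash = ?');
    $sel->execute([$hash]);
    $userId = (int) $sel->fetchColumn();
    if ($purpose === 'activate') {
        $db->prepare('UPDATE users SET active = 1 WHERE id = ?')->execute([$userId]);
    }
    $db->commit();
    return $userId;
}

// Constructed walk-through: register a user, build the link, click it three times.
$db = open_db();
$db->exec("INSERT INTO users (id, email) VALUES (1, 'their@example.com')");
$link = 'https://www.example.com/registeracc.php?mc=' . issue_token($db, 1, 'activate');
parse_str((string) parse_url($link, PHP_URL_QUERY), $query);

var_dump(consume_token($db, $query['mc'], 'activate'));   // first click activates
var_dump(consume_token($db, $query['mc'], 'activate'));   // replay of the same link
var_dump(consume_token($db, $query['mc'], 'reset'));      // same link, other purpose
```

Three design points the thread circles around are visible here. The link carries only the token, so the e-mail address does not need to be in the URL; the row identifies the user. The stored value is a hash, so a leak of the table gives nothing that works in a link, which is the reason for hashing before storage. And nothing is deleted on the request path: used_at records the consumption, and expired or used rows can be pruned out of band with a periodic DELETE FROM tokens WHERE expires_at < (some cutoff). The md5(REMOTE_ADDR . microtime() . rand()) construction from post 16 is replaced by random_bytes(), whose output is unpredictable rather than merely varied.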
  17. Hi Requinix, Thanks for your inputs. I was able to manage it. Thanks !
  18. Hi Requinix, Thanks for that reply. Yes, that's happening due to input[type=submit]. The triangular bit of the arrow disappears. It is retained with button[type=submit], but the arrow is distorted. Please check the new update to the link: https://jsfiddle.net/ajoo/hm11o3oh/9/ . Is it not possible to use the input[type=submit] without distorting the button? To see the initial button with the <a href=''> tag, see this link: https://jsfiddle.net/ajoo/hm11o3oh/1/ I mean I need this button to send post values to the page. Thanks.
  19. Hi Requinix, Thanks for the reply and sorry for the delay. I have been struggling with this for quite some time. I actually need to submit php values using the button, just like a regular button. I have been trying this out on a fiddle and here is the link to it: https://jsfiddle.net/ajoo/hm11o3oh/3/ The triangular part of the button breaks and the button loses its shape. Kindly have a look at the fiddle and guide. Thanks!
  20. I have the following piece of code, which gives me a beautiful button that I want to use in a form. <div class='lbk'><a href='' class='btn_lft'>&nbsp; Left</a></div> On pressing the button I want to send some post data back to the page, which is where I am totally stumped and can't figure out how I can do it with this button. It would be very simple to send it using a basic submit button. But then I won't get the arrow button that looks so neat. Please can someone help me figure this out, if it is possible. I do not wish to use Ajax etc. Thanks all.
  21. Thanks again Jacques! I request you again to kindly take some time out to answer my query on your mail.
  22. Hi Kicken and Guru Jacques, Thanks for the inputs. My SERVER API shows as Apache 2.0 Handler on my production server. I tried but could not find the file that holds the ProxyErrorOverride directive. Please enlighten. Thanks loads.
  23. Thanks Kicken for the response, I will look it up & revert if I have any further query.
  24. Hi, Just one last thing. 1. What's the mechanics of sending this page on a local server running apache? Should the page be created in the fata_error_handler.php itself, or should it be created separately and redirected to? OR is there a directive in one of the config files on the server that points to some error page by default, so that there is no need to make any error page as well? By the way I am using the Amazon aws servers and the server uses Amazon Linux. Hmmm, I am not aware of this. Where can I find out about it? Kindly take some time out to revert to a query that I had sent on your personal messenger on phpfreaks. Thanks again very much.
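The error-page mechanics asked about in posts 22 and 24 above, as an added example that is not from the thread. Under mod_php (the "Apache 2.0 Handler" the poster reports) there is no proxy between Apache and PHP, so ProxyErrorOverride, a mod_proxy directive that lets Apache's ErrorDocument pages replace error responses coming back from a proxied backend such as PHP-FPM, is not in play; what the client sees after a PHP fatal error is decided inside PHP. This script registers a shutdown function that swallows the partial output, logs the real message server-side and serves a static page, so neither the message nor the file path reaches the browser. The page location, the E_USER_ERROR trigger and the `?boom` switch are assumptions made for the example.

```php
<?php
// Added example, not from the thread: turn a PHP fatal error into a generic
// 500 response without leaking the message or the file path to the client.
// Paths and the constructed ?boom trigger are assumptions.
declare(strict_types=1);

ini_set('display_errors', '0');   // never render PHP's own message to the client
ini_set('log_errors', '1');       // but do keep it in the server log

// Static page under the web root; contains no request data and no stack trace.
const ERROR_PAGE = __DIR__ . '/errors/500.html';

// Bitmask of the error types that terminate the script.
function fatal_types(): int
{
    return E_ERROR | E_PARSE | E_CORE_ERROR | E_COMPILE_ERROR | E_USER_ERROR;
}

// Decide from error_get_last() whether the script died of a fatal error.
function is_fatal(?array $err): bool
{
    return $err !== null && ($err['type'] & fatal_types()) !== 0;
}

// Body sent to the client when the real page could not be produced.
function error_page_body(): string
{
    return is_readable(ERROR_PAGE)
        ? (string) file_get_contents(ERROR_PAGE)
        : '<h1>Something went wrong</h1><p>Please try again later.</p>';
}

// Runs at script end, including after a fatal error, which no try/catch sees.
function fatal_error_handler(): void
{
    $err = error_get_last();
    if (!is_fatal($err)) {
        return;                                   // normal exit, buffer flushes as usual
    }
    error_log(sprintf('Fatal: %s in %s:%d', $err['message'], $err['file'], $err['line']));
    while (ob_get_level() > 0) {
        ob_end_clean();                           // discard whatever was rendered so far
    }
    if (!headers_sent()) {
        http_response_code(500);
        header('Content-Type: text/html; charset=UTF-8');
    }
    echo error_page_body();
}

ob_start();                                       // hold output until we know the page finished
register_shutdown_function('fatal_error_handler');

// Constructed trigger so the handler can be exercised: /page.php?boom=1
if (isset($_GET['boom'])) {
    trigger_error('simulated failure while building the page', E_USER_ERROR);
}
echo '<p>normal page content</p>';
```

The handler belongs in a file that every script includes first (the thread's fatal_error_handler.php is the natural home), so the ini settings and ob_start() are in effect before any application code runs. Apache's own ErrorDocument directive, set in httpd.conf or .htaccess, covers the error responses Apache generates itself (a 404 for a missing file, a 403 from access control); the PHP-side handler above covers the ones that originate in the script.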