tmyonline Posted May 18, 2008

Hi guys:

My URL contains username and password for account activation. How do I encode/encrypt the URL so that the username and password do not appear the way they do?

Thanks.

MasterACE14 Posted May 18, 2008

md5();

but you would be better off using a POST, rather than GET.

ACE

ShoeLace1291 Posted May 18, 2008

That's not a very safe way of doing that. You're better off using the member's ID if your members table uses an auto_increment column. Then you could just use $_GET to get the user's ID and then do a database query from there.

tmyonline (Author) Posted May 18, 2008

ACE:

Suppose I do: $pass = md5($password);

How do I get back my original password? Is there an md5 inverse function like: $password = inverse_md5($pass)?

Thanks.

corbin Posted May 18, 2008

If md5 were reversible, what would stop someone else from reversing it? ;p

Anyway, if you're worried about it appearing in the URL, look into POST.

cooldude832 Posted May 18, 2008

> If md5 were reversible, what would stop someone else from reversing it? ;p
>
> Anyway, if you're worried about it appearing in the URL, look into POST.

I know it's "irreversible" because the hash length is greater than the input length, giving you something that is harder to break than the original source would be using brute methods, but recently some fairly successful reverse md5 algorithms have been developed. Although you are correct it is irreversible, it isn't "perfect". As always I say, if someone wants your data bad enough an md5 isn't going to stop them.

Either way, the best way for email verification is to do this (even better is to use the inserted row's id number to force 2 completely unique pieces of data to be matched, although 1 25 character random string is fairly hard to crack).

1) For the user's table add 2 fields to it: 1 is the "Active/Not Active", simply BOOL, and then a secondary one is a 25 character random string.

2a) On registration set the active/not to 0 and generate a random string.

2b) Send an email to that user that says click here to activate; the link goes to mysite.com/activate.php?email=USEREMAIL&key=RANDOMKEYGENERATED

3) They click the link and your activate.php page looks like

```php
<?php
# connect SQL
$email = mysql_real_escape_string($_GET['email']);
$code = mysql_real_escape_string($_GET['key']);
# look up the user by the email and key taken from the link
$q = "Select UserID from `users` where Email = '".$email."' and Reg_String = '".$code."'";
$r = mysql_query($q) or die(mysql_error()."<Br /><Br />".$q);
if(mysql_num_rows($r) >0){
    # they are legit, activate them
    $row = mysql_fetch_array($r);
    $q = "Update `users` set Active = '1' where UserID = '".$row[0]."'";
    $r = mysql_query($q) or die(mysql_error()."<br /><Br />".$q);
    echo "Your Activated";
}
else{
    # not right combo, don't activate
    echo "Invalid code.";
}
?>
```

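Added example, not part of cooldude832's post or the thread: the same "random key in the activation link" flow written with PDO prepared statements, a key drawn from the OS CSPRNG, and only a hash of the key kept in the table so a leaked table does not hand out working links. The `Reg_Hash` column, the `register()`/`activate()` functions, the `mysite.example` host and the in-memory SQLite database (requires the pdo_sqlite extension, PHP 7+) are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Constructed schema: in-memory SQLite stands in for the real users table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (
    UserID   INTEGER PRIMARY KEY AUTOINCREMENT,
    Email    TEXT UNIQUE NOT NULL,
    Active   INTEGER NOT NULL DEFAULT 0,
    Reg_Hash TEXT
)');

// Registration: insert an inactive user and return the key to e-mail to them.
function register(PDO $db, string $email): string
{
    $key  = bin2hex(random_bytes(16));               // 128 bits of randomness
    $stmt = $db->prepare('INSERT INTO users (Email, Reg_Hash) VALUES (?, ?)');
    $stmt->execute([$email, hash('sha256', $key)]);  // only the hash is stored
    return $key;
}

// Activation: succeeds once, and only for an inactive account with a matching key.
function activate(PDO $db, string $email, string $key): bool
{
    $stmt = $db->prepare('SELECT UserID, Reg_Hash FROM users WHERE Email = ? AND Active = 0');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || $row['Reg_Hash'] === null) {
        return false;                                // unknown e-mail or already active
    }
    if (!hash_equals($row['Reg_Hash'], hash('sha256', $key))) {
        return false;                                // wrong key (constant-time compare)
    }
    // Clear the stored hash so the link cannot be replayed.
    $upd = $db->prepare('UPDATE users SET Active = 1, Reg_Hash = NULL WHERE UserID = ?');
    $upd->execute([$row['UserID']]);
    return true;
}

// Constructed sample data: register, build the link, then try three activations.
$email = 'alice@example.com';
$key   = register($db, $email);
echo 'https://mysite.example/activate.php?'
    . http_build_query(['email' => $email, 'key' => $key]), PHP_EOL;
var_dump(activate($db, $email, 'not-the-key'));      // wrong key
var_dump(activate($db, $email, $key));               // correct key
var_dump(activate($db, $email, $key));               // same key replayed
```

The page behind the link should answer with the same generic message for every failure case, rather than echoing the SQL error or the query.
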
corbin Posted May 18, 2008

You're correct about it being reversible, but I've yet to see a public or easy or 100% reversion.

To be honest, when I first read this, I saw how the title was oddly worded, read the first few words of the first post, and started reading others' solutions.

Yeah, I must agree with cooldude's method of storing a secret string. I wrote a registration script a while back and did that, but I used a processed form of the username so I wouldn't have to store anything in the DB. (Yes, someone could figure out the algorithm for making the code, but registering was protected, so it wasn't a particular issue.)

MasterACE14 Posted May 18, 2008

> ACE:
>
> Suppose I do: $pass = md5($password);
>
> How do I get back my original password? Is there an md5 inverse function like: $password = inverse_md5($pass)?
>
> Thanks.

md5 is a hash, meaning it's 1 way.

To check their password against the database or whatever, you simply hash what they put in.

example:

md5($_POST['password']);

ACE

cooldude832 Posted May 18, 2008

They aren't hashing in, and regardless, a public vision of the hashed password is just as dangerous as an unhashed one. Ask someone here: they dared us to dehash their password, which was done in 10 minutes.

tmyonline (Author) Posted May 18, 2008

Thanks everyone. cooldude832, your suggestion makes a lot of sense. Thanks a lot.

This topic is now archived and is closed to further replies.