tjdww Posted June 11, 2015

Hi all, I am trying to write a user membership script but have hit a brick wall. I have a registration form, I can validate it, I can enter the valid details into a DB and I can send a hashed code via email with a link to a log in page. All ok, a bit rough cos I am brand spanking new at this!!! My problem is this... When I enter a new user and validate it's all fine, but once I get my echo message telling the new user 'they have mail' (to complete their registration), if I click 'view source' I can clearly see the link plus the full hashed code! Am I reading this wrong, or can I just cut and paste that link into my browser and then log in, bypassing the email verification altogether? That is to say, I could use someone else's email instead of my own??? As I wouldn't have to go to the email to complete the registration. Have I got this right? And if so, how can I make this process more secure? I have not yet found any different strategies in forums or tutorials. Many thanks in advance.
fastsol Posted June 11, 2015

Yes, you certainly probably don't want the hash displayed so they can bypass the email step. But the real question is, why is the hash being displayed in the first place, even if it's only in the source code? It's virtually impossible to help you without your code.
tjdww Posted June 11, 2015 (Author)

Thanks for the reply. I'm using PHPMailer to send the email. It asks for a HTML message, stored in a variable like $message. My hash variable is $hash. When I clicked view source I was expecting to see variables, but instead I saw the variable values, i.e. I saw the actual hash. Is there something I am supposed to do to the variables to mask their values on a view source render???
fastsol Posted June 11, 2015

The only way you would be able to see a PHP variable value is if it is being echoed/printed to the browser. View source, just like what you see in the browser normally, will ONLY show what you tell it to. It CAN'T display PHP code/values unless you tell it to. Like I said before, we can't help you without your code.
tjdww Posted June 11, 2015 (Author)

```php
<?php
require 'PHPMailer-master/PHPMailerAutoload.php';
print "OK HERE WE GO<br><br>";
$activation = md5(uniqid(rand(), true));
$mail = new PHPMailer;
$mail->SMTPDebug = 0;                               // Enable verbose debug output
$mail->isSMTP();                                    // Set mailer to use SMTP
$mail->Host = 'mail.smtp.com';                      // Specify main and backup SMTP servers
//$mail->SMTPAuth = true;                           // Enable SMTP authentication
$mail->Username = 'xyz.abc@any.com';                // SMTP username
$mail->Password = 'password';                       // SMTP password
//$mail->SMTPSecure = 'tls';                        // Enable TLS encryption, `ssl` also accepted
$mail->Port = 25;                                   // TCP port to connect to
$mail->From = 'xyz.abc@any.com';
$mail->FromName = 'tim';
$mail->addAddress('any.one@gmail.com', 'User');     // Add a recipient
$mail->isHTML(true);                                // Set email format to HTML
$message = "http://www.something.com/login.php?&key=$activation";
$mail->Subject = 'Here is the subject';
$mail->Body = " $message";
$mail->AltBody = 'This is the body in plain text for non-HTML mail clients';
print "code is: $activation";
if (!$mail->send()) {
    echo 'Message could not be sent.';
    echo 'Mailer Error: ' . $mail->ErrorInfo;
} else {
    echo 'Message has been sent';
}
?>
```
fastsol Posted June 11, 2015

Well, I can only assume that this line is there for debugging:

```php
print "code is: $activation";
```

That is the only line in your code that displays anything with the activation code, and that should be displayed to the screen, not just the view source. You're going to have to give us more detailed info than you have. How about posting your view source and highlighting where the hash is being shown. Please make sure to use the proper code posting buttons to post your code. It's the blue <> button.
tjdww Posted June 11, 2015 (Author)

Thank you, will post more info tomorrow.
CroNiX Posted June 12, 2015

Not to do with your problem, but are you saving that in the database somewhere before sending the email off? I'd change

```php
$mail->AltBody = 'This is the body in plain text for non-HTML mail clients';
print "code is: $activation";
```

to

```php
$mail->AltBody = "This is the body in plain text for non-HTML mail clients\n\n" . $message;
```

and just send your original message, which is just a link. Even in text, most email clients will convert a link starting with "http" to a clickable link.
tjdww Posted June 12, 2015 (Author)

```html
<html>
<head>
<title>Mail Tester</title>
</head>
<body>
OK HERE WE GO<br><br>code is: a9f1e5cf855cffc3ab1807f62dee3ebd2015-06-12 06:34:44 SERVER -> CLIENT: 220 mail-out2.one.com ESMTP Postfix
2015-06-12 06:34:44 CLIENT -> SERVER: EHLO wisewarrior.co.uk
2015-06-12 06:34:44 SERVER -> CLIENT: 250-mail-out2.one.com 250-PIPELINING 250-SIZE 104857600 250-ETRN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 DSN
2015-06-12 06:34:44 CLIENT -> SERVER: MAIL FROM:<XXXXXXXXXXXXXXXXXXXX>
2015-06-12 06:34:44 SERVER -> CLIENT: 250 2.1.0 Ok
2015-06-12 06:34:44 CLIENT -> SERVER: RCPT TO:<XXXXXXXXXXXXXXXXXXXX>
2015-06-12 06:34:44 SERVER -> CLIENT: 250 2.1.5 Ok
2015-06-12 06:34:44 CLIENT -> SERVER: DATA
2015-06-12 06:34:44 SERVER -> CLIENT: 354 End data with <CR><LF>.<CR><LF>
2015-06-12 06:34:44 CLIENT -> SERVER: Date: Fri, 12 Jun 2015 06:34:44 +0000
2015-06-12 06:34:44 CLIENT -> SERVER: To: User <XXXXXXXXXXXXXXXXXXXXXX>
2015-06-12 06:34:44 CLIENT -> SERVER: From: Me <XXXXXXXXXXXXXXXXXXXXXXX>
2015-06-12 06:34:44 CLIENT -> SERVER: Subject: Here is the subject
2015-06-12 06:34:44 CLIENT -> SERVER: Message-ID: <bb519cc9520b2b4bd0d0532190b929bc@wisewarrior.co.uk>
2015-06-12 06:34:44 CLIENT -> SERVER: X-Priority: 3
2015-06-12 06:34:44 CLIENT -> SERVER: X-Mailer: PHPMailer 5.2.10 (https://github.com/PHPMailer/PHPMailer/)
2015-06-12 06:34:44 CLIENT -> SERVER: MIME-Version: 1.0
2015-06-12 06:34:44 CLIENT -> SERVER: Content-Type: multipart/alternative;
2015-06-12 06:34:44 CLIENT -> SERVER: boundary="b1_bb519cc9520b2b4bd0d0532190b929bc"
2015-06-12 06:34:44 CLIENT -> SERVER: Content-Transfer-Encoding: 8bit
2015-06-12 06:34:44 CLIENT -> SERVER:
2015-06-12 06:34:44 CLIENT -> SERVER: This is a multi-part message in MIME format.
2015-06-12 06:34:44 CLIENT -> SERVER:
2015-06-12 06:34:44 CLIENT -> SERVER: --b1_bb519cc9520b2b4bd0d0532190b929bc
2015-06-12 06:34:44 CLIENT -> SERVER: Content-Type: text/plain; charset=us-ascii
2015-06-12 06:34:44 CLIENT -> SERVER:
2015-06-12 06:34:44 CLIENT -> SERVER: This is the body in plain text for non-HTML mail clients
2015-06-12 06:34:44 CLIENT -> SERVER:
2015-06-12 06:34:44 CLIENT -> SERVER:
2015-06-12 06:34:44 CLIENT -> SERVER: --b1_bb519cc9520b2b4bd0d0532190b929bc
2015-06-12 06:34:44 CLIENT -> SERVER: Content-Type: text/html; charset=us-ascii
2015-06-12 06:34:44 CLIENT -> SERVER:
2015-06-12 06:34:44 CLIENT -> SERVER: http://www.somesite.co.uk/login.html?&key=a9f1e5cf855cffc3ab1807f62dee3ebd
2015-06-12 06:34:44 CLIENT -> SERVER:
2015-06-12 06:34:44 CLIENT -> SERVER:
2015-06-12 06:34:44 CLIENT -> SERVER:
2015-06-12 06:34:44 CLIENT -> SERVER: --b1_bb519cc9520b2b4bd0d0532190b929bc--
2015-06-12 06:34:44 CLIENT -> SERVER:
2015-06-12 06:34:44 CLIENT -> SERVER: .
2015-06-12 06:34:44 SERVER -> CLIENT: 250 2.0.0 Ok: queued as 547EA1452C
2015-06-12 06:34:44 CLIENT -> SERVER: QUIT
2015-06-12 06:34:44 SERVER -> CLIENT: 221 2.0.0 Bye
Message has been sent
</body>
</html>
```
devWhiz Posted June 12, 2015

Try this..

```php
<?php
require 'PHPMailer-master/PHPMailerAutoload.php';
print "OK HERE WE GO<br><br>";
$activation = md5(uniqid(rand(), true));
$mail = new PHPMailer;
$mail->SMTPDebug = 0;                               // Enable verbose debug output
$mail->isSMTP();                                    // Set mailer to use SMTP
$mail->Host = 'mail.smtp.com';                      // Specify main and backup SMTP servers
//$mail->SMTPAuth = true;                           // Enable SMTP authentication
$mail->Username = 'xyz.abc@any.com';                // SMTP username
$mail->Password = 'password';                       // SMTP password
//$mail->SMTPSecure = 'tls';                        // Enable TLS encryption, `ssl` also accepted
$mail->Port = 25;                                   // TCP port to connect to
$mail->From = 'xyz.abc@any.com';
$mail->FromName = 'tim';
$mail->addAddress('any.one@gmail.com', 'User');     // Add a recipient
$mail->isHTML(true);                                // Set email format to HTML
$message = "http://www.something...y=$activation";
$mail->Subject = 'Here is the subject';
$mail->Body = " $message";
$mail->AltBody = 'This is the body in plain text for non-HTML mail clients';
//print "code is: $activation";
if (!$mail->send()) {
    echo 'Message could not be sent.';
    echo 'Mailer Error: ' . $mail->ErrorInfo;
} else {
    echo 'Message has been sent';
}
?>
```
tjdww Posted June 12, 2015 (Author)

Hi devWhiz. By omitting the print command, that has removed the printout of the message at the top of the source code, but the full URL with variable value is still evident at the same point in the source as before. Thanks for the info though, any other ideas?
fastsol Posted June 12, 2015

You have something else going on here, none of that stuff should be seen in the browser or view source. There must be some other setting somewhere in your server or other included files that is causing this to happen.
CroNiX Posted June 12, 2015 (edited)

It looks like you have debugging turned on in PHPMailer. None of this should be seen in your "view source" or webpage at all, except for testing...

```text
OK HERE WE GO<br><br>code is: a9f1e5cf855cffc3ab1807f62dee3ebd2015-06-12 06:34:44 SERVER -> CLIENT: 220 mail-out2.one.com ESMTP Postfix
2015-06-12 06:34:44 CLIENT -> SERVER: EHLO wisewarrior.co.uk
2015-06-12 06:34:44 SERVER -> CLIENT: 250-mail-out2.one.com 250-PIPELINING 250-SIZE 104857600 250-ETRN 250-ENHANCEDSTATUSCODES 250-8BITMIME 250 DSN
2015-06-12 06:34:44 CLIENT -> SERVER: MAIL FROM:<XXXXXXXXXXXXXXXXXXXX>
2015-06-12 06:34:44 SERVER -> CLIENT: 250 2.1.0 Ok
2015-06-12 06:34:44 CLIENT -> SERVER: RCPT TO:<XXXXXXXXXXXXXXXXXXXX>
2015-06-12 06:34:44 SERVER -> CLIENT: 250 2.1.5 Ok
2015-06-12 06:34:44 CLIENT -> SERVER: DATA
2015-06-12 06:34:44 SERVER -> CLIENT: 354 End data with <CR><LF>.<CR><LF>
2015-06-12 06:34:44 CLIENT -> SERVER: Date: Fri, 12 Jun 2015 06:34:44 +0000
2015-06-12 06:34:44 CLIENT -> SERVER: To: User <XXXXXXXXXXXXXXXXXXXXXX>
2015-06-12 06:34:44 CLIENT -> SERVER: From: Me <XXXXXXXXXXXXXXXXXXXXXXX>
2015-06-12 06:34:44 CLIENT -> SERVER: Subject: Here is the subject
2015-06-12 06:34:44 CLIENT -> SERVER: Message-ID: <bb519cc9520b2b4bd0d0532190b929bc@wisewarrior.co.uk>
2015-06-12 06:34:44 CLIENT -> SERVER: X-Priority: 3
2015-06-12 06:34:44 CLIENT -> SERVER: X-Mailer: PHPMailer 5.2.10 (https://github.com/PHPMailer/PHPMailer/)
2015-06-12 06:34:44 CLIENT -> SERVER: MIME-Version: 1.0
2015-06-12 06:34:44 CLIENT -> SERVER: Content-Type: multipart/alternative;
2015-06-12 06:34:44 CLIENT -> SERVER: boundary="b1_bb519cc9520b2b4bd0d0532190b929bc"
2015-06-12 06:34:44 CLIENT -> SERVER: Content-Transfer-Encoding: 8bit
2015-06-12 06:34:44 CLIENT -> SERVER:
2015-06-12 06:34:44 CLIENT -> SERVER: This is a multi-part message in MIME format.
2015-06-12 06:34:44 CLIENT -> SERVER:
2015-06-12 06:34:44 CLIENT -> SERVER: --b1_bb519cc9520b2b4bd0d0532190b929bc
2015-06-12 06:34:44 CLIENT -> SERVER: Content-Type: text/plain; charset=us-ascii
2015-06-12 06:34:44 CLIENT -> SERVER:
2015-06-12 06:34:44 CLIENT -> SERVER: This is the body in plain text for non-HTML mail clients
2015-06-12 06:34:44 CLIENT -> SERVER:
2015-06-12 06:34:44 CLIENT -> SERVER:
2015-06-12 06:34:44 CLIENT -> SERVER: --b1_bb519cc9520b2b4bd0d0532190b929bc
2015-06-12 06:34:44 CLIENT -> SERVER: Content-Type: text/html; charset=us-ascii
2015-06-12 06:34:44 CLIENT -> SERVER:
2015-06-12 06:34:44 CLIENT -> SERVER: http://www.somesite.co.uk/login.html?&key=a9f1e5cf855cffc3ab1807f62dee3ebd
2015-06-12 06:34:44 CLIENT -> SERVER:
2015-06-12 06:34:44 CLIENT -> SERVER:
2015-06-12 06:34:44 CLIENT -> SERVER:
2015-06-12 06:34:44 CLIENT -> SERVER: --b1_bb519cc9520b2b4bd0d0532190b929bc--
2015-06-12 06:34:44 CLIENT -> SERVER:
2015-06-12 06:34:44 CLIENT -> SERVER: .
2015-06-12 06:34:44 SERVER -> CLIENT: 250 2.0.0 Ok: queued as 547EA1452C
2015-06-12 06:34:44 CLIENT -> SERVER: QUIT
2015-06-12 06:34:44 SERVER -> CLIENT: 221 2.0.0 Bye
```

The only thing that should really be seen is whether the message was sent or not... "Message has been sent". In PHPMailer config, make sure:

```php
$config['smtp_debug'] = 0;
```

Edited June 12, 2015 by CroNiX
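As an added illustration of the point made in the reply above (this is example code, not code from the thread or from the PHPMailer project), the snippet below shows one way to make sure the SMTP transcript can never land in the HTTP response: the debug level is derived from the deployment environment, and even when it is enabled, PHPMailer's `Debugoutput` property sends it to the server error log instead of echoing it into the page. The `APP_ENV` and `SMTP_PASSWORD` environment variable names are assumptions; the host, addresses and link are the placeholders already used in the thread.

```php
<?php
// Added example (not the thread's code): keep PHPMailer's SMTP transcript out of the page.
// Assumes PHPMailer 5.2.x (as in the thread), PHP 7+, and two environment variables
// whose names are assumptions: APP_ENV ('dev' or anything else) and SMTP_PASSWORD.
require 'PHPMailer-master/PHPMailerAutoload.php';

$isDev = (getenv('APP_ENV') === 'dev');

$mail = new PHPMailer;
$mail->isSMTP();
$mail->Host     = 'mail.smtp.com';              // placeholder host from the thread
$mail->Port     = 25;
$mail->SMTPAuth = true;
$mail->Username = 'xyz.abc@any.com';
$mail->Password = getenv('SMTP_PASSWORD');      // read from the environment, not hard-coded

// Production: level 0, so nothing about the SMTP session is emitted at all.
// Development: level 2 (client and server lines), but routed to the error log,
// never echoed into the response the browser receives.
$mail->SMTPDebug   = $isDev ? 2 : 0;
$mail->Debugoutput = 'error_log';

$mail->From     = 'xyz.abc@any.com';
$mail->FromName = 'tim';
$mail->addAddress('any.one@gmail.com', 'User');
$mail->isHTML(true);

// The activation value exists only in this variable and in the outgoing mail.
$activation = bin2hex(random_bytes(16));        // CSPRNG instead of md5(uniqid(rand(), true))
$link       = 'http://www.something.com/login.php?key=' . urlencode($activation);

$mail->Subject = 'Here is the subject';
$mail->Body    = '<a href="' . htmlspecialchars($link, ENT_QUOTES, 'UTF-8') . '">Activate your account</a>';
$mail->AltBody = "Activate your account:\n\n" . $link;   // same link for plain-text clients

if (!$mail->send()) {
    // Keep the mailer's error detail in the log; the user only needs to know it failed.
    error_log('PHPMailer error: ' . $mail->ErrorInfo);
    echo 'Message could not be sent.';
} else {
    echo 'Message has been sent';
}
```

The two things worth checking after a change like this are that the page's view-source contains only the "Message has been sent" line, and that the error log (not the browser) receives the `CLIENT -> SERVER` lines when `APP_ENV=dev`.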
tjdww Posted June 12, 2015 (Author)

Ha ha!!! Yep, that was it. I had debugging set to 2 (for some reason I changed it to 0 when I posted the code!). Works like a charm now. Many thanks guys. Rookie error I guess! It sucks being a newbie... OK, onward and upward. Can anyone recommend a good hash algorithm? I was gonna go with SHA-256 as I'd heard MD5 and SHA-1 might have been cracked.
fastsol Posted June 12, 2015

Depends on what reason you are hashing. SHA is not really secure enough anymore either. If it's just regular info you are hashing, I would suggest using hash() with the whirlpool algorithm. If it's for a password, then if you have PHP 5.5 or higher you should use password_hash() in PHP. You can even use something similar to that with older PHP versions by utilizing a library that someone made on GitHub (not sure who, google it).
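To make the two answers above concrete (the original question about bypassing the email step, and the hashing question that follows), here is an added example that is not code from the thread: the activation value is generated with the CSPRNG rather than `md5(uniqid(rand(), true))`, only its SHA-256 hash is stored so a leaked table row is not a usable link, the link is single-use and expires, and passwords go through `password_hash()` / `password_verify()` exactly as fastsol recommends. It assumes PHP 7+ (`random_bytes`, scalar type hints) and uses an in-memory SQLite database via PDO as a stand-in for the real one; the one-hour lifetime, table layout and the `activate.php` path under the thread's placeholder host are all assumptions.

```php
<?php
// Added example (not the thread's code): email-activation tokens and password storage.
// Assumes PHP 7+; an in-memory SQLite database (assumed schema) stands in for the real one.

const TOKEN_TTL_SECONDS = 3600; // assumed policy: activation links expire after one hour

function openDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (
        email         TEXT PRIMARY KEY,
        password_hash TEXT NOT NULL,
        activated     INTEGER NOT NULL DEFAULT 0,
        token_hash    TEXT,
        token_expires INTEGER
    )');
    return $db;
}

// Register a user: store only password_hash() output, never the password, and issue
// an activation token of which the database keeps only the hash.
function registerUser(PDO $db, string $email, string $password): string {
    $token = bin2hex(random_bytes(32));             // 256 bits from the CSPRNG, not md5(uniqid())
    $stmt  = $db->prepare('INSERT INTO users (email, password_hash, token_hash, token_expires)
                           VALUES (?, ?, ?, ?)');
    $stmt->execute([
        $email,
        password_hash($password, PASSWORD_DEFAULT),  // salted, slow hash chosen by PHP
        hash('sha256', $token),                      // a leaked row does not yield a working link
        time() + TOKEN_TTL_SECONDS,
    ]);
    return $token;  // the raw token goes into the email link only, never into the page output
}

function activationLink(string $token): string {
    // Placeholder host from the thread; the path and HTTPS scheme are assumptions.
    return 'https://www.something.com/activate.php?key=' . urlencode($token);
}

// Consume a token from the link. Succeeds only for a well-formed, unexpired, unused token.
function activateAccount(PDO $db, string $token): bool {
    if (!preg_match('/^[0-9a-f]{64}$/', $token)) {   // reject anything that is not a 64-hex token
        return false;
    }
    $tokenHash = hash('sha256', $token);
    $stmt = $db->prepare('SELECT email, token_hash, token_expires FROM users
                          WHERE token_hash = ? AND activated = 0');
    $stmt->execute([$tokenHash]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row || !hash_equals($row['token_hash'], $tokenHash)) {
        return false;
    }
    if ((int)$row['token_expires'] < time()) {
        return false;                                // expired: the user must request a new link
    }
    // Single use: clearing the token and flipping the flag happen in one statement.
    $upd = $db->prepare('UPDATE users SET activated = 1, token_hash = NULL, token_expires = NULL
                         WHERE email = ? AND activated = 0');
    $upd->execute([$row['email']]);
    return $upd->rowCount() === 1;
}

// Login check: password_verify() performs the salted, constant-time comparison,
// and an account that has not completed activation cannot log in.
function checkLogin(PDO $db, string $email, string $password): bool {
    $stmt = $db->prepare('SELECT password_hash, activated FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false
        && (int)$row['activated'] === 1
        && password_verify($password, $row['password_hash']);
}

// Walk-through with constructed values (the address is the thread's placeholder).
$db    = openDb();
$token = registerUser($db, 'any.one@gmail.com', 'correct horse battery staple');
echo activationLink($token), PHP_EOL;            // belongs in the email body, nowhere else
var_dump(checkLogin($db, 'any.one@gmail.com', 'correct horse battery staple'));  // before activation
var_dump(activateAccount($db, 'deadbeef'));       // malformed token
var_dump(activateAccount($db, $token));           // the link from the email
var_dump(activateAccount($db, $token));           // the same link a second time
var_dump(checkLogin($db, 'any.one@gmail.com', 'correct horse battery staple'));  // after activation
```

The design choice that answers the opening question is that the raw token appears in exactly one place outside the mail: the return value of `registerUser()`, which the registration page hands to the mailer and never echoes. On PHP 5.5 or 5.6, `random_bytes()` is not available; the `paragonie/random_compat` polyfill provides it, and `ircmaxell/password_compat` provides `password_hash()` for PHP 5.3 and 5.4, which is the kind of library fastsol refers to.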