
Hi all, I am trying to write a user membership script but have hit a brick wall.

I have a registration form, I can validate it, I can enter the valid details into a DB and I can send a hashed code via email with a link to a login page. All OK, a bit rough because I am brand spanking new at this!!!

My problem is this... When I enter a new user and validate, it's all fine, but once I get my echo message telling the new user 'they have mail' (to complete their registration), if I click 'view source' I can clearly see the link plus the full hashed code! Am I reading this wrong, or can I just cut and paste that link into my browser and then log in, bypassing the email verification altogether? That is to say, I can use someone else's email instead of my own??? As I wouldn't have to go to the email to complete the registration. Have I got this right? And if so, how can I make this process more secure? I have not yet found any different strategies in forums or tutorials. Many thanks in advance.

Yes, you certainly don't want the hash displayed, since then they can bypass the email step. But the real question is, why is the hash being displayed in the first place, even if it's only in the source code? It's virtually impossible to help you without your code.

Thanks for the reply. I'm using PHPMailer to send the email. It asks for an HTML message, stored in a variable like $message. My hash variable is $hash. When I clicked view source I was expecting to see variables, but instead I saw the variable values, i.e. I saw the actual hash. Is there something I am supposed to do to the variables to mask their values on a view source render???

The only way you would be able to see a PHP variable value is if it is being echoed/printed to the browser. View source, just like what you see in the browser normally, will ONLY show what you tell it to. It CAN'T display PHP code/values unless you tell it to. Like I said before, we can't help you without your code.

<?php
require 'PHPMailer-master/PHPMailerAutoload.php';
print "OK HERE WE GO<br><br>";
$activation = md5(uniqid(rand(), true));
$mail = new PHPMailer;

$mail->SMTPDebug = 0;                               // Enable verbose debug output

$mail->isSMTP();                                      // Set mailer to use SMTP
$mail->Host = 'mail.smtp.com';  // Specify main and backup SMTP servers
//$mail->SMTPAuth = true;                               // Enable SMTP authentication
$mail->Username = '[email protected]';                 // SMTP username
$mail->Password = 'password';                           // SMTP password
//$mail->SMTPSecure = 'tls';                            // Enable TLS encryption, `ssl` also accepted
$mail->Port = 25;                                    // TCP port to connect to

$mail->From = '[email protected]';
$mail->FromName = 'tim';
$mail->addAddress('[email protected]', 'User');     // Add a recipient

$mail->isHTML(true);                                  // Set email format to HTML
$message ="http://www.something.com/login.php?&key=$activation";
$mail->Subject = 'Here is the subject';
$mail->Body    = " $message";
$mail->AltBody = 'This is the body in plain text for non-HTML mail clients';
print "code is: $activation";
if(!$mail->send()) {
    echo 'Message could not be sent.';
    echo 'Mailer Error: ' . $mail->ErrorInfo;
} else {
    echo 'Message has been sent';
}


?>

Well I can only assume that this line is there for debugging.

print "code is: $activation";

That is the only line in your code that displays anything with the activation code, and that should be displayed to the screen, not just in the view source. You're going to have to give us more detailed info than you have. How about posting your view source and highlighting where the hash is being shown. Please make sure to use the proper code posting buttons to post your code. It's the blue <> button.

Not to do with your problem, but are you saving that in the database somewhere before sending the email off?


I'd change

$mail->AltBody = 'This is the body in plain text for non-HTML mail clients';
print "code is: $activation";


to

$mail->AltBody = "This is the body in plain text for non-HTML mail clients\n\n" . $message;

and just send your original message, which is just a link. Even in text, most email clients will convert a link starting with "http" to a clickable link.


<html>
<head>
<title>Mail Tester</title>
</head>

<body>

OK HERE WE GO<br><br>code is: a9f1e5cf855cffc3ab1807f62dee3ebd2015-06-12 06:34:44 SERVER -> CLIENT: 220 mail-out2.one.com ESMTP Postfix
2015-06-12 06:34:44 CLIENT -> SERVER: EHLO wisewarrior.co.uk
2015-06-12 06:34:44 SERVER -> CLIENT: 250-mail-out2.one.com
250-PIPELINING
250-SIZE 104857600
250-ETRN
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN
2015-06-12 06:34:44 CLIENT -> SERVER: MAIL FROM:<XXXXXXXXXXXXXXXXXXXX>
2015-06-12 06:34:44 SERVER -> CLIENT: 250 2.1.0 Ok
2015-06-12 06:34:44 CLIENT -> SERVER: RCPT TO:<XXXXXXXXXXXXXXXXXXXX>
2015-06-12 06:34:44 SERVER -> CLIENT: 250 2.1.5 Ok
2015-06-12 06:34:44 CLIENT -> SERVER: DATA
2015-06-12 06:34:44 SERVER -> CLIENT: 354 End data with <CR><LF>.<CR><LF>
2015-06-12 06:34:44 CLIENT -> SERVER: Date: Fri, 12 Jun 2015 06:34:44 +0000
2015-06-12 06:34:44 CLIENT -> SERVER: To: User <XXXXXXXXXXXXXXXXXXXXXX>
2015-06-12 06:34:44 CLIENT -> SERVER: From: Me <XXXXXXXXXXXXXXXXXXXXXXX>
2015-06-12 06:34:44 CLIENT -> SERVER: Subject: Here is the subject
2015-06-12 06:34:44 CLIENT -> SERVER: Message-ID: <[email protected]>
2015-06-12 06:34:44 CLIENT -> SERVER: X-Priority: 3
2015-06-12 06:34:44 CLIENT -> SERVER: X-Mailer: PHPMailer 5.2.10 (https://github.com/PHPMailer/PHPMailer/)
2015-06-12 06:34:44 CLIENT -> SERVER: MIME-Version: 1.0
2015-06-12 06:34:44 CLIENT -> SERVER: Content-Type: multipart/alternative;
2015-06-12 06:34:44 CLIENT -> SERVER: boundary="b1_bb519cc9520b2b4bd0d0532190b929bc"
2015-06-12 06:34:44 CLIENT -> SERVER: Content-Transfer-Encoding: 8bit
2015-06-12 06:34:44 CLIENT -> SERVER:
2015-06-12 06:34:44 CLIENT -> SERVER: This is a multi-part message in MIME format.
2015-06-12 06:34:44 CLIENT -> SERVER:
2015-06-12 06:34:44 CLIENT -> SERVER: --b1_bb519cc9520b2b4bd0d0532190b929bc
2015-06-12 06:34:44 CLIENT -> SERVER: Content-Type: text/plain; charset=us-ascii
2015-06-12 06:34:44 CLIENT -> SERVER:
2015-06-12 06:34:44 CLIENT -> SERVER: This is the body in plain text for non-HTML mail clients
2015-06-12 06:34:44 CLIENT -> SERVER:
2015-06-12 06:34:44 CLIENT -> SERVER:
2015-06-12 06:34:44 CLIENT -> SERVER: --b1_bb519cc9520b2b4bd0d0532190b929bc
2015-06-12 06:34:44 CLIENT -> SERVER: Content-Type: text/html; charset=us-ascii
2015-06-12 06:34:44 CLIENT -> SERVER:
2015-06-12 06:34:44 CLIENT -> SERVER: http://www.somesite.co.uk/login.html?&key=a9f1e5cf855cffc3ab1807f62dee3ebd
2015-06-12 06:34:44 CLIENT -> SERVER:
2015-06-12 06:34:44 CLIENT -> SERVER:
2015-06-12 06:34:44 CLIENT -> SERVER:
2015-06-12 06:34:44 CLIENT -> SERVER: --b1_bb519cc9520b2b4bd0d0532190b929bc--
2015-06-12 06:34:44 CLIENT -> SERVER:
2015-06-12 06:34:44 CLIENT -> SERVER: .
2015-06-12 06:34:44 SERVER -> CLIENT: 250 2.0.0 Ok: queued as 547EA1452C
2015-06-12 06:34:44 CLIENT -> SERVER: QUIT
2015-06-12 06:34:44 SERVER -> CLIENT: 221 2.0.0 Bye
Message has been sent
</body>
</html>



Try this...

<?php
require 'PHPMailer-master/PHPMailerAutoload.php';
print "OK HERE WE GO<br><br>";
$activation = md5(uniqid(rand(), true));

$mail = new PHPMailer;
$mail->SMTPDebug = 0; // Enable verbose debug output
$mail->isSMTP(); // Set mailer to use SMTP
$mail->Host = 'mail.smtp.com'; // Specify main and backup SMTP servers
//$mail->SMTPAuth = true; // Enable SMTP authentication
$mail->Username = '[email protected]'; // SMTP username
$mail->Password = 'password'; // SMTP password
//$mail->SMTPSecure = 'tls'; // Enable TLS encryption, `ssl` also accepted
$mail->Port = 25; // TCP port to connect to

$mail->From = '[email protected]';
$mail->FromName = 'tim';
$mail->addAddress('[email protected]', 'User'); // Add a recipient

$mail->isHTML(true); // Set email format to HTML
$message ="http://www.something...y=$activation";
$mail->Subject = 'Here is the subject';
$mail->Body = " $message";
$mail->AltBody = 'This is the body in plain text for non-HTML mail clients';
//print "code is: $activation";
if(!$mail->send()) {
echo 'Message could not be sent.';
echo 'Mailer Error: ' . $mail->ErrorInfo;
} else {
echo 'Message has been sent';
}


?>

Hi devWhizz. Omitting the print command has removed the printout of the message at the top of the source code, but the full URL with the variable value is still evident at the same point in the source as before. Thanks for the info though, any other ideas?

It looks like you have debugging turned on in PHPMailer. None of this should be seen in your "view source" or webpage at all, except for testing...

OK HERE WE GO<br><br>code is: a9f1e5cf855cffc3ab1807f62dee3ebd2015-06-12 06:34:44    SERVER -> CLIENT: 220 mail-out2.one.com ESMTP Postfix
2015-06-12 06:34:44    CLIENT -> SERVER: EHLO wisewarrior.co.uk
2015-06-12 06:34:44    SERVER -> CLIENT: 250-mail-out2.one.com
     250-PIPELINING
     250-SIZE 104857600
     250-ETRN
     250-ENHANCEDSTATUSCODES
     250-8BITMIME
     250 DSN
2015-06-12 06:34:44    CLIENT -> SERVER: MAIL FROM:<XXXXXXXXXXXXXXXXXXXX>
2015-06-12 06:34:44    SERVER -> CLIENT: 250 2.1.0 Ok
2015-06-12 06:34:44    CLIENT -> SERVER: RCPT TO:<XXXXXXXXXXXXXXXXXXXX>
2015-06-12 06:34:44    SERVER -> CLIENT: 250 2.1.5 Ok
2015-06-12 06:34:44    CLIENT -> SERVER: DATA
2015-06-12 06:34:44    SERVER -> CLIENT: 354 End data with <CR><LF>.<CR><LF>
2015-06-12 06:34:44    CLIENT -> SERVER: Date: Fri, 12 Jun 2015 06:34:44 +0000
2015-06-12 06:34:44    CLIENT -> SERVER: To: User <XXXXXXXXXXXXXXXXXXXXXX>
2015-06-12 06:34:44    CLIENT -> SERVER: From: Me <XXXXXXXXXXXXXXXXXXXXXXX>
2015-06-12 06:34:44    CLIENT -> SERVER: Subject: Here is the subject
2015-06-12 06:34:44    CLIENT -> SERVER: Message-ID: <[email protected]>
2015-06-12 06:34:44    CLIENT -> SERVER: X-Priority: 3
2015-06-12 06:34:44    CLIENT -> SERVER: X-Mailer: PHPMailer 5.2.10 (https://github.com/PHPMailer/PHPMailer/)
2015-06-12 06:34:44    CLIENT -> SERVER: MIME-Version: 1.0
2015-06-12 06:34:44    CLIENT -> SERVER: Content-Type: multipart/alternative;
2015-06-12 06:34:44    CLIENT -> SERVER:     boundary="b1_bb519cc9520b2b4bd0d0532190b929bc"
2015-06-12 06:34:44    CLIENT -> SERVER: Content-Transfer-Encoding: 8bit
2015-06-12 06:34:44    CLIENT -> SERVER:
2015-06-12 06:34:44    CLIENT -> SERVER: This is a multi-part message in MIME format.
2015-06-12 06:34:44    CLIENT -> SERVER:
2015-06-12 06:34:44    CLIENT -> SERVER: --b1_bb519cc9520b2b4bd0d0532190b929bc
2015-06-12 06:34:44    CLIENT -> SERVER: Content-Type: text/plain; charset=us-ascii
2015-06-12 06:34:44    CLIENT -> SERVER:
2015-06-12 06:34:44    CLIENT -> SERVER: This is the body in plain text for non-HTML mail clients
2015-06-12 06:34:44    CLIENT -> SERVER:
2015-06-12 06:34:44    CLIENT -> SERVER:
2015-06-12 06:34:44    CLIENT -> SERVER: --b1_bb519cc9520b2b4bd0d0532190b929bc
2015-06-12 06:34:44    CLIENT -> SERVER: Content-Type: text/html; charset=us-ascii
2015-06-12 06:34:44    CLIENT -> SERVER:
2015-06-12 06:34:44    CLIENT -> SERVER: http://www.somesite.co.uk/login.html?&key=a9f1e5cf855cffc3ab1807f62dee3ebd
2015-06-12 06:34:44    CLIENT -> SERVER:
2015-06-12 06:34:44    CLIENT -> SERVER:
2015-06-12 06:34:44    CLIENT -> SERVER:
2015-06-12 06:34:44    CLIENT -> SERVER: --b1_bb519cc9520b2b4bd0d0532190b929bc--
2015-06-12 06:34:44    CLIENT -> SERVER:
2015-06-12 06:34:44    CLIENT -> SERVER: .
2015-06-12 06:34:44    SERVER -> CLIENT: 250 2.0.0 Ok: queued as 547EA1452C
2015-06-12 06:34:44    CLIENT -> SERVER: QUIT
2015-06-12 06:34:44    SERVER -> CLIENT: 221 2.0.0 Bye

The only thing that should really be seen is whether the message was sent or not..."Message has been sent"


In PHPMailer config, make sure:

$mail->SMTPDebug = 0; // PHPMailer's own property (as in your script); 0 turns the SMTP transcript off

Edited by CroNiX
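To show what "debugging off in production" looks like end to end, here is an added example (not code from this thread or from PHPMailer itself) of the sending step written so that the SMTP transcript can never land in the HTTP response. It assumes PHPMailer 5.2.x as used in the thread, PHP 7+ for random_bytes(), and that SMTP_USER, SMTP_PASS and APP_ENV are environment variables you set; the addresses are constructed placeholders.

```php
<?php
// Added example: activation mail that keeps the SMTP transcript out of the page.
require 'PHPMailer-master/PHPMailerAutoload.php';

function sendActivationMail($toAddress, $link, $isDev)
{
    $mail = new PHPMailer;
    $mail->isSMTP();
    $mail->Host       = 'mail.smtp.com';       // placeholder host, as in the thread
    $mail->SMTPAuth   = true;                  // authenticate instead of relaying anonymously
    $mail->SMTPSecure = 'tls';                 // the token travels in this session, so encrypt it
    $mail->Port       = 587;                   // STARTTLS submission port (assumed; the thread used 25)
    $mail->Username   = getenv('SMTP_USER');   // credentials from the environment, not the script
    $mail->Password   = getenv('SMTP_PASS');

    // Level 0 in production. When a developer turns it up, the transcript goes to
    // the server log: PHPMailer's default Debugoutput is 'echo', which is exactly
    // how the key ended up in "view source" above. The log still contains the
    // link, so treat that log as sensitive too.
    $mail->SMTPDebug   = $isDev ? 2 : 0;
    $mail->Debugoutput = 'error_log';

    $mail->From     = 'noreply@example.com';   // constructed sender address
    $mail->FromName = 'Registration';
    $mail->addAddress($toAddress);
    $mail->isHTML(true);
    $mail->Subject = 'Confirm your registration';
    $safeLink      = htmlspecialchars($link, ENT_QUOTES, 'UTF-8');
    $mail->Body    = 'Click to activate your account: <a href="' . $safeLink . '">' . $safeLink . '</a>';
    $mail->AltBody = "Open this link to activate your account:\n\n" . $link;

    if (!$mail->send()) {
        error_log('Activation mail failed: ' . $mail->ErrorInfo); // detail to the log only
        return false;
    }
    return true;
}

// The page tells the user only whether the mail went out; the key never appears
// in the response, so "view source" has nothing to reveal.
$isDev      = getenv('APP_ENV') === 'dev';
$userEmail  = 'user@example.com';                          // constructed recipient
$activation = bin2hex(random_bytes(16));                   // OS CSPRNG, PHP 7+
$link       = 'http://www.something.com/activate.php?key=' . $activation;
echo sendActivationMail($userEmail, $link, $isDev)
    ? 'Check your inbox for the activation link.'
    : 'Could not send the activation email.';
```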

Ha ha!!! Yep, that was it. I had debugging set to 2 (for some reason I changed it to 0 when I posted the code!). Works like a charm now. Many thanks guys. Rookie error I guess! It sucks being a newbie...

OK, onward and upward. Can anyone recommend a good hash algorithm? I was going to go with SHA-256 as I'd heard MD5 and SHA-1 might have been cracked.

Depends on what reason you are hashing for. SHA is not really secure enough anymore either. If it's just regular info you are hashing, I would suggest using hash() with the whirlpool algorithm. If it's for a password, then if you have PHP 5.5 or higher you should use password_hash() in PHP. You can even use something similar to that with older PHP versions by utilizing a library that someone made on GitHub (not sure who, google it).
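Pulling the two pieces together (the "are you saving that in the database" question earlier and the password_hash() advice just above), here is an added example, not code from this thread, of the registration, activation and login steps. It assumes PHP 7+, a PDO handle $pdo, and an assumed table users(email, password_hash, activation_hash, activation_expires, active); the activation key arrives as $_GET['key'] from the emailed link.

```php
<?php
// Added example: store only a digest of the activation token, make the link
// single-use and time-limited, and keep passwords behind password_hash().

function registerUser(PDO $pdo, $email, $password)
{
    $token = bin2hex(random_bytes(32));             // 256 random bits from the OS CSPRNG; 64 hex chars
    $stmt  = $pdo->prepare(
        'INSERT INTO users (email, password_hash, activation_hash, activation_expires, active)
         VALUES (?, ?, ?, ?, 0)'
    );
    $stmt->execute([
        $email,
        password_hash($password, PASSWORD_DEFAULT), // salted bcrypt, deliberately slow
        hash('sha256', $token),                     // a leaked DB row cannot activate an account
        time() + 24 * 3600,                         // link expires after one day
    ]);
    return $token;                                  // the raw token goes into the e-mail link only
}

// Activation endpoint: one atomic UPDATE enforces "unused and not expired", so a
// replayed link finds no matching row. rowCount() reports whether it matched.
function activateUser(PDO $pdo, $key)
{
    if (!is_string($key) || strlen($key) !== 64 || !ctype_xdigit($key)) {
        return false;                               // malformed key, no DB round trip
    }
    $stmt = $pdo->prepare(
        'UPDATE users SET active = 1, activation_hash = NULL
         WHERE activation_hash = ? AND active = 0 AND activation_expires > ?'
    );
    $stmt->execute([hash('sha256', $key), time()]);
    return $stmt->rowCount() === 1;
}

// Login succeeds only for activated accounts; password_verify() checks the bcrypt hash.
function loginUser(PDO $pdo, $email, $password)
{
    $stmt = $pdo->prepare('SELECT password_hash, active FROM users WHERE email = ?');
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row !== false
        && (int) $row['active'] === 1
        && password_verify($password, $row['password_hash']);
}
```

Because the hash lookup is by digest, the database never holds anything that lets someone activate an account they did not receive the mail for, which is the bypass the first post was worried about.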
