Landslyde, posted October 19, 2015

As usual, I'm in over my head. I'm generating a key to be used in a confirmation email. For testing, I have:

    <?php
    $email = 'email@email.com';
    echo $key = sha1($email.'my_super_duper_secret_sauce_here'.microtime());
    $url = 'https://www.mysite.com/?'.$key;
    echo $url;
    $key2 = var_dump(parse_url($url, PHP_URL_QUERY ));
    echo $key2;
    if($key == $key2) {
        echo "=";
    } else {
        echo "!=";
    }
    ?>

which produces:

    3d6d7dddc7cc9b3571078e8032f69c5ee4ef1256
    https://www.mysite.com/?3d6d7dddc7cc9b3571078e8032f69c5ee4ef1256
    string(40) "3d6d7dddc7cc9b3571078e8032f69c5ee4ef1256"
    !=

How do I get rid of string(40) and the beginning and trailing quotation marks so that all I have left for $key2 will equal the $key? I've tried substr(), trim(), and rtrim(). And while one of those (or some combination) may be what I need, I don't know how to use them to get rid of the unwanted chars from using var_dump(parse_url($url, PHP_URL_QUERY )). Any help on this is appreciated. Thanks.
benanamen, posted October 19, 2015 (marked as solution; edited October 19, 2015 by benanamen)

You don't use var_dump as part of your code. That is for debugging. Per the manual: var_dump — Dumps information about a variable.

    $email = 'email@email.com';
    echo $key = sha1($email.'my_super_duper_secret_sauce_here'.microtime());
    // YOU HAVE TO DO THIS IN THE BROWSER. You also need to save the key to a DB.
    // The key constantly changes so you can't compare what is generated directly. It will NEVER match.
    // https://www.mysite.com?k=0281cdeb4fa63c4ca087e8052b0c1685fc0a51e6
    if ($key_from_db==$_GET['k']){
        echo 'Match';
    } else {
        echo 'No Match';
    }
Jacques1, posted October 19, 2015 (edited October 19, 2015 by Jacques1)

You also need to get rid of this weird self-made random number generator. It's both overcomplicated and insecure. Use an actual pseudo-random number generator like openssl_random_pseudo_bytes() or mcrypt_create_iv():

    // using the OpenSSL extension
    $token = bin2hex(openssl_random_pseudo_bytes(16));
    echo $token;

    // using the Mcrypt extension
    $token = bin2hex(mcrypt_create_iv(16, MCRYPT_DEV_URANDOM));
    echo $token;
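The two replies above describe the complete flow: generate the token with a real CSPRNG, save it server-side, send it in the link, and compare the stored value against $_GET['k']. The following is an added example, not code from the thread or from either poster; it assumes a PDO connection $pdo, a table email_confirmations(email, token_hash, expires_at), and a confirm.php endpoint, none of which appear in the thread.

```php
<?php
// Added example (not from the thread). Assumes $pdo is a PDO connection and
// an assumed table email_confirmations(email, token_hash, expires_at).

function generate_confirmation_token() {
    // openssl_random_pseudo_bytes() reports via $strong whether the bytes
    // came from a cryptographically strong source; refuse to issue a token
    // otherwise rather than silently fall back to something weaker.
    $strong = false;
    $bytes = openssl_random_pseudo_bytes(16, $strong);
    if ($bytes === false || !$strong) {
        throw new RuntimeException('no cryptographically strong RNG available');
    }
    return bin2hex($bytes);   // 32 hex chars, URL-safe as is
}

function store_confirmation(PDO $pdo, $email, $token) {
    // Store only a hash of the token: a leaked table row cannot then be
    // turned back into a working confirmation link.
    $stmt = $pdo->prepare(
        'INSERT INTO email_confirmations (email, token_hash, expires_at)
         VALUES (?, ?, ?)');
    $stmt->execute(array($email, hash('sha256', $token),
                         date('Y-m-d H:i:s', time() + 24 * 3600)));
}

function confirmation_url($token) {
    // The raw token goes to the user by email; the key name k matches the
    // reply above.
    return 'https://www.mysite.com/confirm.php?k=' . rawurlencode($token);
}

function verify_confirmation(PDO $pdo, $k) {
    // Reject anything that is not shaped like a token we issued before
    // touching the database (wrong type, wrong length, non-hex characters).
    if (!is_string($k) || !preg_match('/^[0-9a-f]{32}$/', $k)) {
        return false;
    }
    $stmt = $pdo->prepare(
        'SELECT email, token_hash FROM email_confirmations
         WHERE token_hash = ? AND expires_at > NOW()');
    $stmt->execute(array(hash('sha256', $k)));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row) {
        return false;
    }
    // hash_equals() (PHP 5.6+) compares in constant time, unlike ==
    return hash_equals($row['token_hash'], hash('sha256', $k)) ? $row['email'] : false;
}

// Usage in confirm.php (assumed): $email = verify_confirmation($pdo, isset($_GET['k']) ? $_GET['k'] : '');
```

On PHP 7 and later, random_bytes(16) is the simpler replacement for the openssl call and throws on its own when no strong source is available.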
benanamen, posted October 19, 2015

The mcrypt link is actually http://php.net/manual/en/function.mcrypt-create-iv.php
Landslyde (author), posted October 19, 2015 (edited October 19, 2015 by Landslyde)

benanamen: Thank you for pointing that out about the intended use of var_dump, and the excerpt of how to GET the key from the URL. I appreciate that. I plan on using a table to store this once it's generated. I was only testing to see how it was all working, and even my testing was being done the wrong way. I see that now from your provided example. When I put it in production, it'll be done the right way.

Jacques1: I actually got that "weird, self-made random number generator" idea from SO. Most Google searches pull up their site and put it front and center for clicking. So when I see an idea from there, a way of doing things, I tend to not ask a lot of questions regarding its validity. But I thank you for pointing out to me that there's a better, more appropriate way. I'll study the mcrypt suggestion.

I appreciate both of you guys giving me good feedback and pointing me in the right direction. It's true that I tend to stumble along in the dark at times.
Jacques1, posted October 19, 2015

> Jacques1: I actually got that "weird, self-made random number generator" idea from SO. Most Google searches pull up their site and put it front and center for clicking. So when I see an idea from there, a way of doing things, I tend to not ask a lot of questions regarding its validity.

Just because it's popular doesn't mean it's right. Sure, Stack Overflow is one of the better resources, because the users are relatively knowledgeable, and the voting system tends to favor good replies. But there's still a lot of garbage code and bad advice, so you never know what you get. In my experience, it makes more sense to learn from a few experts than to hope for the wisdom of the crowd. A very good site for security-related topics is the Survive The Deep End online book from Pádraic Brady. Of course you can and should still look for other opinions, but this is a much more solid starting point than some idea somebody posted on Stack Overflow.
benanamen, posted October 19, 2015

@Jacques1, "Survive The Deep End" is a great read.
Landslyde (author), posted October 19, 2015 (edited October 19, 2015 by Landslyde)

> Just because it's popular doesn't mean it's right. Sure, Stack Overflow is one of the better resources, because the users are relatively knowledgeable, and the voting system tends to favor good replies. But there's still a lot of garbage code and bad advice, so you never know what you get. In my experience, it makes more sense to learn from a few experts than to hope for the wisdom of the crowd. A very good site for security-related topics is the Survive The Deep End online book from Pádraic Brady. Of course you can and should still look for other opinions, but this is a much more solid starting point than some idea somebody posted on Stack Overflow.

I couldn't agree more, sir. Learning to do all of this the right way is hard to do when, like you say, there are so many opinions and myriad bad advice out there, opinions and advice that seem worthy to the unskilled eye. Thanks for your input. I appreciate it a lot. And I'll definitely be looking into Survive the Deep End.