Jump to content
Landslyde

var_dump(parse_url($url, PHP_URL_QUERY )) issue

Recommended Posts

As usual, I'm in over my head. 

 

I'm generating a key to be used in an confirmation email. For testing, I have:

<?php 

  $email = 'email@email.com';
  echo $key = sha1($email.'my_super_duper_secret_sauce_here'.microtime()); 

  $url = 'https://www.mysite.com/?'.$key;
  echo $url; 	

  $key2 = var_dump(parse_url($url, PHP_URL_QUERY ));
  echo $key2;
	
  if($key == $key2) {
    echo "=";
  } else {
    echo "!=";
  }

?>

which produces:

3d6d7dddc7cc9b3571078e8032f69c5ee4ef1256	

https://www.mysite.com/?3d6d7dddc7cc9b3571078e8032f69c5ee4ef1256 

string(40) "3d6d7dddc7cc9b3571078e8032f69c5ee4ef1256" 

!=

How do I get rid of

string(40)  and the beginning and tailing quotation marks

so that all I have left for $key2 will equal the $key?  I've tried substr(), trim(), and rtrim(). And while one of those (or some combination) may be what I need, I don't know how to use them to get rid of the unwanted chars from using

var_dump(parse_url($url, PHP_URL_QUERY ))

Any help on this is appreciated. Thanks.

Share this post


Link to post
Share on other sites

You dont use var_dump as part of your code. That is for debugging.

 

 

 

Per the manual:

var_dump — Dumps information about a variable

 

 

 

  $email = 'email@email.com';
  echo $key = sha1($email.'my_super_duper_secret_sauce_here'.microtime()); 
 
// YOU HAVE TO DO THIS IN THE BROWSER. You also need to save the key to a DB. The key constantly changes so you cant compare what is generated directly. It will NEVER match.
//https://www.mysite.com?k=0281cdeb4fa63c4ca087e8052b0c1685fc0a51e6
 
if ($key_from_db==$_GET['k']){
echo 'Match';
}
else
{
echo 'No Match';
}
Edited by benanamen

Share this post


Link to post
Share on other sites

You also need to get rid of this weird self-made random number generator. It's both overcomplicated and insecure. Use an actual pseudo-random number generator like openssl_random_pseudo_bytes() or mcrypt_create_iv():

// using the OpenSSL extension
$token = bin2hex(openssl_random_pseudo_bytes(16));
echo $token;

// using the Mcrypt extension
$token = bin2hex(mcrypt_create_iv(16, MCRYPT_DEV_URANDOM));
echo $token;
Edited by Jacques1
  • Like 1

Share this post


Link to post
Share on other sites

benanamen:  Thank you for pointing that out abt the intended use of var_dump, and the excerpt of how to GET the key from the URL.  I appreciate that. I plan on using a table to store this once it's generated.  I was only testing to see how it was all working, and even my testing was being done the wrong way.  I see that now from your provided example.  When I put it in production, it'll be done the right way.  

 

Jacques1:  I actually got that "weird, self-made random number generator" idea from SO.  Most Google searches pull up their site and put it front and center for clicking. So when I see an idea from there, a way of doing things, I tend to not ask a lot of questions regarding its validity.  But I thank you for pointing out to me that there's a better, more appropriate way.  I'll study the mcrypt suggestion.

 

I appreciate both of you guys giving me good feedback and pointing me in the right direction.  It's true that I tend to stumble along in the dark at times :)

Edited by Landslyde

Share this post


Link to post
Share on other sites

Jacques1:  I actually got that "weird, self-made random number generator" idea from SO.  Most Google searches pull up their site and put it front and center for clicking. So when I see an idea from there, a way of doing things, I tend to not ask a lot of questions regarding its validity.

 

Just because it's popular doesn't mean it's right. ;)

 

Sure, Stack Overflow is one of the better resources, because the users are relatively knowledgeable, and the voting system tends to favor good replies. But there's still a lot of garbage code and bad advice, so you never know what you get.

 

In my experience, it makes more sense to learn from a few experts than to hope for the wisdom of the crowd. A very good site for security-related topics is the Survive The Deep End online book from Pádraic Brady. Of course you can and should still look for other opinions, but this is a much more solid starting point than some idea somebody posted on Stack Overflow.

Share this post


Link to post
Share on other sites

Just because it's popular doesn't mean it's right. ;)

 

Sure, Stack Overflow is one of the better resources, because the users are relatively knowledgeable, and the voting system tends to favor good replies. But there's still a lot of garbage code and bad advice, so you never know what you get.

 

In my experience, it makes more sense to learn from a few experts than to hope for the wisdom of the crowd. A very good site for security-related topics is the Survive The Deep End online book from Pádraic Brady. Of course you can and should still look for other opinions, but this is a much more solid starting point than some idea somebody posted on Stack Overflow.

I cldn't agree more, sir. Learning to do all of this the right way is hard to do when, like you say, there are so many opinions and myriad bad advice out there, opinions and advice that seem worthy to the unskilled eye. Thanks for your input. I appreciate it a lot. And i'll definitely be looking in to Survive the Deep End.

Edited by Landslyde

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.