blocks|key|1340089|text|就我个人而言，我只是使用了以下几种东西的组合：|type|unstyled|depth|inlineStyleRanges|entityRanges|data|1340090|$generatedKey+=+sha1(mt_rand(10000,99999).time().$email);|code-block|syntax|javascript|1340091|冲突的可能性很小，但我建议在发送之前先检查数据库(使用唯一约束是一种简单的方法)。|1340092|entityMap^0|0|0|0^^$0|@$1|2|3|4|5|6|7|K|8|@]|9|@]|A|$]]|$1|B|3|C|5|D|7|L|8|@]|9|@]|A|$E|F]]|$1|G|3|H|5|6|7|M|8|@]|9|@]|A|$]]|$1|I|3|-4|5|6|7|N|8|@]|9|@]|A|$]]]|J|$]]

Personally, just I use a combination of things like:

<pre><code>$generatedKey = sha1(mt_rand(10000,99999).time().$email);
</code></pre>

The chance of collision is small, but I recommend checking your database first before sending it out (using UNIQUE constraints is an easy way).

blocks|key|1555727|text|$guid=md5(uniqid(mt_rand(),+true));|type|code-block|depth|inlineStyleRanges|entityRanges|data|syntax|javascript|1555728|unstyled|entityMap^0|0^^$0|@$1|2|3|4|5|6|7|G|8|@]|9|@]|A|$B|C]]|$1|D|3|-4|5|E|7|H|8|@]|9|@]|A|$]]]|F|$]]

<pre><code>$guid=md5(uniqid(mt_rand(), true));
</code></pre>

blocks|key|1340154|text|这应该可以做到这一点，但是您可以通过添加一些盐来改进它，例如：|type|unstyled|depth|inlineStyleRanges|entityRanges|data|1340155|$key+=+sha1($email+.+'doYouLikeSauce');|code-block|syntax|javascript|1340156|另一种方法是生成一个随机密码并通过电子邮件发送。|1340157|entityMap^0|0|0|0^^$0|@$1|2|3|4|5|6|7|K|8|@]|9|@]|A|$]]|$1|B|3|C|5|D|7|L|8|@]|9|@]|A|$E|F]]|$1|G|3|H|5|6|7|M|8|@]|9|@]|A|$]]|$1|I|3|-4|5|6|7|N|8|@]|9|@]|A|$]]]|J|$]]

That should do it, however you can improve it by adding some salt, example:

<pre><code>$key = sha1($email . 'doYouLikeSauce');
</code></pre>

Other approach is just to generate a random password and send it via email.

blocks|key|1555783|text|如果您将激活字符串存储在数据库中，并在以后检查它，则根本不需要散列！|type|unstyled|depth|inlineStyleRanges|entityRanges|data|1555784|您只需要一个长的、随机的字符串。你可以随心所欲地生成它，只要让它变长即可。事实上，理想情况下，它应该与电子邮件或用户名没有任何关系。|1555785|entityMap^0|0|0^^$0|@$1|2|3|4|5|6|7|F|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|G|8|@]|9|@]|A|$]]|$1|D|3|-4|5|6|7|H|8|@]|9|@]|A|$]]]|E|$]]

If you're storing the activation string in the database and checking it later, you don't need a hash at all!

You just need a long, random string. You can generate it however you want, just make it long. In fact, it should ideally have nothing at all do do with the email or username.

blocks|key|1555851|text|你基本上有几个选择：|type|unstyled|depth|inlineStyleRanges|entityRanges|data|1555852|1)创建一个看似随机的唯一标识符，并将其存储在数据库中与其对应的用户名|1555853|2)生成随机密码，并在链接中包含用户id和密码，并将密码存储在数据库中|1555854|3)使用单向散列函数(md5、sah1等)和秘密标识符对用户标识符进行加密。您不必将加密的用户标识符存储在数据库中。|1555855|选择1比较困难，因为您必须检查数据库以查看键是否已经存在。但是，URL不包含被激活的用户名是一件很好的事情。|1555856|如果将来您已经打算使用某种数据库来存储用户信息(可能至少需要一个密码)，那么可以使用选项2。向数据库中添加另一列并不需要花费太多时间。发送电子邮件时，保存用户名和类似$key+=+sha1(rand(1,99999)+)的内容。$username)在包含用户名的行的另一列中。然后让你的链接看起来像这样：http://you.com/activation.php?user=$username&key=$key。在activation.php中，您可以检查键是否等于数据库中存储的值。|offset|length|1555857|如果你想在你的数据库中使用更少的存储空间，选择3是可行的。您可以使用类似$key+=+sha1($mysecret+.$username)作为秘密标识符。使用一些只有你自己知道的奇怪东西，比如‘aaafj_my_+$mysecret+_adfaf’。使用与选项2相同类型的URL。但是，因为您只能基于$username生成$key，所以不需要存储它。因此，当您在activation.php中进行处理时，只需检查sha1($mysecret。$_GETusername)+==+$_GETkey。如果是这样的话，您就知道您找到了正确的用户。从理论上讲，有了足够的注册，有人可以计算出你的$mysecret值，并生成激活密钥。然而，你肯定会注意到，在他们开始计算它是什么之前，它需要数十亿甚至更多的注册。所需的激活次数基于散列函数的密钥大小。使用sha1+(160位)与md5+(128位)来使您的$mysecret值更难猜测。|1555858|entityMap|0|LINK|mutability|MUTABLE|url|http://you.com/activation.php?user=^0|0|0|0|0|0|48|Z|0|0|0^^$0|@$1|2|3|4|5|6|7|X|8|@]|9|@]|A|$]]|$1|B|3|C|5|6|7|Y|8|@]|9|@]|A|$]]|$1|D|3|E|5|6|7|Z|8|@]|9|@]|A|$]]|$1|F|3|G|5|6|7|10|8|@]|9|@]|A|$]]|$1|H|3|I|5|6|7|11|8|@]|9|@]|A|$]]|$1|J|3|K|5|6|7|12|8|@]|9|@$L|13|M|14|1|15]]|A|$]]|$1|N|3|O|5|6|7|16|8|@]|9|@]|A|$]]|$1|P|3|-4|5|6|7|17|8|@]|9|@]|A|$]]]|Q|$R|$5|S|T|U|A|$V|W]]]]

You basically have a few options: 

1) Create a single unique identifier that is seemingly random and store it in your database with which username it corresponds to

2) Generate a random password and include the user id and password in the link and store the password in the database

3) Use a one way hashing function (md5, sah1, etc) and a secret identifier to encrypt the user identifier. You don't have to store the encrypted user identifier in your database.

Option 1 is difficult because you have to worry about checking the database to see if the key already exists. However, it is nice that the URL does not contain the username being activated.

If you are already going to use some sort of database to store the user information (probably a password at minimum) in the future, you could go with option 2. It doesn't take a lot to add another column to your database. When sending the email, save the username and something like $key = sha1(rand(1, 99999) . $username) in another column for the row that contains the username. Then have your link look like this: <a href="http://you.com/activation.php?user=" rel="noreferrer">http://you.com/activation.php?user=</a>$username&amp;key=$key. In activation.php you check to see if the key is equal to the value stored in the database.

If you want to use less storage space in your database, option 3 will work. You can use something like $key = sha1($mysecret . $username) as the secret identifier. Use something odd that only you know as $mysecret such as 'aaafj_my_secret_adfaf'. Use the same type of URL as in option 2. However, because you can generate $key based only on $username, you don't need to store it. So when you are processing in activation.php, just check to see if sha1($mysecret . $_GET[username]) == $_GET[key]. If it does, you know you have the correct user. Theoretically, with enough registrations, someone could figure out your value for $mysecret and generate the activation keys too. However, you would surely notice the billions or more of registrations that it would take before they could begin to calculate what it is. The number of activations required is based on the key size of the hashing function. Use sha1 (160 bit) vs md5 (128 bit) to make it harder to guess your $mysecret value.

blocks|key|1555862|text|$code+=+md5($_POST['username']+.+microtime());+|type|code-block|depth|inlineStyleRanges|entityRanges|data|syntax|javascript|1555863|unstyled|entityMap^0|0^^$0|@$1|2|3|4|5|6|7|G|8|@]|9|@]|A|$B|C]]|$1|D|3|-4|5|E|7|H|8|@]|9|@]|A|$]]]|F|$]]

<pre><code>$code = md5($_POST['username'] . microtime()); 
</code></pre>

After user subscribe email to my website. My website will generate an email confirmation and send to them. In the email content, i need to include activation key, something like:

www.domain.com/activate.php?key=$generatedKey

How do you generate the key? using sha1($email)??

After generate the key, i store it in database, so that when user click the link I can verified it with the database?? I am new to it, please advise.. I need an Email Confirmation script..

How to generate a secure activation string in php?

用户订阅电子邮件后，我的网站。我的网站将生成一个电子邮件确认，并发送给他们。在电子邮件内容中，我需要包含激活密钥，如下所示：www.domain.com/activate.php?key=$generatedKey密钥是如何生成的？使用sha1($email)?？生成密钥后，我将其存储在数据库中，这样当用户单击链接时，...

问如何在php中生成安全的激活字符串？
EN

社区

活动

资源

关于

腾讯云开发者

热门产品

热门推荐

更多推荐

问如何在php中生成安全的激活字符串？EN

社区

活动

资源

关于

腾讯云开发者

热门产品

热门推荐

更多推荐

问如何在php中生成安全的激活字符串？
EN