md5 hash for double opt-in: missing something?

hi all,

I have made a script to register contacts in a database with the double
opt-in system.

Anyway, when looking for some examples, I found the following
script, which appends an md5 hash to the confirm URL sent by
email to the registering user.
I tried it but with no results. Don't you think it is missing something?
How could it work without storing the hash code for the user in a
To confirm a registration I think the script should look at whether the access
key matches the one it already knows, shouldn't it?

Anyway, I have no problem inserting the hash code into the database;
it's just that I want to know if I am right to believe the following script
was wrong.



here's the code

<?php
/* Simple email validation by TDavid at
If you use this code then please do not remove this header */
// (the author's URL in the header above and the base URL of the confirm link below were lost in the post)

$from = $_REQUEST['e_addy'];

// is the $from email address in valid format?
// note: eregi() was deprecated in PHP 5.3 and removed in PHP 7.0
if(eregi("([[:alnum:]\.\-]+)(\@[[:alnum:]\.\-]+\.+)", $from)) {

  // create the MD5 hash
  $secret_code = 'secret';
  $formatted_email = preg_replace("/(-|\@|\.)/", "", $from);
  $hashed = md5("$secret_code $formatted_email");

  // wait, are we verifying the email?
  if(isset($_REQUEST['m']) && $_REQUEST['m'] != "") {
    // this is validation routine
    // strict comparison: with "==" two strings like "0e123" and "0e456" compare equal as numbers
    if($hashed === $_REQUEST['m']) {
      print("Congrats, you have successfully validated your email address. This is just a test and your email address has <b>not</b> been"); // message cut off in the post
      // add the email to your double opt-in list here
    } else {
      print("Sorry, this email does not validate");
    }
  } else {
    // since we aren't validating then it is time to send out validation mail
    // only the query string of the confirm link survived in the post
    $mail_body = "To validate this email click the following link:\n =$from&m=$hashed";

    mail($from, "Validation Email", $mail_body, "From:\n");
    print("Please check your email <b>$from</b> for the test validation"); // message cut off in the post
  }
} else {
  print("Sorry, this email address: <b>$from</b> doesn't seem to be in the right format.");
}
?>

Re: md5 hash for double opt-in: missing something?

johnny wrote:

He doesn't need to store it in the database because the hash is just a
function of the email address and the "secret" which, in your code, is
hardcoded to "secret".  In other words, the md5 hash being passed in
the URL is, more or less, just the hash of the email address.  So if
they match, the script validates it.

Not all that strong, in my opinion.  When I do this sort of thing, I'll
generate a random hash (not based on the email address or any other
value) then store it in the database.  You can come up with a
reasonably random (hard to guess) hash like this:

$myHash = md5(uniqid(rand(), true));

That could then be stored in the database and compared to the hash
passed in the URL.
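As an added example (not code from the thread or from TDavid's script), here are the two designs discussed above side by side: a stateless confirmation token derived from the email address, which is what johnny's script attempts, but built with HMAC and a real secret so it cannot be recomputed by anyone who reads the script, and the stored random token this reply recommends, with a CSPRNG in place of md5(uniqid(rand(), true)). The database is stood in for by an in-memory array, and SECRET_KEY is a placeholder.

```php
<?php
// Added example, not part of the thread. SECRET_KEY and the in-memory
// "pending signups" array are assumptions standing in for real config and a real table.

declare(strict_types=1);

// Placeholder: load from config or the environment in production, never a literal like "secret".
const SECRET_KEY = 'REPLACE-WITH-A-LONG-RANDOM-SECRET';

// --- Design 1: stateless token, nothing stored until the user confirms ---
// Same idea as md5("secret $email"), but with an HMAC over the address plus an
// expiry, so the token is bound to a key the attacker does not have and to a time window.
function statelessToken(string $email, int $expires): string {
    $email = strtolower(trim($email));
    $mac = hash_hmac('sha256', $email . '|' . $expires, SECRET_KEY);
    return $expires . '.' . $mac;
}

function verifyStatelessToken(string $email, string $token, int $now): bool {
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return false;
    }
    $expires = (int) $parts[0];
    if ($now > $expires) {
        return false; // link has expired
    }
    $expected = statelessToken($email, $expires);
    // hash_equals(): constant-time and strict; "==" would treat two "0e..." strings as equal numbers
    return hash_equals($expected, $token);
}

// --- Design 2: random token stored server-side (this reply's advice) ---
$pending = []; // stands in for a pending_signups table keyed by token hash

function createPendingSignup(array &$pending, string $email, int $now): string {
    $token = bin2hex(random_bytes(16)); // 128 bits from the OS CSPRNG, unrelated to the address
    // Store only a hash of the token: a leaked table then does not yield working confirm links.
    $pending[hash('sha256', $token)] = ['email' => $email, 'expires' => $now + 86400];
    return $token; // the plaintext token goes into the emailed link
}

function confirmPendingSignup(array &$pending, string $token, int $now): ?string {
    $key = hash('sha256', $token);
    if (!isset($pending[$key]) || $now > $pending[$key]['expires']) {
        return null; // unknown or expired token
    }
    $email = $pending[$key]['email'];
    unset($pending[$key]); // single use: the link cannot be replayed
    return $email;
}

// Usage
$now = time();
$t1 = statelessToken('user@example.com', $now + 3600);
var_dump(verifyStatelessToken('user@example.com', $t1, $now));        // right address, inside window
var_dump(verifyStatelessToken('other@example.com', $t1, $now));       // token bound to another address
var_dump(verifyStatelessToken('user@example.com', $t1, $now + 7200)); // checked after expiry

$t2 = createPendingSignup($pending, 'user@example.com', $now);
var_dump(confirmPendingSignup($pending, $t2, $now)); // first use
var_dump(confirmPendingSignup($pending, $t2, $now)); // second use of the same link
```

The stateless design needs no pending row, which is its appeal, but revoking a link early is then impossible short of rotating the key; the stored token costs a row per signup and gives you expiry, single use and per-link revocation for free, which is why it is the common choice.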

Re: md5 hash for double opt-in: missing something?


eregi will (because it's POSIX extended) not use the \ as escape but rather
treat them as a \ character. [:alnum:] will work though. \ in a POSIX
character class loses its significance (as I've recently learned). So strip
those out of the character classes. Should be
if(eregi("([[:alnum:].-]+)(\@[[:alnum:].-]+\.+)", $from)) {

<?php if(eregi("[[:alnum:]]","z")) echo 1; else echo 0; ?>
<?php if(eregi("[\.\-]+","\\")) echo 1; else echo 0; ?>
maybe they were looking for preg_match instead.
<?php print preg_match("/[\.]/","\\") . "\n" . preg_match("/[.]/","z"); ?>
<?php print preg_match("/[\.]/","."); ?>

I dunno - looks like the validation thing might work. Might need an <a
href=""></a> in the link and send the mail as html email though.
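To make the eregi versus preg_match point concrete on a PHP that still runs (ereg/eregi were removed in PHP 7.0), here is an added example that is not from the thread: the script's POSIX pattern carried over to preg_match, anchored and tightened rather than translated one-for-one, next to PHP's built-in filter_var() email check, which is what a practitioner would normally use before handing an address to mail(). The sample addresses are constructed for the demo.

```php
<?php
// Added example, not part of the thread. Shows the POSIX-to-PCRE class difference
// the reply describes and compares the regex with filter_var(). Inputs are constructed.

declare(strict_types=1);

// In a POSIX bracket expression "\" is literal, so "[[:alnum:]\.\-]" in the original
// also accepted a backslash. In PCRE the dot needs no escape inside a class and "\-"
// is an escaped hyphen, so the class below means exactly letters, digits, "." and "-".
// [[:alnum:]] and [[:alpha:]] are valid POSIX classes inside PCRE brackets; /i gives
// eregi's case-insensitivity. Anchoring with ^ and $ is the main change: the original
// was unanchored, so any string containing an address-like fragment passed.
const LOOSE_EMAIL_PATTERN = '/^[[:alnum:].\-]+@[[:alnum:].\-]+\.[[:alpha:]]{2,}$/i';

function looseEmailCheck(string $addr): bool {
    return preg_match(LOOSE_EMAIL_PATTERN, $addr) === 1;
}

function strictEmailCheck(string $addr): bool {
    return filter_var($addr, FILTER_VALIDATE_EMAIL) !== false;
}

// Constructed inputs. The fourth one matters for the script in the first post, which
// passes the unvalidated address straight to mail(): an unanchored pattern would accept it.
$samples = [
    'user@example.com',
    'USER@EXAMPLE.COM',
    'a\\b@example.com',             // backslash: accepted by the POSIX-class original
    "user@example.com\nBcc: x@y.z", // embedded newline, rejected once the pattern is anchored
    'user@localhost',               // no dot in the domain part
    'not an email',
];

foreach ($samples as $s) {
    printf("%-34s loose=%-3s strict=%s\n",
        json_encode($s),
        looseEmailCheck($s) ? 'yes' : 'no',
        strictEmailCheck($s) ? 'yes' : 'no');
}
```

Run it from the command line with php and compare the two columns; the regex is kept only to show the translation, and filter_var() is the check to rely on, since it implements the address syntax rules rather than an approximation of them.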
