-2

I need to create a random key to store in MySQL. If I use:

<?php echo md5(rand(10000,99999)); ?> 

Where can I store it?

<?php
require 'config.inc.php';

foreach($_POST as $k=>$v) 
{
    $_POST[$k] = trim($v);
}

if(!isset($_POST['produgg_username']) or !isset($_POST['produgg_password']) or !isset($_POST['produgg_email']))
{
    print "Please use all fields";
}elseif(empty($_POST['produgg_username'])){
    print "Please choose a username";
}elseif(empty($_POST['produgg_password'])){
    print "Please choose a password";
}elseif(empty($_POST['produgg_email'])){
    print "Please enter an email address";
}elseif(!filter_var($_POST['produgg_email'], FILTER_VALIDATE_EMAIL)) {    
    print "Please enter a valid email address";
}elseif(!preg_match("/^[a-z0-9]+$/i", $_POST['produgg_username'])) {
    print "Please use only characters and numbers for username";
}elseif($usersClass->checkUserExists($_POST['produgg_username'])) {
    print "Username Taken, please choose another";
}else{
    if($usersClass->register($_POST['produgg_username'], md5($_POST['produgg_password']), $_POST['produgg_email']))
    {
        print "success";
        $toemail = $_POST['produgg_email'];
        $touser = $_POST['produgg_username'];
        // Send activation email
        $to = $toemail;
        $subject = "Activation";
        $headers = "From: [email protected]";
        $body = "Howdy $touser!

        To activate your please click on the following link - http://www..co.uk/activateuser.php?email=$toemail";

        mail($to, $subject, $body, $headers);

    }else{
        print "Something weird happened and we couldn't setup the account!";
    }
}

?>
Comments

  • In your code you are not storing anything, are you? Commented Jun 24, 2011 at 8:44
  • Show us the function register() of the class of the object $userClass? Also, md5(rand(10000,99999)); will generate a random id, but it won't guarantee uniqueness. If you need it to be unique, you need to add another variable to it, maybe time(). Commented Jun 24, 2011 at 8:50

2 Answers

3

First, it seems that you are using plain md5() to store user passwords... DO NOT DO THAT, IT IS A SECURITY RISK. You are putting your users and yourself at risk. Use key strengthening with a stronger hash algorithm or bcrypt. See this answer for more information.


It seems that you are actually trying to generate a nonce for email activation.

If anything, a Universally Unique IDentifier (UUID) will do the job. It has a very low chance of collision and allows for 3 × 10^38 unique values (once a value is used, you can reuse it for another user anyway for your use case).

You can use this function I wrote to generate UUIDs in PHP. What you want for your needs is a v4 UUID.

function UUIDv4() {
  $bytes = str_split(crypto_random_bytes(16));

  // Set UUID Version Number
  $bytes[6] = $bytes[6] & "\x0f" | "\x40";

  // Set UUID DCE1.1 variant
  $bytes[8] = $bytes[8] & "\x3f" | "\x80";

  $uuid = bin2hex(implode($bytes));

  return sprintf('%08s-%04s-%04s-%04s-%12s',
    // 32 bits for "time_low"
    substr($uuid, 0, 8),

    // 16 bits for "time_mid"
    substr($uuid, 8, 4),

    // 16 bits for "time_hi_and_version",
    // four most significant bits holds version number 4
    substr($uuid, 12, 4),

    // 16 bits, 8 bits for "clk_seq_hi_res",
    // 8 bits for "clk_seq_low",
    // two most significant bits holds zero and one for variant DCE1.1
    substr($uuid, 16, 4),

    // 48 bits for "node"
    substr($uuid, 20, 12)
  ); 
}

function crypto_random_bytes($count) {
  static $randomState = null;

  $bytes = '';

  if(function_exists('openssl_random_pseudo_bytes') &&
      (strtoupper(substr(PHP_OS, 0, 3)) !== 'WIN')) { // OpenSSL slow on Win
    $bytes = openssl_random_pseudo_bytes($count);
  }

  if($bytes === '' && is_readable('/dev/urandom') &&
     ($hRand = @fopen('/dev/urandom', 'rb')) !== FALSE) {
    $bytes = fread($hRand, $count);
    fclose($hRand);
  }

  if(strlen($bytes) < $count) {
    $bytes = '';

    if($randomState === null) {
      $randomState = microtime();
      if(function_exists('getmypid')) {
        $randomState .= getmypid();
      }
    }

    for($i = 0; $i < $count; $i += 16) {
      $randomState = md5(microtime() . $randomState);

      if (PHP_VERSION >= '5') {
        $bytes .= md5($randomState, true);
      } else {
        $bytes .= pack('H*', md5($randomState));
      }
    }

    $bytes = substr($bytes, 0, $count);
  }

  return $bytes;
}

7 Comments

+1 but there is a problem with your class: it's using mt_rand(). You'd more ideally want a cryptographically secure random source such as openssl_random_pseudo_bytes() if available, /dev/urandom, or COM.
@Denis: UUIDs don't need to be cryptographically secure. You are generating a nonce, not a private/public key used to keep something secure. mt_rand() provides sufficient entropy for our needs here.
@Andrew-Moore I disagree - if the UUID is not cryptographically secure, and someone knows your algorithm, and has at least one UUID they can guess future UUIDs. A nonce needs to be unguessable.
@Ariel: Then I shall refer you to RFC 4122 which clearly states that UUIDs are not meant to be secure.
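The question asks where the activation key should live, and the comments above argue over whether it must be unguessable. The following is an added example, not code from the question or from either answer: it keeps the token in the user's own MySQL row, stores only a hash of it together with an expiry, and generates it with PHP 7's random_bytes() instead of the answer's crypto_random_bytes() helper, so the "guess the next token" concern from the comments does not arise. It also uses password_hash() where the question used md5(). The users table layout, the function names and the in-memory SQLite database used to make it run offline are assumptions made for this example; a MySQL deployment would use the same queries against a table created with AUTO_INCREMENT and CHAR(64) for the hash column.

```php
<?php
// Added example (not the question's or answers' code). Assumed schema: a users
// table with username, password_hash, email, activation_hash, activation_expires
// and activated. The demo at the bottom runs against in-memory SQLite via PDO.
declare(strict_types=1);

const TOKEN_BYTES = 32;        // 256 bits of randomness from the CSPRNG
const TOKEN_TTL   = 24 * 3600; // activation link valid for one day

/** Unguessable activation token, 64 hex characters (random_bytes() is PHP 7+). */
function newActivationToken(): string
{
    return bin2hex(random_bytes(TOKEN_BYTES));
}

/** The database only ever holds a hash of the token; a table dump yields no usable links. */
function tokenStorageHash(string $token): string
{
    return hash('sha256', $token);
}

/** Insert the user with a pending activation; returns the raw token to put in the email. */
function registerUser(PDO $pdo, string $username, string $password, string $email): string
{
    $token = newActivationToken();
    $stmt  = $pdo->prepare(
        'INSERT INTO users (username, password_hash, email, activation_hash, activation_expires, activated)
         VALUES (:u, :p, :e, :h, :x, 0)'
    );
    $stmt->execute([
        ':u' => $username,
        ':p' => password_hash($password, PASSWORD_DEFAULT), // instead of plain md5()
        ':e' => $email,
        ':h' => tokenStorageHash($token),
        ':x' => time() + TOKEN_TTL,
    ]);
    return $token;
}

/** The link carries only the token; the row is found by its hash, so the email is not needed. */
function activationLink(string $baseUrl, string $token): string
{
    return $baseUrl . '/activateuser.php?token=' . urlencode($token);
}

/** Activate the matching account; false for malformed, unknown, expired or already-used tokens. */
function activateUser(PDO $pdo, string $token): bool
{
    if (!preg_match('/^[0-9a-f]{64}$/', $token)) {
        return false; // malformed input never reaches the database
    }
    $hash = tokenStorageHash($token);
    $stmt = $pdo->prepare(
        'SELECT id, activation_hash, activation_expires FROM users
         WHERE activation_hash = :h AND activated = 0'
    );
    $stmt->execute([':h' => $hash]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || (int) $row['activation_expires'] < time()) {
        return false;
    }
    if (!hash_equals($row['activation_hash'], $hash)) {
        return false; // constant-time comparison, in case the lookup is ever loosened
    }
    // Single use: clear the hash so the same link cannot activate the account twice.
    $upd = $pdo->prepare('UPDATE users SET activated = 1, activation_hash = NULL WHERE id = :id');
    $upd->execute([':id' => $row['id']]);
    return true;
}

// --- Self-contained demo (constructed data) on in-memory SQLite ---------------
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    username TEXT NOT NULL UNIQUE,
    password_hash TEXT NOT NULL,
    email TEXT NOT NULL,
    activation_hash TEXT,
    activation_expires INTEGER,
    activated INTEGER NOT NULL DEFAULT 0
)');

$token = registerUser($pdo, 'alice', 'correct horse battery staple', 'alice@example.com');
echo "Mail this link: " . activationLink('https://www.example.co.uk', $token) . "\n";

echo "malformed token: " . (activateUser($pdo, 'deadbeef') ? "activated\n" : "rejected\n");
echo "first use:       " . (activateUser($pdo, $token)    ? "activated\n" : "rejected\n");
echo "second use:      " . (activateUser($pdo, $token)    ? "activated\n" : "rejected\n");
```

Run it with `php activation_demo.php` on PHP 7.0 or later with the pdo_sqlite extension enabled. The design choice worth noting is that the token is never stored in clear: the row is located by hash, the hash is wiped on first use, and the expiry column lets a cleanup job purge accounts whose links were never clicked. An expiry check and single use are what turn a random value into an actual nonce, whatever generator produced it.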
0

Use the uniqid() function instead of doing it with the md5. Make sure to set more_entropy to true.

i.e.

uniqid('prefix', true);

Change 'prefix' to something appropriate for your application.
