
More security for email confirmation process ... a 15-character random

"secret" key is stored in the user record on account creation, sent via
email and checked again during confirmation.
1 parent ceb7ea7 commit a789fb73f4eeeaa11819ee52fcb4c3175dfa8ce6 martin committed Sep 10, 2002
Showing with 25 additions and 5 deletions.
  1. +1 −1 lib/db/mysql.sql
  2. +2 −2 login/confirm.php
  3. +18 −1 login/signup.php
  4. +4 −1 version.php
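--- a/lib/db/mysql.sql
+++ b/lib/db/mysql.sql
@@ -167,7 +167,7 @@ CREATE TABLE `user` (
 `lastlogin` int(10) unsigned NOT NULL default '0',
 `currentlogin` int(10) unsigned NOT NULL default '0',
 `lastIP` varchar(15) default NULL,
-`personality` varchar(5) default NULL,
+`secret` varchar(15) default NULL,
 `picture` tinyint(1) default NULL,
 `url` varchar(255) default NULL,
 `description` text,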
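Review bot: `secret` is declared as `varchar(15) default NULL` with no index, yet `login/confirm.php` in this same commit looks users up by it; on a large user table that lookup is a full scan, and nothing in the schema prevents two rows from holding the same value. Add a key on the column in the table's key list, e.g. `KEY secret (secret)` (or a UNIQUE KEY if the generator's collision risk is judged acceptable), and mirror it in the upgrade step in version.php so existing installs get the same shape.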
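--- a/login/confirm.php
+++ b/login/confirm.php
@@ -2,9 +2,9 @@
 require("../config.php");
-if ( isset($x) && isset($s) ) { # x = user.id s = user.username
+if ( isset($p) && isset($s) ) { # p = user.secret s = user.username
-$user = get_user_info_from_db("id", "$x");
+$user = get_user_info_from_db("secret", "$p");
 if ($user) {
 if ($user->username == $s) {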
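Review bot: The lookup `get_user_info_from_db("secret", "$p")` now keys on a free-form string taken straight from the request (`$p`, apparently via register_globals, as `$x` was before) instead of the numeric id, so whether the helper quotes and escapes the value it is given matters more than it did — confirm that it does, or escape `$p` here before the call. The `secret` column is nullable and, for accounts created before this change, holds the old `personality` text or NULL, so the helper's behaviour when `$p` is empty or matches a NULL/stale value should be checked as well. Consider clearing `secret` once the account is confirmed so the emailed link is single-use; whether that already happens is not visible in this hunk. The surrounding `if` block continues past the end of the hunk.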
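--- a/login/signup.php
+++ b/login/signup.php
@@ -13,6 +13,9 @@
 $user->password = md5($user->password);
 $user->confirmed = 0;
 $user->firstaccess = time();
+$user->secret = random_string(15);
+echo $user->secret;
+$db->debug = true;
 if (! ($user->id = insert_record("user", $user)) ) {
 error("Could not add your record to the database!");
@@ -96,6 +99,20 @@ function validate_form($user, &$err) {
 }
+function random_string ($length=15) {
+$pool = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
+$pool .= "abcdefghijklmnopqrstuvwxyz";
+$pool .= "0123456789";
+$poollen = strlen($pool);
+mt_srand ((double) microtime() * 1000000);
+$string = "";
+for ($i = 0; $i < $length; $i++) {
+$string .= substr($pool, (mt_rand()%($poollen)), 1);
+}
+return $string;
+}
+
+
 function send_confirmation_email($user) {
 global $CFG;
@@ -105,7 +122,7 @@ function send_confirmation_email($user) {
 $data->firstname = $user->firstname;
 $data->sitename = $site->fullname;
-$data->link = "$CFG->wwwroot/login/confirm.php?x=$user->id&s=$user->username";
+$data->link = "$CFG->wwwroot/login/confirm.php?p=$user->secret&s=$user->username";
 $data->admin = "$from->firstname $from->lastname ($from->email)";
 $message = get_string("emailconfirmation", "", $data);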
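Review bot: The two lines added after `$user->secret = random_string(15);` in the first hunk, `echo $user->secret;` and `$db->debug = true;`, look like leftover debugging and should be removed before this ships: they print the freshly generated secret (and, with debug on, presumably the INSERT carrying it and the md5 password hash) into the signup response itself, so whoever submitted the form can complete the confirmation link without ever receiving the email, and the check no longer proves control of the mailbox. Separately, `random_string` in the second hunk reseeds with `mt_srand ((double) microtime() * 1000000);` on every call; the cast keeps only the fractional "msec" part of microtime()'s string, so the seed has at most about a million distinct values and a 15-character secret carries far less entropy than its length suggests — drop the per-call reseed and fill the string from an OS random source (e.g. /dev/urandom, or random_int() on later PHP) instead. `mt_rand()%($poollen)` also introduces a slight modulo bias, which is minor by comparison. The signup code around the first hunk starts outside the hunk.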
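--- a/version.php
+++ b/version.php
@@ -18,7 +18,7 @@
 // If there's something it cannot do itself, it
 // will tell you what you need to do.
-$version = 2002090900; // The current version is a date (YYYYMMDDXX) where
+$version = 2002091000; // The current version is a date (YYYYMMDDXX) where
 // XX is a number that increments during the day
 $release = "1.0.4"; // For humans only, not used for the upgrade process
@@ -71,6 +71,9 @@ function upgrade_moodle($oldversion=0) {
 execute_sql(" ALTER TABLE `course` ADD `teachers` VARCHAR( 100 ) DEFAULT 'Teachers' NOT NULL AFTER `teacher` ");
 execute_sql(" ALTER TABLE `course` ADD `students` VARCHAR( 100 ) DEFAULT 'Students' NOT NULL AFTER `student` ");
 }
+if ($oldversion < 2002091000) {
+execute_sql(" ALTER TABLE `user` CHANGE `personality` `secret` VARCHAR( 15 ) DEFAULT NULL ");
+}
 return true;
 }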
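Review bot: The new upgrade step `ALTER TABLE user CHANGE personality secret VARCHAR( 15 ) DEFAULT NULL` renames the column in place, so existing rows carry whatever `personality` text they had into `secret`, and accounts that were still unconfirmed before this version get no usable secret — the links already mailed to them used `x=id` and will no longer confirm. Follow the ALTER with a clean-up such as `execute_sql(" UPDATE user SET secret = NULL ")` (or regenerate a secret per unconfirmed row) and decide how those users are told to request a new confirmation link. The first hunk is only the version bump; upgrade_moodle itself begins outside the second hunk.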
