how to generate a random session variable in php

Report · Oct 18, 2009

i want to generate a random session variable and insert the variable in a mysql record to use later to validate an account set up.

person fills out form to create account and submits; inserts form information in mysql record.

i want the random variable to be inserted from a hidden field and the page sends an email with a link to click on to compare the variable to validate the user.

Not sure how to generate a random session variable and get that to the hidden field value to be inserted with the other form information.

thanks for your help,

Jim Balthrop

Report · Oct 18, 2009

To insert the key I would personally do something like...

$key = md5($username . $password . $salt);

Insert that into your MySQL database, then send them a email with it, my next code shows how to activate it.

This is to activate the account.

<?php 
$key;
$errors = array();
if(isset($_GET['key']){
     $key = $_GET['key'];
     $sql = 'SELECT * FROM users WHERE key = \'' . $key '\' LIMIT 1';
     $result = mysql_query($sql) or die(mysql_error());
     if(mysql_num_rows($result)){
          $sql2 = 'UPDATE users SET active = 1 WHERE key = \'' . $key '\' LIMIT 1';
          $result2 = mysql_query($sql2) or die(mysql_error());
          if($result2){
               //successfully activated account
          }
          else{
               //Something Went Wrong!
          }
     }
     else{
          $errors[] = 'Invaild Key, Please try again!';
     }
}
else{
     $errors[] = 'Invaild Key, Please try again!';
}
?>

Report · Oct 19, 2009

thanks for your help.

you pointed me in the right direction

Report · Oct 18, 2009

Your method has holes. If the random variable is in a hidden form field then anyone (including bots) can simply get the variable and activate the account automatically without having a valid email address.