antyrat
2010-01-12 15:59:14
A:
I don't know exactly how long your hash is, but not all services (browsers, servers etc) can handle URLs longer than 255 chars. You could look into php's Pack()
The Guy Of Doom
2010-01-12 16:08:44
A example Hash looks like this, is always under 160 Chars.http://testserver/confirmuser?key=c040049c01a93e8f7931e8c4b21db8f7:9d60a9aeb3c853e3f2e099cb16bddc7c:d5c9886cb31f789ae3cdffd55456fe26
Paul Weber
2010-01-12 16:10:11
+2
A:
You might want to use urlencode() for the url parameter.
It is also recommendable to check fgets() against false. Then, you could save the empty() function call by just comparing the response to an empty string, like:
$line = fgets($fp);
if ($line !== false && $line !== '') {
// ...
}
Generally, it is advisable to check everything against false first, if the function returns values of different types such as integer or boolean. This can be crucial because 0 and false mean in comparisons the same. Because of PHP's lack for type safety, it is strongly recommended to always check for type equality. There are even cases when the documentation recommends this explicitly, e.g. in the case of strpos(). Meanwhile, I've forced myself to use === over to ==, same for `!=' etc. It requires more typing but it is definitely worth the effort because you eliminate possible pitfalls.
The rest of your code looks good to me.
A:
What is the point of using a "super-long hash", if you are immediately shortening it to a 7-8 character tinyurl?
Nobody would bother with guessing the long hash, and would crack the tinyurl instead.
Use a 10-character hash yourself and be more secure than you are now.
Joel L
2010-04-03 12:37:36
Well ... how the Hash looks is not in my domain. I just have to send a working Email with the Hash included in it.The Intention of the Developer was to hide some Information in the Hash, so we can reconstruct wich user wanted to register etc ...There is also a component that is encrypted, so as long as nobody finds out the Key, our hashes are pretty secure.And i am not sure if i understand you correctly, but why should the Tinyurl be easier or harder to crack?
Paul Weber
2010-04-06 15:15:00
Regarding tinyurl being easier to hack – if they only have a 10-character, pattern-following key, then guessing the urls (and testing to see if they redirect to your domain) will be much easier than guessing a long hash. But given that the long urls themselves are not under your control – sorry for the confusion... :)
Joel L
2010-04-06 19:34:13