
I need some way to generate a unique token that can be passed to a MySQL database and stored there until it's manually reset. So it needs to be a random token that is displayed to a user and stays valid, but there also needs to be some function that can reset it, like a "reset key" link that automatically updates and changes it and then displays the new token.

I was trying out this code, but it refreshes each time the page reloads:

global $wpdb;
global $user_login;
$token = uniqid();           // derived from the current time in microseconds, not random
$hashedtoken = md5($token);  // hashing it does not add any randomness
$user = $user_login;

// runs on every page load, so a new row is inserted each time the page is viewed
$wpdb->insert('wp_tokens',
    array('user' => $user, 'token' => $hashedtoken),
    array('%s', '%s')
);
echo $hashedtoken;

It might be obvious that I am using WordPress, if that matters. I'm not even sure PHP is the best option here.

Edit: My question was flagged as being similar to this, and some cool people have notified me that I need to query the database to check if the token exists for the user. However, I have no clue how to do this. Thanks.

Sky Davis
    Instead of always setting it, you need to check if a token already exists for that specific user first by querying the database. – jeroen Mar 10 '15 at 11:45
  • Oh I see, that seems quite obvious now. So I can do that with a simple if -> then logic? Also, I can share the MySQL code I used to create the table if that matters. – Sky Davis Mar 10 '15 at 12:06
  • possible duplicate of [How to create a random string using PHP?](http://stackoverflow.com/questions/853813/how-to-create-a-random-string-using-php) – Marcus Adams Mar 10 '15 at 12:29
  • Since you have MySQL at your disposal and you need some sort of unique string, why don't you use MySQL's `UUID()` function? – N.B. Mar 10 '15 at 13:21

3 Answers


Here's what PHP says about using uniqid() for generating "random" strings:

Warning This function does not create random nor unpredictable strings. This function must not be used for security purposes. Use a cryptographically secure random function/generator and cryptographically secure hash functions to create unpredictable secure IDs.

A hash of a non-random string still isn't random.

Here's a link to two popular questions about generating a random string in PHP:

How to create a random string using PHP?

PHP random string generator

Marcus Adams

First you should at least use SHA (http://php.net/manual/de/function.sha1.php). No matter what you do with a token, script kiddies these days love to scan the web for pages that still use the md5 string length.

A fast hack would be to check if the token already exists in your database.

TSchiffler
  • Thanks, I did some googling and found this function: $result = $mysqli->query("SELECT token from wp_tokens where user = $user") But I am unsure how to match that in my case. And then it would still need to either generate a new token or print the existing token. Any ideas how to achieve this? – Sky Davis Mar 10 '15 at 13:18
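Putting the two answers above together (a token that actually comes from a cryptographic random source, and a "query first, insert only if missing" check), here is an added example written for this edit; it is not code from the question or from any of the answers. It assumes WordPress (`global $wpdb`), a table `{$wpdb->prefix}tokens` with a unique `user` column and a `token` column of at least 64 characters, and PHP 7 or newer for `random_bytes()` (on PHP 5 the `paragonie/random_compat` polyfill provides the same function). The function names `make_token`, `get_or_create_token`, `reset_token` and `token_matches` are hypothetical names chosen for this example.

```php
<?php
/*
 * Added example (not part of the original question or answers).
 * Assumptions: WordPress $wpdb, a table {$wpdb->prefix}tokens with
 * columns `user` (varchar, unique) and `token` (char(64)), and PHP 7+
 * for random_bytes(); on PHP 5 use the paragonie/random_compat polyfill.
 */

// 256 bits from the CSPRNG, rendered as 64 hex characters. No uniqid() and
// no md5()/sha1(): the unpredictability comes from random_bytes() itself.
function make_token() {
    return bin2hex(random_bytes(32));
}

// Look the token up first; only insert a new one when the user has none.
// This is the check the comments on the question ask for.
function get_or_create_token($user_login) {
    global $wpdb;
    $table = $wpdb->prefix . 'tokens';

    $existing = $wpdb->get_var($wpdb->prepare(
        "SELECT token FROM {$table} WHERE user = %s",
        $user_login
    ));
    if ($existing !== null) {
        return $existing;
    }

    $token = make_token();
    $wpdb->insert(
        $table,
        array('user' => $user_login, 'token' => $token),
        array('%s', '%s')
    );
    return $token;
}

// The "reset key" action: overwrite the stored token with a fresh one.
function reset_token($user_login) {
    global $wpdb;
    $table = $wpdb->prefix . 'tokens';

    $token = make_token();
    $wpdb->update(
        $table,
        array('token' => $token),        // data
        array('user' => $user_login),    // where
        array('%s'),                     // data format
        array('%s')                      // where format
    );
    return $token;
}

// Compare a token presented by a client with the stored one in constant time,
// so the comparison does not leak how many leading characters matched.
function token_matches($user_login, $supplied) {
    global $wpdb;
    $table = $wpdb->prefix . 'tokens';

    $stored = $wpdb->get_var($wpdb->prepare(
        "SELECT token FROM {$table} WHERE user = %s",
        $user_login
    ));
    return $stored !== null && hash_equals($stored, (string) $supplied);
}

// Usage in a template or plugin. The reset link should be built with
// wp_nonce_url() so that a third party cannot reset someone's token by
// tricking their browser into loading the URL.
$user_login = wp_get_current_user()->user_login;
if (isset($_GET['reset_token']) && check_admin_referer('reset_token')) {
    $token = reset_token($user_login);
} else {
    $token = get_or_create_token($user_login);
}
echo esc_html($token);
```

Because the page has to show the same token again on later visits, it is stored as-is. If the token were instead a credential that is shown once and then only ever presented back by the client (an API key, a password-reset link), the right pattern is to store `hash('sha256', $token)` and compare the hash of what the client sends; hashing the stored copy does nothing here because the value itself must be recoverable. Either way, `$wpdb->prepare()` keeps the user name out of the SQL text, which the `"... where user = $user"` string in the comment above does not.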
md5(uniqid($your_user_login, true))
j08691