-2

Ok, now while I understand the chances of reproducing a verification code made up of some 50-100 random characters are slim to none, do any of you guys do anything to hedge against the off chance that two users are provided with the same random verification code? I.e. would you store these codes (tokens, whatever you want to call them) in a DB? Just wondering, logically, not even necessarily programmatically, how you guys go about this or, even in the most secure systems, if it is even necessary. Thanks.

Tom Burns
  • 55
  • 7

1 Answer

1

You have several options, depending on what PHP version you're using.

For PHP >= 7.1 (I believe) you have random_bytes, which returns a random series of bytes; you need to use bin2hex to get a readable series of characters.

For versions less than 7.x you can use openssl_random_pseudo_bytes. Notice the "pseudo" part. It's not truly random, but for your purposes it should be considered "random enough".

You can directly read from random or urandom if using a Linux distro.

Read here about the differences between the two.

Storing them in the database is perfectly fine.


Do note that functions like rand aren't truly random. See here.


As for the question itself:

You don't really need truly random tokens for email verification. Normally email verifications are associated with, well, an email and usually have an expiration period (1, 2, 3 hours, whatever you want it to be), you don't need them to be perfectly random, just random enough.

For your purposes even str_shuffle would be good enough.

Don't overcomplicate things whenever possible.

Andrei
  • 3,434
  • 5
  • 21
  • 44
  • Ah ok. Hadn't thought of making it with a time dependent expiration. I think that's my solution. And yeah I was going to use random bytes for it. Btw, any idea why people are downvoting this? I have no idea why but people on this site seem to downvote like crazy. – Tom Burns May 15 '18 at 14:38
  • Your question is a little too broad. And yes people tend to downvote like crazy, but believe it or not, there's a good reason for that. Imagine yourself googling something related to email tokens and coming across this question, it wouldn't be even remotely related. In the future try to be more specific with your question, try googling first, if that doesn't turn up anything feel free to add a question. Don't take the downvotes personally, it's how the site works. – Andrei May 15 '18 at 14:41
  • Well my thing about that is if you get downvoted enough, then you can't ask more questions. I have to wait like 24h between asks, which is insane imo. I could see if I was being disruptive or ridiculous, but I don't even think my questions are bad questions. Not particularly angry, just inconvenienced by the functionality of the site, which essentially suggests, as you say, that if you're not an SEO expert, or if you're not aware of how specific you need to be, or just if you're not aware of (but even willing to follow) some arbitrary stack-based rules -- you don't get to talk. – Tom Burns May 15 '18 at 14:54
  • But thank you very much for your answer. It really did help a lot. I appreciate it. – Tom Burns May 15 '18 at 14:55
  • Don't get discouraged. Read [this](https://stackoverflow.com/help/how-to-ask), it may seem silly at first but it helps in the long run. Proper formatting, a good, simple and well thought out question, even if not answered can net you a few upvotes. If nothing else you can answer questions yourself. That's how I got started anyway. Most people, especially in the PHP tag, ask silly questions, yours is not, but as I said, a little broad. If you spend more than 10 minutes in the "new" part of the PHP tag you'll see what I'm talking about – Andrei May 15 '18 at 14:56
  • Thanks man. Also I reframed the question so hopefully it gives the search engines a better idea of what we're talking about. – Tom Burns May 15 '18 at 14:58
  • And also to anyone reading this, especially downvoters, it really helps if you tell me what I'm doing wrong so I can better frame my questions to fit stack's format and hopefully get less downvotes. Thanks. – Tom Burns May 15 '18 at 14:59
  • Good start, good start. If you're ever bored, try answering questions yourself. God knows this site could use more people who answer questions, not to mention it's really good practice. Cheers. – Andrei May 15 '18 at 14:59
  • Yeah I think I will. I used to answer a lot of java q's a few years back (might have been on a diff acc...), but I'm more into the web based languages now. So I'm waiting to gain a little more expertise before I throw my hat in the ring. Hopefully by the time I'm done with my current project I'll really know my way around a lot better. But if it's HTML positioning, I swear to god I'll never understand that stuff. I just change from inline block to block to box sizing and just use whatever works XP – Tom Burns May 15 '18 at 15:04
  • Geez, man... "You have reached your question limit. Sorry, we are no longer accepting questions from this account. See the Help Center to learn more." – Tom Burns May 19 '18 at 18:59
  • See this is what I'm talking about. Haven't asked a question in days. They basically banned me for asking a question that wasn't good enough. This is beyond ridiculous. – Tom Burns May 19 '18 at 18:59
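
The approach the answer describes (random_bytes plus bin2hex, stored in the database, with an expiration period), as an added example that is not code from the question or the answer. The `email_tokens` table, the `issueToken` and `redeemToken` functions and the in-memory SQLite database are assumptions for illustration; storing a SHA-256 hash of the token rather than the token itself, and making the token single-use, go beyond what the answer states.

```php
<?php
// Added example: hypothetical table and function names; in-memory SQLite
// stands in for the application's real database.
declare(strict_types=1);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE email_tokens (
    token_hash TEXT PRIMARY KEY,
    email      TEXT NOT NULL,
    expires_at INTEGER NOT NULL
)');

function issueToken(PDO $db, string $email, int $ttl = 7200): string
{
    $token = bin2hex(random_bytes(32)); // 64 hex characters from the OS CSPRNG
    $stmt = $db->prepare(
        'INSERT INTO email_tokens (token_hash, email, expires_at) VALUES (?, ?, ?)'
    );
    // Only a hash is stored, so a leaked table does not hand out usable links.
    // The primary key is the hedge the question asks about: a duplicate token
    // makes this INSERT throw instead of silently giving two users one code.
    $stmt->execute([hash('sha256', $token), $email, time() + $ttl]);
    return $token; // goes into the emailed link, never into the database
}

function redeemToken(PDO $db, string $token): ?string
{
    $hash = hash('sha256', $token);
    $stmt = $db->prepare(
        'SELECT email FROM email_tokens WHERE token_hash = ? AND expires_at > ?'
    );
    $stmt->execute([$hash, time()]);
    $email = $stmt->fetchColumn();
    if ($email === false) {
        return null; // unknown, already used, or expired
    }
    // Single use: remove the row once the address has been verified.
    $db->prepare('DELETE FROM email_tokens WHERE token_hash = ?')->execute([$hash]);
    return (string) $email;
}

// Constructed sample run.
$token = issueToken($db, 'user@example.com');
var_dump(redeemToken($db, $token));               // fresh token
var_dump(redeemToken($db, $token));               // same token presented again
$stale = issueToken($db, 'late@example.com', -1); // issued already expired
var_dump(redeemToken($db, $stale));
```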