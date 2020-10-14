Is registration by email a safe and secure way to accept subscribers using PHP and MySQLI

PHP
#1

Hi
I am looking into site registration via a form and registration / verification link. The idea is the user provides an email, username and pass via a form on the site. They then receive an email with a link to click on to verify.

I am really just looking at ideas here but, OK the email has to be valid or they won’t receive the verification link - and it’s easy.

However most examples I see use a link in the email something like

Please click the following link to activate your account: www.mywebsite.com/login/activate.php?email=email@domain.com&code=5f86d8b70d922

This seems a huge security risk since the link basically reveals and transmits the subfolder, the php script name and the variable values in plain text.

Am I paranoid or is this method as insecure as it seems?
Is there a better method?

#2

How risky can it be?
People must know your url.

Even must htaccess rewrite file extension is useless bcs if user type url.php he already have the file. Rewrite only helps in seo

#3

I use email link or otpcode. Which ever way the address to confirm will always show on the address bar.

The keys you appended to the url is the security you need, so each key should be different for each verification

#4

Yes I agree but, it’s easy to create a temporary or even 1 time email address or even intercept text transmitted. I am mostly concerned with possible code injection but wondered if I should have any other concerns

#5

If your codes is flawed, hidding its url wont help you, is called security by obscurity which is the weakest for of security

#6

Most of my project are pending to go live until i understand fully how code injection works.
What i do before launching any app is to check for these things

  1. Session hijacking
  2. SQL injection
  3. Code injection mostly done using java
  4. Bruteforce

So to my poor security intelligence i code along these lines.

#7

Extensions are very few, so if i try yoururl.php or .aspx or .cgi or html
It must be one of this

#8

I don’t understand.
Mostly my validation methods are complex ones.

  1. After registeration button is clicked, generate strong unique key and save it to database with users email nd details.
Key | email

Then append same to url and send to user email.
If user click on the link, extract key and also extract email.

Then query the database search where key is key and email is email.

If empty, validation failed, else proceed and create users account

#9

Not if it’s HTTPS, then the URL is encrypted between server and client.

It’s still plain text in the email of course, nothing much you can do about that, but most email is sent over SSL connections these days too.

I would not include the email address in the URL though, simply because that will end up in your server logs, which is not something you want with all the privacy laws going on like the European GDPR. Just a unique random code should suffice.

Is it a perfect system? No.
Is the best system we have so far? Yes.
Are there better alternatives? You can use split tokens for added security over some random code, but the main principle remains the same, so no.