Safety check: account reset code

Hey everyone,

Still working on my site with the login system, and yesterday I built a custom piece of code that generates a reset code. This code is encrypted in the database and is different for each user. When a user asks to recover their password, this code is sent to the user by e-mail.
The code I've written is a bit long though, because I couldn't find a better/faster way to do it. I've written 26 possibilities for the letters a-z, while 0-9 only takes one line…

$resetcode = "";
// Pick the length once: calling rand() inside the loop condition re-rolls the limit on every iteration
$length = rand(7,11);
for($i=1; $i<=$length; $i++)
{
	if(rand(0,1))
	{
		$char = rand(0,9);    // a digit 0-9 (rand() is PHP's non-cryptographic PRNG)
	}
	else
	{
		$r = rand(1,26);
		switch($r)
		{
			case 1:
				$char = "a";
				break;
			case 2:
				$char = "b";
				break;
			case 3:
				$char = "c";
				break;
			case 4:
				$char = "d";
				break;
			case 5:
				$char = "e";
				break;
			case 6:
				$char = "f";
				break;
			case 7:
				$char = "g";
				break;
			case 8:
				$char = "h";
				break;
			case 9:
				$char = "i";
				break;
			case 10:
				$char = "j";
				break;
			case 11:
				$char = "k";
				break;
			case 12:
				$char = "l";
				break;
			case 13:
				$char = "m";
				break;
			case 14:
				$char = "n";
				break;
			case 15:
				$char = "o";
				break;
			case 16:
				$char = "p";
				break;
			case 17:
				$char = "q";
				break;
			case 18:
				$char = "r";
				break;
			case 19:
				$char = "s";
				break;
			case 20:
				$char = "t";
				break;
			case 21:
				$char = "u";
				break;
			case 22:
				$char = "v";
				break;
			case 23:
				$char = "w";
				break;
			case 24:
				$char = "x";
				break;
			case 25:
				$char = "y";
				break;
			case 26:
				$char = "z";
				break;
		}
		if(rand(0,1))
		{
			$char = strtoupper($char);    // upper-case the letter half of the time
		}
	}
	$resetcode .= $char;    // append the digit or letter to the code
}

I think this is a pretty safe way to come up with such security codes, right? If anyone knows a better or faster way, please help me out :slight_smile: Or if you find any possible security flaws…

You could cut the code down a lot by using the chr() function. It would take one line, like the number code:

if(rand(0,1))
{
  $char = rand(0,9);               // a digit 0-9
}
else
{
  $char = chr(rand(97,122));       // ASCII 97..122 is 'a'..'z'
}

97 is the ASCII character code for lowercase a; 122 is z.

Remember that every character is represented by a code; see www.asciitable.com

Oh cool :smiley: That's exactly what I was looking for. I searched around in PHP's functions, but must've missed this one… Thanks a lot!

So pretty much shortened to:

$char = rand(0,61);
if($char >= 10)
{
    $char += 55;
    $char = chr($char);
}
$resetcode .= $char;

Thanks! :slight_smile:

Edit: silly me…

This is the good code:

$char = rand(0,61);              // 0-9 digit, 10-35 upper-case letter, 36-61 lower-case letter
if($char >= 10)
{
	$char += 55;                 // 10..35 -> 65..90, which is ASCII 'A'..'Z'
	if($char >= 91)
	{
		$char += 6;              // skip the six punctuation codes 91..96 so 36..61 -> 97..122, 'a'..'z'
	}
	$char = chr($char);
}
$resetcode .= $char;
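A hardened version of the generator discussed in this thread, added here as an example; it is not code from any of the posters. It keeps the same 62-character alphabet as the chr() mapping above, but draws each position with random_int() instead of rand(), and stores only a hash of the code with an expiry rather than an encrypted copy, so a database read cannot hand out usable codes. The function names, the 12-character length and the 15-minute lifetime are assumptions.

```php
<?php
// Added example (not the thread's code). Requires PHP >= 7.0 for random_int().

const RESET_ALPHABET = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
const RESET_TTL_SECONDS = 900; // assumed lifetime: 15 minutes

// Same digits + upper + lower alphabet as the chr() mapping in the thread, but each
// character is drawn with random_int(), a CSPRNG, so codes are unbiased and unpredictable.
// 12 characters from 62 symbols is about 71 bits of entropy.
function generate_reset_code(int $length = 12): string
{
    $alphabet = RESET_ALPHABET;
    $max = strlen($alphabet) - 1;
    $code = '';
    for ($i = 0; $i < $length; $i++) {
        $code .= $alphabet[random_int(0, $max)];
    }
    return $code;
}

// Builds what goes into the database: a one-way hash of the code plus an expiry.
// The plaintext code is returned only so it can be e-mailed; it is never stored.
function issue_reset_record(int $userId, int $now): array
{
    $code = generate_reset_code();
    return [
        'code'   => $code,
        'record' => [
            'user_id'    => $userId,
            'code_hash'  => hash('sha256', $code),
            'expires_at' => $now + RESET_TTL_SECONDS,
            'used'       => false,
        ],
    ];
}

// Checks a submitted code against the stored record: not yet used, not expired,
// and the hash matches. hash_equals() compares in constant time to avoid timing leaks.
function verify_reset_code(array $record, string $submitted, int $now): bool
{
    if ($record['used'] || $now > $record['expires_at']) {
        return false;
    }
    return hash_equals($record['code_hash'], hash('sha256', $submitted));
}

// Usage: issue a code for user 42 (constructed id), e-mail $issued['code'], save $issued['record'].
$issued = issue_reset_record(42, time());
var_dump(verify_reset_code($issued['record'], $issued['code'], time()));
var_dump(verify_reset_code($issued['record'], 'not-the-code', time()));
```

On a successful verification, set the record's `used` flag (or delete it) before letting the user choose a new password, so one e-mailed code cannot be replayed.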

You could also use uniqid:

$resetcode = md5(uniqid(rand(), true));

…just my two cents.

http://us3.php.net/manual/en/function.uniqid.php

You could always do something like:

$alphabet = "abcdefghijklmno";
$char = $alphabet[rand(0, strlen($alphabet)-1)];    // [] string offsets; the {} form is removed in PHP 8

I think

Depends - what's an alphabat? :smiley: