user784637

Reputation: 16152

What is the proper way to activate an account via $_GET?

So right now when a user registers, their password is hashed and stored, their id is stored as a primary key and the cell in the field email_activation is enumerated to 'no' by default. They are then sent an email where their account can be activated by clicking on the below link.

http://website.com/activation.php?id=1&pass=23a000e03e9116c958dh923542

After clicking on the link the following script runs

<?php
$id = $_GET['id'];
$hashPass = $_GET['pass'];

// Escape both values before interpolating them (the "proper sanitation" assumed below)
$id = mysql_real_escape_string($id);
$hashPass = mysql_real_escape_string($hashPass);

// Flip the flag only if the id and the password hash from the link both match
mysql_query("UPDATE members SET email_activation='yes' WHERE members_id='$id' AND members_password='$hashPass'");

Does this seem like a safe way to activate someone's account considering their hashed pass is part of the URL (assuming proper sanitation of strings, etc...)?

Upvotes: 0

Views: 106

Answers (4)

Allan Collins

Reputation: 98

I'd create another field in your table just for activation. That way you won't have the password hash in the URL.

(I wasn't quick enough on my response.)

Upvotes: 0

Jonathon

Reputation: 798

It's not very safe to do that, no. It would be better to assign a unique and random key instead.

Upvotes: 0

Amber

Reputation: 527063

There's no need to put the password, hashed or not, in the link (and no, you shouldn't do that).

Store a different random value in addition to the password in your database, and then put that random value in the link. (See: http://en.wikipedia.org/wiki/Cryptographic_nonce)

Since the random activation value will only be used once (and isn't something that can grant normal access to the account), it's fine to put it in a URL.

Upvotes: 2

Ignacio Vazquez-Abrams

Reputation: 799102

No. Use a separate field to contain the activation hash, and base the hash on multiple things (username, password hash, time of day, etc.).

Upvotes: 3
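An added example of what Amber's answer describes (a random single-use value stored in its own column, which is also the separate-field advice in the other three answers). This is not code from the question or from any of the answers. It assumes a PDO connection $pdo to the same MySQL database, the `members` table and column names from the question, plus one extra column `activation_token` (CHAR(64) NULL) that the question's schema does not have; the host name website.com is the one from the question.

```php
<?php
// Added example, not from the original question or answers.
// Assumes: $pdo is a PDO handle; table `members` has columns members_id,
// email_activation and an added CHAR(64) NULL column activation_token.

// 1. At registration: create a random token, store only its hash, email the link.
function createActivationLink(PDO $pdo, int $memberId): string
{
    // 32 bytes from the OS CSPRNG, hex-encoded. The value is unrelated to the
    // password, so the link discloses nothing about the user's credentials.
    $token = bin2hex(random_bytes(32));

    // Store a hash of the token rather than the token itself: a copy of the
    // table (backup leak, injection elsewhere) then cannot activate accounts.
    $stmt = $pdo->prepare(
        "UPDATE members SET activation_token = :tokenhash, email_activation = 'no'
         WHERE members_id = :id"
    );
    $stmt->execute([':tokenhash' => hash('sha256', $token), ':id' => $memberId]);

    return 'https://website.com/activation.php?id=' . $memberId . '&token=' . $token;
}

// 2. In activation.php: validate input, compare in constant time, consume the token.
function activateAccount(PDO $pdo, array $get): bool
{
    $id    = filter_var($get['id'] ?? '', FILTER_VALIDATE_INT);
    $token = $get['token'] ?? '';
    // Reject anything that is not an integer id and a 64-hex-char token.
    if ($id === false || !preg_match('/^[0-9a-f]{64}$/', $token)) {
        return false;
    }

    $stmt = $pdo->prepare(
        "SELECT activation_token FROM members
         WHERE members_id = :id AND email_activation = 'no'"
    );
    $stmt->execute([':id' => $id]);
    $stored = $stmt->fetchColumn();
    if ($stored === false || $stored === null) {
        return false; // unknown id, already activated, or no token issued
    }

    // hash_equals avoids leaking how many leading bytes matched via timing.
    $tokenHash = hash('sha256', $token);
    if (!hash_equals($stored, $tokenHash)) {
        return false;
    }

    // Single use: set the flag and clear the token in one statement, and only
    // if the stored hash still matches (guards against a concurrent second click).
    $stmt = $pdo->prepare(
        "UPDATE members SET email_activation = 'yes', activation_token = NULL
         WHERE members_id = :id AND activation_token = :tokenhash"
    );
    $stmt->execute([':id' => $id, ':tokenhash' => $tokenHash]);
    return $stmt->rowCount() === 1;
}

// Usage in activation.php, assuming $pdo was connected above:
// echo activateAccount($pdo, $_GET) ? 'Account activated.' : 'Invalid or used link.';
```

Two design points worth noting: the token is generated from random_bytes() rather than derived from anything the attacker might know or guess (username, password hash, time), and the database never holds the raw token, so the link is the only place it exists and it stops working after the first successful use.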
