
Using PHP / MySQL for an email subscription

I am a newbie to PHP, and newer still to MySQL.

I have nearly finished writing (offline for use online) a PHP script that
deals with people adding and deleting themselves off a mailing list (using
GET), all data being stored in MySQL database.

When a person signs on via a web-page, they get emailed a link to
unsubscribe from a database - with a unique ID that was generated for that
person only when they signed on (this is saved in a database). So in
any subsequent emails, the user can click the link and delete themselves
off the mailing list (running another PHP script). If the person tries a
delete and is not listed in the database, the delete request will be
refused.

1) Are there any problems I should consider security-wise?
2) How long should the unique ID be? I have currently written code to be
approx 5.6x10^11 odds of getting that same combination. Although it will
be a very small mailing list.
3) If I use the random number generation in PHP, should I use something
like "bit stuffing" to add zeros to a number? For example, if the number
generated is max 9999 and the PHP random number is 34, should I
deliberately add zeros to make the number 0034? Is there any use in doing this?

Dariusz
Jul 17 '05 #1
2 Replies


Why not make the field in the database unique? If you generate the code when
you create the record, test to see if the creation failed. If it did, try
another unique number. Otherwise, you could add the person's email address to
the unsubscribe url like this:

http://yoursite.com/un**************...******@bar.com

Then in your unsubscribe script delete the record that matches the unique id AND
the email address. In this case it won't matter if the same unique id is used
more than once.

Regards,
Shawn
--
Shawn Wilson
sh***@glassgiant.com
http://www.glassgiant.com
Jul 17 '05 #2

Oh, and you might want to consider uniqid().

http://ca2.php.net/manual/en/function.uniqid.php

You should not use just an integer between 0 and 9999. It's too easy for me to
write a script like:

for ($i = 0; $i < 10000; ++$i) {
    // fopen() needs a mode argument; file_get_contents() fetches the URL in one call
    file_get_contents("http://yoursite.com/unsubscribe.php?uniqueid=" . $i);
}

Granted, I wouldn't get 10000 pages before the script timed out, but you get the
idea.

Shawn
--
Shawn Wilson
sh***@glassgiant.com
http://www.glassgiant.com
Jul 17 '05 #3
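The following is an added example, not code from Dariusz or from Shawn's replies. It puts both replies together: a UNIQUE token column with a retry when the insert collides (reply #2), and an unsubscribe that only deletes when the token AND the email address match (reply #2), using a token wide enough that the enumeration loop in reply #3 is hopeless. The `subscribers` table, its `email`/`token` columns, the 32-hex-character token and the 5-attempt retry limit are this example's assumptions. It uses `random_bytes()` rather than `uniqid()` because `uniqid()` is time-based and the PHP manual states it is not cryptographically secure; `random_bytes()` needs PHP 7 or later, so this would not have run on the PHP of the original 2005 thread. The demo runs against an in-memory SQLite database so it works offline; for MySQL, pass a DSN such as `mysql:host=localhost;dbname=list` to `openDb()`.

```php
<?php
// Added example (not from the original thread): UNIQUE token column with
// retry on collision, and an unsubscribe keyed on token AND email.
// Assumptions: table `subscribers` (email, token), 32-hex-char tokens,
// up to 5 insert attempts. Demo uses SQLite in memory; swap the DSN for MySQL.
declare(strict_types=1);

function openDb(string $dsn = 'sqlite::memory:', ?string $user = null, ?string $pass = null): PDO
{
    $pdo = new PDO($dsn, $user, $pass, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $pdo->exec(
        'CREATE TABLE IF NOT EXISTS subscribers (
             email VARCHAR(254) NOT NULL UNIQUE,
             token CHAR(32)     NOT NULL UNIQUE
         )'
    );
    return $pdo;
}

// 16 bytes from the CSPRNG, hex-encoded: 128 bits in a fixed 32 characters.
// Every token has the same width, so there is nothing to zero-pad; the
// strength comes from the size of the space (2^128), not the printed digits.
// uniqid() is time-based and documented as not cryptographically secure,
// so it is not used for a value that authorises a change to the list.
function newToken(): string
{
    return bin2hex(random_bytes(16));
}

// Insert the address with a fresh token. A duplicate token makes the UNIQUE
// index reject the row (SQLSTATE 23000 in both MySQL and SQLite) and we draw
// another; a duplicate address is reported instead of retried.
function subscribe(PDO $pdo, string $email): string
{
    $insert = $pdo->prepare('INSERT INTO subscribers (email, token) VALUES (:email, :token)');
    $exists = $pdo->prepare('SELECT COUNT(*) FROM subscribers WHERE email = :email');
    for ($attempt = 0; $attempt < 5; $attempt++) {
        $token = newToken();
        try {
            $insert->execute([':email' => $email, ':token' => $token]);
            return $token; // goes into the unsubscribe link mailed to the subscriber
        } catch (PDOException $e) {
            if ((string) $e->getCode() !== '23000') {
                throw $e; // not a constraint violation: real error
            }
            $exists->execute([':email' => $email]);
            if ((int) $exists->fetchColumn() > 0) {
                throw new RuntimeException("$email is already subscribed");
            }
            // otherwise the token collided: loop and draw another
        }
    }
    throw new RuntimeException('could not generate a unique token after 5 attempts');
}

// Reject anything that is not the exact token format before querying, then
// delete only the row where BOTH address and token match. rowCount() is 1 on
// success; an unknown address or a wrong/guessed token deletes nothing, which
// is the "refuse the request" behaviour the original question asks for.
function unsubscribe(PDO $pdo, string $email, string $token): bool
{
    if (!preg_match('/\A[0-9a-f]{32}\z/', $token)) {
        return false;
    }
    $delete = $pdo->prepare('DELETE FROM subscribers WHERE email = :email AND token = :token');
    $delete->execute([':email' => $email, ':token' => $token]);
    return $delete->rowCount() === 1;
}

// Demo with a constructed address. In unsubscribe.php the two arguments would
// come from $_GET['email'] and $_GET['id']; the prepared statements do the
// quoting, so nothing from the query string is concatenated into SQL.
$pdo   = openDb();
$token = subscribe($pdo, 'alice@example.com');
$results = [
    'wrong token refused'  => unsubscribe($pdo, 'alice@example.com', str_repeat('0', 32)) === false,
    'short id refused'     => unsubscribe($pdo, 'alice@example.com', '0034') === false,
    'real token accepted'  => unsubscribe($pdo, 'alice@example.com', $token) === true,
    'second use refused'   => unsubscribe($pdo, 'alice@example.com', $token) === false,
];
foreach ($results as $case => $ok) {
    echo str_pad($case, 22) . ($ok ? 'PASS' : 'FAIL') . "\n";
}
```

Two practical notes. The 4-digit space Shawn enumerates has 10^4 values; with 32 hex characters an attacker's loop would need on the order of 2^128 requests, so brute force is not a concern even for a list that never expires tokens, and matching on the email address as well means a collision between two subscribers' tokens still cannot remove the wrong person. Second, because the link in the mail is necessarily a GET request, mail clients and link scanners can fetch it on the recipient's behalf; if that matters for your list, have unsubscribe.php show a one-click confirm button that POSTs back and do the delete there.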
