Using PHP / MySQL for an email subscription

I am a newbie to PHP, and newer still to MySQL.

I have nearly finished writing (offline for use online) a PHP script that
deals with people adding and deleting themselves off a mailing list (using
GET), all data being stored in a MySQL database.

When a person signs on via a web-page, they get emailed a link to
unsubscribe from a database - with a unique ID that was generated for that
person only when they signed on (this is saved in a database). So in
any subsequent emails, the user can click the link and delete themselves
off the mailing list (running another PHP code). If the person has tried a
delete and is not listed in the database - the delete request will be
refused.

1) Are there any problems I should consider security-wise?
2) How long should the unique ID be? I have currently written code to be
approx 5.6x10^11 odds of getting that same combination. Although it will
be a very small mailing list.
3) If I use the random number generation in PHP, should I use something
like "bit stuffing" to add zeros to a number? For example, if the number
generated is max 9999 - and the PHP random number is 34, should I
deliberately add zeros to make the number 0034? Any use to doing this?

Dariusz
Jul 17 '05 #1
Why not make the field in the database unique? If you generate the code when
you create the record, test to see if the creation failed. If it did, try
another unique number. Otherwise, you could add the person's email address to
the unsubscribe URL like this:

http://yoursite.com/un**************...******@bar.com

Then in your unsubscribe script delete the record that matches the unique id AND
the email address. In this case it won't matter if the same unique id is used
more than once.

Regards,
Shawn
--
Shawn Wilson
sh***@glassgiant.com
http://www.glassgiant.com
Jul 17 '05 #2
Oh, and you might want to consider uniqid().

http://ca2.php.net/manual/en/function.uniqid.php

You should not use just an integer between 0 and 9999. It's too easy for me to
write a script like:

    // request the unsubscribe page once for every possible ID
    for ($i = 0; $i < 10000; ++$i)
        fopen("http://yoursite.com/unsubscribe.php?uniqueid=" . $i, "r");

Granted, I wouldn't get 10000 pages before the script timed out, but you get the
idea.

Shawn
--
Shawn Wilson
sh***@glassgiant.com
http://www.glassgiant.com
Jul 17 '05 #3
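
The token handling discussed in this thread, as an added example that is not code from either poster: a unique token column with retry on collision, and a delete that must match both the address and the token. It draws the token from random_bytes() instead of uniqid(), because uniqid() is derived from the current time and the PHP manual states it is not cryptographically secure; the table, column and function names are assumptions, and in-memory SQLite stands in for MySQL.

```php
<?php
// Added example: table and column names are assumptions; in-memory SQLite stands
// in for the MySQL database so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE subscribers (email TEXT NOT NULL, token TEXT NOT NULL UNIQUE)');

// Store a subscriber with a 128-bit token from the OS CSPRNG and return the token.
function subscribe(PDO $db, string $email): string
{
    $ins = $db->prepare('INSERT INTO subscribers (email, token) VALUES (?, ?)');
    for ($attempt = 0; $attempt < 3; $attempt++) {
        // bin2hex() always yields 32 hex characters, so zero padding is never needed.
        $token = bin2hex(random_bytes(16));
        try {
            $ins->execute([$email, $token]);
            return $token;
        } catch (PDOException $e) {
            // SQLSTATE 23000 = UNIQUE constraint hit: draw a new token and retry.
            if ((string) $e->getCode() !== '23000') {
                throw $e;
            }
        }
    }
    throw new RuntimeException('could not create a unique token');
}

// Delete only the row where BOTH the address and the token match.
function unsubscribe(PDO $db, string $email, string $token): bool
{
    // Refuse anything that is not exactly 32 lowercase hex characters.
    if (!preg_match('/\A[0-9a-f]{32}\z/', $token)) {
        return false;
    }
    $del = $db->prepare('DELETE FROM subscribers WHERE email = ? AND token = ?');
    $del->execute([$email, $token]);
    return $del->rowCount() === 1;
}

// Constructed sample data.
$token = subscribe($db, 'alice@example.com');
var_dump(unsubscribe($db, 'alice@example.com', '0034'));   // short numeric ID
var_dump(unsubscribe($db, 'bob@example.com', $token));     // right token, wrong address
var_dump(unsubscribe($db, 'alice@example.com', $token));   // matching pair
var_dump(unsubscribe($db, 'alice@example.com', $token));   // repeat after removal
```

With 128 bits of randomness per token, walking through candidate IDs as in the loop above is no longer practical, and the prepared statements keep the GET parameters out of the SQL text.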
