NYPHP.org

[nycphp-talk] MD5 + Flash

csnyder chsnyder at gmail.com
Mon Aug 22 08:35:30 EDT 2005


On 8/21/05, -sry Boston <sryboston at hotmail.com> wrote:

> What I want to do:
> 
> (1) user gives me email address
> 
> (2) with a PHP script (free from http://www.allhype.co.uk/tools/md5/
> and a very nice script actually!!) I MD5 their email address
> 
> (3) I send user a message (to validate the address works) that has
> their MD5'd address as a link for them to come back and get what
> they want
> 
> (4) user clicks unique query string in the email I've sent them
> 
> (4) I validate the string .....how/from where is the ??? :)
> 
> (5) if valid, give them the Flash file; if not, give them an error message
> 
> Any help much appreciated!

I think you have the purpose of the MD5 hash confused. In this case,
you want it to be an *unguessable* token that the user can bring back
to you to prove that they got your validation message, and
that they own the mailbox associated with the provided email address.

In other words, it should be random. If it's just the hash of their
email address, then an impersonator could easily generate the right
token and validate an address that isn't their own (as Hans pointed
out).

You will need some sort of DB -- MySQL or flat file or otherwise -- to
store the email address and the random token in the same record, so
that when the user clicks the link with the token in it, you can look
up the email and mark it valid.

-- 
Chris Snyder
http://chxo.com/
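
The scheme described in the reply above (a random token stored in the same record as the email address, looked up when the link is clicked), as an added example that is not part of the original message. It assumes PHP 7+ with the PDO SQLite driver; the table, column and function names are hypothetical, and the 24-hour expiry is an added assumption.

```php
<?php
// Added example, not from the original thread.
// Hypothetical schema: one record holds the address and its random token.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE pending (
    email   TEXT PRIMARY KEY,
    token   TEXT NOT NULL UNIQUE,
    created INTEGER NOT NULL,
    valid   INTEGER NOT NULL DEFAULT 0
)');

// Create an unguessable token and store it alongside the address.
function issueToken(PDO $db, string $email): string
{
    $token = bin2hex(random_bytes(16)); // 128 bits from the OS CSPRNG
    $stmt = $db->prepare(
        'INSERT OR REPLACE INTO pending (email, token, created, valid) VALUES (?, ?, ?, 0)'
    );
    $stmt->execute([$email, $token, time()]);
    return $token; // goes into the link mailed to $email
}

// The user clicks the link: look up the token and mark the address valid.
function redeemToken(PDO $db, string $token, int $maxAge = 86400): ?string
{
    if (!preg_match('/\A[0-9a-f]{32}\z/', $token)) {
        return null; // not in the format issueToken() produces
    }
    $stmt = $db->prepare('SELECT email FROM pending WHERE token = ? AND created >= ?');
    $stmt->execute([$token, time() - $maxAge]);
    $email = $stmt->fetchColumn();
    if ($email === false) {
        return null; // unknown or expired token
    }
    $db->prepare('UPDATE pending SET valid = 1 WHERE email = ?')->execute([$email]);
    return $email;
}

// Constructed sample run: the mailed token is compared with md5 of the address.
$email = 'user@example.com';
$token = issueToken($db, $email);
var_dump(redeemToken($db, $token));      // token taken from the mailed link
var_dump(redeemToken($db, md5($email))); // value anyone can compute from the address
```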


