[nycphp-talk] design question: user self-registration
John Campbell
jcampbell1 at gmail.com
Tue Aug 31 23:56:26 EDT 2010
> that sounds like a
> poor idea, basically allowing anyone to run an update on anyone else's
> record in the table.
Are you using the email as the only "GET" parameter to do the
confirmation? That is a mistake.
Do something like:
confirm.php?email=joe at example.com&checksum=abcdefg123
where checksum is md5($email . 'a secret');
Now when you run the update do:
if (isset($_GET['email'], $_GET['checksum'])
    && md5($_GET['email'] . 'a secret') === $_GET['checksum']) {
    // sql update
}
- - - - -
There are lots of variations on this pattern. You can just save the
checksum in the table, and avoid the email altogether if you want a
shorter url.
Regards,
John Campbell
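The signed-link pattern described in the post above, as an added example that is not part of the original message. It keeps the same two query parameters (email and checksum) and the same confirm.php endpoint, but computes the checksum with hash_hmac() instead of md5($email . 'a secret') and compares it with hash_equals() rather than ==. The constant CONFIRM_SECRET and the function names are assumptions for this illustration; the sample email address is constructed.

```php
<?php
// Added example, not from the original post: a signed confirmation link.
// Assumption: CONFIRM_SECRET is a server-side secret loaded from config
// outside the web root; the value below is a placeholder.
declare(strict_types=1);

const CONFIRM_SECRET = 'replace-with-a-long-random-secret';

// Build the query string for the confirmation link, e.g.
// confirm.php?email=joe%40example.com&checksum=<hex hmac>
function make_confirm_query(string $email, string $secret = CONFIRM_SECRET): string
{
    // A keyed MAC over the email: a recipient without the secret cannot
    // produce a valid checksum for any other address.
    $checksum = hash_hmac('sha256', $email, $secret);
    return http_build_query(['email' => $email, 'checksum' => $checksum]);
}

// Validate the parameters confirm.php receives (pass $_GET in production).
// Returns the confirmed email on success, or null if the checksum is
// missing, forged, or does not match the email in the link.
function verify_confirm_request(array $params, string $secret = CONFIRM_SECRET): ?string
{
    if (!isset($params['email'], $params['checksum'])
        || !is_string($params['email']) || !is_string($params['checksum'])) {
        return null;
    }
    $expected = hash_hmac('sha256', $params['email'], $secret);
    // hash_equals(): strict, constant-time string comparison, so neither
    // loose == juggling nor timing differences leak anything.
    if (!hash_equals($expected, $params['checksum'])) {
        return null;
    }
    return $params['email'];
}

// Demonstration with a constructed address.
$query = make_confirm_query('joe@example.com');
echo "confirm.php?$query\n";

// The link as sent: verifies.
parse_str($query, $good);
var_dump(verify_confirm_request($good));

// Same checksum, but the email parameter swapped to another user: rejected.
$bad = $good;
$bad['email'] = 'victim@example.com';
var_dump(verify_confirm_request($bad));

// Email only, the design the post warns against: rejected.
var_dump(verify_confirm_request(['email' => 'joe@example.com']));
```

Two caveats a practitioner would add to the post's variations: the token above is valid forever and for any number of uses, so the UPDATE that confirms the account should also clear whatever pending-confirmation state it keys on; and if you take the post's suggestion of storing the checksum in the table instead of deriving it, store a random value from random_bytes() rather than a hash of the email, so the stored column leaks nothing if the table is read.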