hello.

i'm currently working on a mailing list app for my company to have one
central place to manage our mailing list(s). at first it was going to
purely be a place for our staff to manage our list. but then i got to
thinking that it would be very convenient to take a lot of the
management overhead out of the system by giving some control to the
users. i.e. giving them the ability to change their subscription from
plain text to html, or to unsubscribe themselves altogether.

so then i started to think about how the subscriber could identify their
account while at the same time prevent a malicious user from exploiting
the system.

using the auto-number id for each user is out of the question since
anyone could easily go in sequential order till another record was
populated. so what i came up with is a unique identifier that is created
by combining three of the user's fields and then running that through
md5().

i figure at this point i can easily and securely include a link at the
bottom of each email that's directed at each subscriber. like so:

    To unsubscribe yourself or change your subscription settings please
    follow the following link:

    http://domain.com/mysubscription.php?uid=a7b8f8a7c8a7d8a9d8b8ga7d8a9d8b8g

so my question is the following:

how does this stack up? i'd like to avoid passwords for each subscriber
and i figure it will be next to impossible for a malicious person to
figure out the combination used to create the hash and subsequently
construct their own hashes, especially considering the fields i've
chosen. one of them being the date the record was created. which by
itself is already impossible to determine (hacking aside) for any random
record.


THE END


chris.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
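
Added example, not part of the original post: one way to build the per-subscriber link value so that it cannot be reconstructed from record fields, using HMAC-SHA256 with a server-side secret in place of the md5() of three fields described above. The function names, the `unsubscribe:` label, the subscriber id 1042 and the in-script key are assumptions made for illustration.

```php
<?php
// Assumption: in a real deployment the key is loaded from configuration kept
// outside the web root. It is generated here only so the example runs alone.
$secret = random_bytes(32);

/** Build the value for the uid= parameter: "<subscriber id>.<hex MAC>". */
function make_token(int $subscriberId, string $secret): string
{
    // The fixed label ties the MAC to this one purpose, so a MAC issued for
    // another feature of the application cannot be replayed here.
    $mac = hash_hmac('sha256', 'unsubscribe:' . $subscriberId, $secret);
    return $subscriberId . '.' . $mac;
}

/** Return the subscriber id when the token is authentic, otherwise null. */
function verify_token(string $token, string $secret): ?int
{
    // Strict shape check first: canonical decimal id, dot, 64 hex characters.
    if (!preg_match('/^([1-9]\d{0,8})\.([0-9a-f]{64})$/D', $token, $m)) {
        return null;
    }
    $id = (int) $m[1];
    $expected = hash_hmac('sha256', 'unsubscribe:' . $id, $secret);

    // hash_equals() compares in constant time, so response timing does not
    // reveal how many leading characters of a guessed MAC were correct.
    return hash_equals($expected, $m[2]) ? $id : null;
}

// Constructed sample: link for subscriber 1042.
$token = make_token(1042, $secret);
echo 'http://domain.com/mysubscription.php?uid=' . urlencode($token), PHP_EOL;

// The genuine token resolves to its subscriber.
var_dump(verify_token($token, $secret));

// Changing the id to the next sequential value while keeping the MAC fails,
// because the MAC covers the id.
$altered = '1043' . substr($token, 4);
var_dump(verify_token($altered, $secret));

// Malformed input is rejected before any MAC is computed.
var_dump(verify_token('a7b8f8a7c8a7d8a9', $secret));
```

Because the id travels in the token, no lookup by hash is needed; the page loads the record by id only after verify_token() returns a non-null value.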
