> that sounds like a poor idea, basically allowing anyone to run an update
> on anyone else's record in the table.

Are you using the email as the only "GET" parameter to do the confirmation? That is a mistake. Do something like:

    confirm.php?email=...@example.com&checksum=abcdefg123

where checksum is md5($email . 'a secret');

Now when you run the update do:

    // strict comparison, so numeric-looking hashes are not type-juggled
    if (isset($_GET['email'], $_GET['checksum'])
        && md5($_GET['email'] . 'a secret') === $_GET['checksum']) {
        // sql update
    }

- - - - -

There are lots of variations on this pattern. You can just save the checksum in the table, and avoid the email altogether if you want a shorter url.

Regards,
John Campbell
_______________________________________________
New York PHP Users Group Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk

http://www.nyphp.org/Show-Participation
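
The signed confirmation link described in this reply, as an added example that is not part of the original post. It swaps md5($email . 'a secret') and == for HMAC-SHA256 and hash_equals; SECRET, the example.com URL and the function names are assumptions made for illustration.

```php
<?php
// Added example, not code from the original thread.
// Assumption: SECRET is a long random value kept server-side only.
const SECRET = 'replace-with-a-long-random-server-side-secret';

// Build the link that is mailed to the user (hypothetical helper name).
function confirmation_url(string $email): string
{
    // Keyed hash: only a holder of SECRET can mint a checksum for an address.
    $checksum = hash_hmac('sha256', $email, SECRET);
    return 'https://example.com/confirm.php?' . http_build_query([
        'email'    => $email,
        'checksum' => $checksum,
    ]);
}

// Decide whether confirm.php may run the UPDATE (hypothetical helper name).
function is_valid_confirmation(array $query): bool
{
    $email    = $query['email'] ?? null;
    $checksum = $query['checksum'] ?? null;
    // Reject missing values and array input such as ?email[]=x before hashing.
    if (!is_string($email) || !is_string($checksum) || $email === '') {
        return false;
    }
    $expected = hash_hmac('sha256', $email, SECRET);
    // hash_equals is constant-time and never compares hex strings as numbers.
    return hash_equals($expected, $checksum);
}

// Constructed sample data: a genuine link, then the same link with the
// email swapped to another user's record while the checksum is reused.
$url = confirmation_url('alice@example.com');
parse_str(parse_url($url, PHP_URL_QUERY), $good);

$tampered = $good;
$tampered['email'] = 'bob@example.com';

$cases = [
    'genuine link'     => $good,
    'email swapped'    => $tampered,
    'checksum missing' => ['email' => 'alice@example.com'],
];
foreach ($cases as $label => $query) {
    printf("%-17s %s\n", $label, is_valid_confirmation($query) ? 'accept' : 'reject');
}
```

Run the SQL update only when is_valid_confirmation($_GET) returns true, and pass the email to the query as a bound parameter.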