On Tue, Aug 31, 2010 at 11:56 PM, John Campbell <jcampbe...@gmail.com> wrote:

> > that sounds like a
> > poor idea, basically allowing anyone to run an update on anyone else's
> > record in the table.
>
> Are you using the email as the only "GET" parameter to do the
> confirmation? That is a mistake.
>
> Do something like:
>
> confirm.php?email=...@example.com&checksum=abcdefg123
>
> where checksum is md5($email . 'a secret');
>

Totally planning to do it that way.

--
Support real health care reform:
http://phimg.org/

--
David Mintz
http://davidmintz.org/
_______________________________________________
New York PHP Users Group Community Talk Mailing List
http://lists.nyphp.org/mailman/listinfo/talk

http://www.nyphp.org/Show-Participation
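The signed confirmation link discussed in the thread, as an added example that is not part of the original messages. It swaps the thread's md5($email . 'a secret') for HMAC-SHA256 and compares with hash_equals(); the secret value, the base URL and the function names are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Assumption: in a real deployment the secret comes from server-side
// configuration and is never sent to the client. Constructed sample value.
const CONFIRM_SECRET = 'constructed-sample-secret';

// Keyed checksum over the e-mail address. HMAC-SHA256 stands in here for
// the md5($email . 'a secret') form mentioned in the thread.
function confirm_checksum(string $email, string $secret): string
{
    return hash_hmac('sha256', $email, $secret);
}

// Build the link that goes into the confirmation e-mail (hypothetical helper).
function make_confirm_url(string $base, string $email, string $secret): string
{
    return $base . '?' . http_build_query([
        'email'    => $email,
        'checksum' => confirm_checksum($email, $secret),
    ]);
}

// Returns the confirmed address, or null when the request must be rejected.
// Only after a non-null result should confirm.php run its UPDATE.
function verify_confirm_request(array $query, string $secret): ?string
{
    $email    = $query['email'] ?? null;
    $checksum = $query['checksum'] ?? null;
    // Missing or array-valued parameters (e.g. ?email[]=x) are rejected.
    if (!is_string($email) || !is_string($checksum)) {
        return null;
    }
    // hash_equals() compares in constant time, so response timing does not
    // reveal how many leading characters of a guessed checksum were right.
    if (!hash_equals(confirm_checksum($email, $secret), $checksum)) {
        return null;
    }
    return $email;
}

// Constructed sample run: a valid link verifies; the same checksum with a
// different address does not.
$url = make_confirm_url('https://example.com/confirm.php', 'user@example.com', CONFIRM_SECRET);
parse_str((string) parse_url($url, PHP_URL_QUERY), $query);
var_dump(verify_confirm_request($query, CONFIRM_SECRET));
$query['email'] = 'other@example.com';
var_dump(verify_confirm_request($query, CONFIRM_SECRET));
```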