Using PHP / MySQL for an email subscription

This topic is closed.
  • Dariusz

    Using PHP / MySQL for an email subscription

    I am a newbie to PHP, and newer still to MySQL.

    I have nearly finished writing (offline for use online) a PHP script that
    deals with people adding and deleting themselves off a mailing list (using
    GET), all data being stored in MySQL database.

    When a person signs on via a web-page, they get emailed a link to
    unsubscribe from a database - with a unique ID that was generated for that
    person only when they signed on (this is saved in a database). So in
    any subsequent emails, the user can click the link and delete themselves
    off the mailing list (running another PHP code). If the person has tried a
    delete and are not listed in the database - the delete request will be
    refused.

    1) Are there any problems I should consider security wise?
    2) How long should the unique ID be? I have currently written code to be
    approx 5.6x10^11 odds of getting that same combination. Although it will
    be a very small mailing list.
    3) If I use the random number generation in PHP, should I use something
    like "bit stuffing" to add zeros to a number. For example, if the number
    generated is max 9999 - and the php random number is 34, should I
    deliberately add zeros to make the number 0034? Any use to doing this?

    Dariusz
  • Shawn Wilson

    #2
    Re: Using PHP / MySQL for an email subscription

    Dariusz wrote:
    >
    > I am a newbie to PHP, and newer still to MySQL.
    >
    > I have nearly finished writing (offline for use online) a PHP script that
    > deals with people adding and deleting themselves off a mailing list (using
    > GET), all data being stored in MySQL database.
    >
    > When a person signs on via a web-page, they get emailed a link to
    > unsubscribe from a database - with a unique ID that was generated for that
    > person only when they signed on (this is saved in a database). So in
    > any subsequent emails, the user can click the link and delete themselves
    > off the mailing list (running another PHP code). If the person has tried a
    > delete and are not listed in the database - the delete request will be
    > refused.
    >
    > 1) Are there any problems I should consider security wise?
    > 2) How long should the unique ID be? I have currently written code to be
    > approx 5.6x10^11 odds of getting that same combination. Although it will
    > be a very small mailing list.
    > 3) If I use the random number generation in PHP, should I use something
    > like "bit stuffing" to add zeros to a number. For example, if the number
    > generated is max 9999 - and the php random number is 34, should I
    > deliberately add zeros to make the number 0034? Any use to doing this?

    Why not make the field in the database unique? If you generate the code when
    you create the record, test to see if the creation failed. If it did, try
    another unique number. Otherwise, you could add the person's email address to
    the unsubscribe url like this:


    Then in your unsubscribe script delete the record that matches the unique id AND
    the email address. In this case it won't matter if the same unique id is used
    more than once.

    Regards,
    Shawn
    --
    Shawn Wilson
    shawn@glassgiant.com


    • Shawn Wilson

      #3
      Re: Using PHP / MySQL for an email subscription

      Dariusz wrote:
      >
      > I am a newbie to PHP, and newer still to MySQL.
      >
      > I have nearly finished writing (offline for use online) a PHP script that
      > deals with people adding and deleting themselves off a mailing list (using
      > GET), all data being stored in MySQL database.
      >
      > When a person signs on via a web-page, they get emailed a link to
      > unsubscribe from a database - with a unique ID that was generated for that
      > person only when they signed on (this is saved in a database). So in
      > any subsequent emails, the user can click the link and delete themselves
      > off the mailing list (running another PHP code). If the person has tried a
      > delete and are not listed in the database - the delete request will be
      > refused.
      >
      > 1) Are there any problems I should consider security wise?
      > 2) How long should the unique ID be? I have currently written code to be
      > approx 5.6x10^11 odds of getting that same combination. Although it will
      > be a very small mailing list.
      > 3) If I use the random number generation in PHP, should I use something
      > like "bit stuffing" to add zeros to a number. For example, if the number
      > generated is max 9999 - and the php random number is 34, should I
      > deliberately add zeros to make the number 0034? Any use to doing this?

      Oh, and you might want to consider uniqid().



      You should not use just an integer between 0 and 9999. It's too easy for me to
      write a script like:

      for($i=0;$i<10000;++$i)
      fopen("http://yousite.com/unsubscribe.php?uniqueid=".$i, "r");

      Granted, I wouldn't get 10000 pages before the script timed out, but you get the
      idea.

      Shawn
      --
      Shawn Wilson
      shawn@glassgiant.com
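
The advice in the two replies above (a UNIQUE token column with a retry on collision, deleting on the token AND the email address, and not using a small guessable integer), as an added example that is not part of the original posts. It uses random_bytes() rather than uniqid(), because uniqid() is derived from the current time; the table and function names are assumptions, and an in-memory SQLite database stands in for MySQL so it runs offline.

```php
<?php
// Added example, not code from the thread; table and function names are assumptions.
// In-memory SQLite stands in for MySQL so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE subscribers (
    email TEXT NOT NULL,
    token TEXT NOT NULL UNIQUE)'); // the database itself rejects a repeated token

// 16 bytes from the OS CSPRNG = 128 bits. bin2hex() always returns 32
// characters, so the width is fixed without any zero padding.
function newToken(): string
{
    return bin2hex(random_bytes(16));
}

// Insert the row; if the UNIQUE constraint rejects the token, try another one.
function subscribe(PDO $db, string $email): string
{
    $stmt = $db->prepare('INSERT INTO subscribers (email, token) VALUES (?, ?)');
    for ($attempt = 0; $attempt < 3; $attempt++) {
        $token = newToken();
        try {
            $stmt->execute([$email, $token]);
            return $token;
        } catch (PDOException $e) {
            if ((string) $e->getCode() !== '23000') { // 23000 = constraint violation
                throw $e;
            }
        }
    }
    throw new RuntimeException('could not allocate a unique token');
}

// Delete only the row that matches BOTH the token and the address.
function unsubscribe(PDO $db, string $email, string $token): bool
{
    if (!preg_match('/\A[0-9a-f]{32}\z/', $token)) {
        return false; // malformed token: refuse before querying
    }
    $stmt = $db->prepare('DELETE FROM subscribers WHERE token = ? AND email = ?');
    $stmt->execute([$token, $email]);
    return $stmt->rowCount() === 1;
}

// Constructed sample data.
$token = subscribe($db, 'alice@example.org');
var_dump(unsubscribe($db, 'alice@example.org', '0034'));  // short numeric id
var_dump(unsubscribe($db, 'bob@example.org', $token));    // right token, wrong address
var_dump(unsubscribe($db, 'alice@example.org', $token));  // matching pair
```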
