|
|
Posted by Jerry Stuckle on 11/03/05 15:50
Angelos wrote:
> Hello...
> I wrote a simple subscribe script that when a user completes the
> subscription form he gets added in the database and then he receives an
> e-mail where he/she clicks on the follow link :
>
> <a
> href=www.mysite.com?confirm&subscribers_id=mysql_insert_id($rs_subscriber_id)>Confirm</a>
>
> and gets added in the newsletter subscribers.
>
> The problem with that is that you can easily exploit it... if you start
> subscribing and then just copy pasting the above url with ascending ids.
>
> Same happens with the unsubscribe.
> <a
> href=www.mysite.com?unsubscribe&subscribers_id=$row_subscriber_id>Unsubscribe</a>
> Exploit: just use random subscriber_ids and start unsubscribing people.
>
> But if that Number was encoded somehow and then decoded... it would solve
> the proble... or at least the chances would be less.
>
>
> Could you please help me ???
> Please !!!
> Thanks.
>
>
Create an extra table "verification" in your database containing:
user_id
verification_code
Generate a random number for the verification code and save both to the
verification table.
Now send the email with both the user_id and the verification_code in
the link. When the user clicks on the link, compare both fields. If
they both match, remove the entry from the verification table.
Alternatively - concatenate an internal (known only to you) string to
the user id and MD5 hash the result. Use this as the verification code
and send just that. When the code comes back in, check the hash against
the verification table to get the user id.
(Note: use the string concatenated to the user id instead of a random
number, because random numbers can repeat!).
--
==================
Remove the "x" from my email address
Jerry Stuckle
JDS Computer Training Corp.
jstucklex@attglobal.net
==================
Navigation:
[Reply to this message]
|