alternatives to log on
There are users that give feedback about the quality they receive from a prior request they've made.
I would rather not create a username/password scheme for this, since most will only do this a single time. And they may be loose with handling their passwords.
I've considered using other fields to log on with, username = email and "password" = phone # or other such fields, like from a control question (favorite pet, car, etc.), which would insert on a Feedback table, but this sounds weak.
Anybody have better suggestions? Send a form to their email with a clickable link to insert into a Feedback table (rowid passed in email?) Or maybe in CSV format back to me that I would insert (batch process?) using their email for a rowid match? (downside being admin time and effort to process)
One challenge is that these requests they make are carried out over a period of weeks or months to fulfill and this must be complete prior to insert on any Feedback table.
A method I always use is to assign a "SID" (security identifier), which is basically a random string of letters & numbers, to every record in the table.
Then, when you do a mailing, give them a link to "/firstname.lastname@example.org&SID=F5Yef4WJ9
The script "/whatever.asp" will do a lookup and attempt to match the user's email address with the SID found in the table for that particular record. If match, then show the form and allow a submission. If no match, bounce 'em! :rofl:
Even if you have not already done this, you can add the column, fill it with NULLs, then write a VBScript that will update each record with a SID. Note that SIDs don't necessarily have to be unique in your table. It's hard enough to guess a 6-digit number for lotto! I usually make the SID 8 or 10 chars, unless it is something the user must manually type.
Case sensitivity is incorporated into the generation of the code, but you can UCASE or LCASE it just before you do the matching process. It probably won't matter unless you suspect people will tamper with the URL.
If you have multiple instances of a particular email address, then you'll have to be a little more creative. Possibly, you could unify the SID on a per-email basis or use a "Users" table (with unique emails) for this purpose.
Any unique field that identifies the person in combination with SID will work.
If you're interested in the VBScript, PM me.
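Function MakeSID(num)
    Dim i, intNum, intUpper, intLower, intRand, strPartPass
    ' num = number of characters in SID
    Randomize ' seed Rnd; without this every run repeats the same sequence
    For i = 1 To num
        intNum = Int(10 * Rnd + 48)    ' ASCII code of a digit 0-9
        intUpper = Int(26 * Rnd + 65)  ' ASCII code of a letter A-Z
        intLower = Int(26 * Rnd + 97)  ' ASCII code of a letter a-z
        intRand = Int(3 * Rnd + 1)     ' choose which of the three to use
        Select Case intRand
            Case 1
                strPartPass = Chr(intNum)
            Case 2
                strPartPass = Chr(intUpper)
            Case 3
                strPartPass = Chr(intLower)
        End Select
        MakeSID = MakeSID & strPartPass
    Next
End Function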
This is helpful, thank you. Luckily this is a new table.
Couldn't I use autogenerate password on the "SID" (security identifier) column?
The only other thing is the timing. I won't know unless one of two parties notifies me of completion of the request to send this email containing SID out. It could be sent out ahead of time of course.
How would you feel about a SID resting in user inboxes for weeks/months or permanently? A risk worth worrying about? Seems it would be a little hard to find, unless they knew of this particular process in relation to my site. But again, this is only a user Feedback form and it could be on its own table.
If even a "bad guy" were to get the SID, as with password, and could enter that record -- he or she would only have access to that particular row, right?
Well, I'm not sure which database / scripting system you are using, but "autogenerate password" isn't something in ASP or SQL Server. (.NET has this?)
It's not a problem to expose the SID to an end-user. Remember, users must supply a password in order to check email, so there is already one line of security in-place. Tampering with the SID, as you suggest, is useless because yes, it will only match one row in that table.
Autogenerate password would generate a unique value like "F5Yef4WJ9".
It's PHP; an extension to Dreamweaver MX is what I'm referring to.
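
The SID-in-a-link scheme discussed in this thread, sketched in PHP as an added example (not code from any poster). The table layout, function names and sample data are assumptions, and it assumes the pdo_sqlite extension; it draws the SID from random_bytes, stores only its hash, and makes each link single-use with an expiry.

```php
<?php
declare(strict_types=1);

// Hypothetical feedback table; the thread does not give a schema.
function open_store(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE feedback (id INTEGER PRIMARY KEY, email TEXT NOT NULL,
        sid_hash TEXT NOT NULL, expires_at INTEGER NOT NULL, comment TEXT)');
    return $db;
}

// Issue a SID once the request is reported complete; only its hash is stored.
function issue_sid(PDO $db, string $email, int $ttl, int $now): string {
    $sid = bin2hex(random_bytes(16)); // 128 bits from the OS CSPRNG
    $ins = $db->prepare('INSERT INTO feedback (email, sid_hash, expires_at) VALUES (?, ?, ?)');
    $ins->execute([strtolower($email), hash('sha256', $sid), $now + $ttl]);
    return $sid; // goes into the e-mailed link
}

// Accept feedback only when email + SID match an unexpired, unused row.
function submit_feedback(PDO $db, string $email, string $sid, string $comment, int $now): bool {
    $q = $db->prepare('SELECT id, sid_hash FROM feedback
        WHERE email = ? AND expires_at > ? AND comment IS NULL');
    $q->execute([strtolower($email), $now]);
    // One address may have several open requests, so check every candidate row.
    foreach ($q->fetchAll(PDO::FETCH_ASSOC) as $row) {
        if (hash_equals($row['sid_hash'], hash('sha256', $sid))) { // constant-time compare
            $u = $db->prepare('UPDATE feedback SET comment = ? WHERE id = ? AND comment IS NULL');
            $u->execute([$comment, $row['id']]);
            return $u->rowCount() === 1; // single use: a second submit finds no row
        }
    }
    return false;
}

// Constructed demo data: two open requests for the same address.
$db = open_store();
$now = 1700000000;
$first = issue_sid($db, 'Pat@example.org', 30 * 86400, $now);
$second = issue_sid($db, 'pat@example.org', 30 * 86400, $now);
var_dump(submit_feedback($db, 'pat@example.org', 'F5Yef4WJ9', 'guess', $now));
var_dump(submit_feedback($db, 'pat@example.org', $first, 'Great service', $now));
var_dump(submit_feedback($db, 'pat@example.org', $first, 'replay', $now));
var_dump(submit_feedback($db, 'pat@example.org', $second, 'too late', $now + 31 * 86400));
```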