encrypting url passed variables

  #1 SitePoint Enthusiast

    Hi All,

    I know it's a good idea to pass variables using sessions.
    But take this simple instance for example:

    an unsubscribe button at the bottom of a junk email, which everyone has seen; unencrypted it would be something like:
    unsubscribe.php?user_id=1

    You couldn't pass that through a session?
    Obviously anyone could go through every number and unsubscribe everyone.

    In reality, these are encrypted at the bottom of junk emails, so you can't just unsubscribe everyone.

    There are a number of ways to encrypt this, but what is the best method with regards to what you store and reference in the database also?

    If you use hashed user_ids, wouldn't your database grow in size dramatically compared to numbers? Also, if you do store hashed user_ids, what creates the user id if you don't use an auto_incremented int column? Are they created randomly? How about if you get a duplicate?

    It's just a little blurry in my head at the moment; I've never needed to encrypt variables passed via a URL before, so if someone could give me a hint, it would be cool.

    Bearing in mind I don't want my database to grow 10 times larger just because I want to protect one little passed variable! There must be a simple solution that everyone uses?

    Please, tell me if I'm thinking about this in completely the wrong way. lol

  #2 MikeBigg
    One approach I might take: if the link at the bottom of the email contained a number of bits of data encrypted in a way that can be decrypted, you don't need to store anything different in the database - your script can extract the info needed to select the correct email record.

    For example: you could send the email id, the newsletter edition, a random number and a checksum.

    This might look like: 1003|2007017|161514|P

    encrypted might look like: agtbgdtferdsewsjhiyuhgtf

    Your unsubscribe link would add that string as a parameter.

    When someone clicks on the link, the unsubscribe script decrypts the string, checks the check character is right, then unsubscribes user 1003 and logs that the user unsubscribed because of something you wrote in the 17th edition of 2007.

    Make sense?

    Mike
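
    The scheme Mike describes, worked through as an added example (not code from the original thread or from any of the posters). It assumes Go, and it stands in AES-GCM for the hand-rolled "random number + check character": the GCM nonce gives each link its uniqueness and the authentication tag is the check, so a token that has been altered, or one built under a different key, is rejected before the script looks anything up. The payload layout (1003|2007017), the field names EmailID/Edition, the parameter name t and the key are all constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Payload carries what the post puts in the link: the email record id and
// the newsletter edition. The post's random number and check character are
// replaced by the AES-GCM nonce and authentication tag (same two roles).
type Payload struct {
	EmailID int
	Edition string
}

// encode uses the pipe-separated layout shown in the post (1003|2007017).
func (p Payload) encode() string {
	return strconv.Itoa(p.EmailID) + "|" + p.Edition
}

func decodePayload(s string) (Payload, error) {
	parts := strings.SplitN(s, "|", 2)
	if len(parts) != 2 {
		return Payload{}, errors.New("malformed payload")
	}
	id, err := strconv.Atoi(parts[0])
	if err != nil {
		return Payload{}, err
	}
	return Payload{EmailID: id, Edition: parts[1]}, nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// MakeToken encrypts and authenticates the payload and returns
// nonce||ciphertext||tag as URL-safe base64, ready to drop into the link.
func MakeToken(key []byte, p Payload) (string, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	sealed := aead.Seal(nonce, nonce, []byte(p.encode()), nil)
	return base64.RawURLEncoding.EncodeToString(sealed), nil
}

// ParseToken reverses MakeToken. A modified token, or one made under a
// different key, fails the GCM tag check and is rejected before the
// script touches the database.
func ParseToken(key []byte, token string) (Payload, error) {
	raw, err := base64.RawURLEncoding.DecodeString(token)
	if err != nil {
		return Payload{}, err
	}
	aead, err := newAEAD(key)
	if err != nil {
		return Payload{}, err
	}
	ns := aead.NonceSize()
	if len(raw) < ns+aead.Overhead() {
		return Payload{}, errors.New("token too short")
	}
	plain, err := aead.Open(nil, raw[:ns], raw[ns:], nil)
	if err != nil {
		return Payload{}, errors.New("token failed authentication")
	}
	return decodePayload(string(plain))
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed demo key; load from config in practice
	tok, _ := MakeToken(key, Payload{EmailID: 1003, Edition: "2007017"})
	fmt.Println("unsubscribe.php?t=" + tok)
	fmt.Println(ParseToken(key, tok))
	raw, _ := base64.RawURLEncoding.DecodeString(tok)
	raw[len(raw)-1] ^= 1 // corrupt one byte: authentication fails
	fmt.Println(ParseToken(key, base64.RawURLEncoding.EncodeToString(raw)))
}
```

    The database stays as it is: the script only ever selects by the integer EmailID it recovers from the token, and the key lives in server configuration, not in a table.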

  #3 markl999
    Another popular way is to use a link such as unsubscribe.php?email=whatever&id=32charactermd5here

    Where 32charactermd5here is an md5() of the email address + somesecretkey

  #4 SitePoint Enthusiast
    I like that idea Mike, seems a nice systematic approach.

    Both seem like good methods! For the method you mention, Mark, you would need to store that 32charactermd5 within the database alongside the user info, I guess?

  #5 markl999
    Quote:
        for the method you mention, Mark, you would need to store that 32charactermd5 within the database alongside the user info, I guess?
    Nope. As the url contains the email address and the hash you just need to md5(email address + secret key) and it should equal the hash.
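
    Mark's stateless check, worked through as an added example (not code from the original thread or from any of the posters). It assumes Go and uses HMAC-SHA256, the standard keyed-hash construction, where the post writes md5(email + secret key); the link shape unsubscribe.php?email=...&id=... is the one from the post, while the secret and the addresses are constructed for the demo. The point the example adds is the failure case: reusing Alice's id with Bob's address must be rejected, and the comparison is constant-time.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/url"
)

// SignEmail computes the id parameter: a keyed hash of the address. The
// server stores nothing, because it can recompute the value from the
// address carried in the same link. HMAC-SHA256 stands in for the post's
// md5(email + secret) as the standard keyed-hash construction.
func SignEmail(secret []byte, email string) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(email))
	return hex.EncodeToString(mac.Sum(nil))
}

// UnsubscribeLink builds unsubscribe.php?email=...&id=... as in the post.
func UnsubscribeLink(secret []byte, email string) string {
	q := url.Values{}
	q.Set("email", email)
	q.Set("id", SignEmail(secret, email))
	return "unsubscribe.php?" + q.Encode()
}

// VerifyUnsubscribeLink parses a clicked link and returns the address to
// unsubscribe only when id matches the recomputed hash. hmac.Equal is
// constant-time, so a wrong guess leaks nothing about the right value.
func VerifyUnsubscribeLink(secret []byte, link string) (string, bool) {
	u, err := url.Parse(link)
	if err != nil {
		return "", false
	}
	q := u.Query()
	email, id := q.Get("email"), q.Get("id")
	if email == "" || id == "" {
		return "", false
	}
	got, err := hex.DecodeString(id)
	if err != nil {
		return "", false
	}
	want, _ := hex.DecodeString(SignEmail(secret, email))
	if !hmac.Equal(got, want) {
		return "", false
	}
	return email, true
}

func main() {
	secret := []byte("constructed-demo-secret") // load from config in practice
	link := UnsubscribeLink(secret, "alice@example.com")
	fmt.Println(link)
	fmt.Println(VerifyUnsubscribeLink(secret, link))
	// Same id, different address: rejected, so nobody can unsubscribe Bob
	// with Alice's link.
	forged := "unsubscribe.php?email=bob%40example.com&id=" + SignEmail(secret, "alice@example.com")
	fmt.Println(VerifyUnsubscribeLink(secret, forged))
}
```

    Only the secret has to be kept, and it is one server-side value rather than one column per user, which answers the database-size worry in the opening post.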

  #6 SitePoint Enthusiast
    Ahh, gotcha!!

    Might give them both a little try and see how they pan out.

    Thanks for the tips, it's a lot less blurry now lol

  #7 tbakerisageek
    What an elegant solution, Mark.

