[FX.php List] [OFF] sending email confirmation - follow up

Roger Price rp272 at cam.ac.uk
Wed Mar 5 02:19:37 MST 2008


It was a long day yesterday and I failed to notice the 'obvious'!

Base64 breaks 8 bit bytes into 6 bit chunks and uses the '=' padding character to make up the shortfall when the number of characters encoded is not exactly divisible by 3. I had added leading zeros to my record ID to make it 4 digits thus '==' would always be added to the end. 4 digits was just an arbitrary figure so increasing it to 6 solved the problem!

Thanks to everyone who offered a suggestion

Roger


----- Original Message ----- 
From: Roger Price 
To: FX.php Discussion List 
Sent: Tuesday, March 04, 2008 7:12 PM
Subject: Re: [FX.php List] [OFF] sending email confirmation


Thank you for all your suggestions. It seems that it is a well known problem for which UTF-7 Modified Base64 was developed which does not use the '='.

The '=' is a padding character which only appears at the end of an encoded string and then only as a single or double. I tried replacing it with other characters inc '_' but OE still ignored them.

Finally I did a str_replace exchanging '=' with ';1' and '==' with ';2'. Having a digit as the last character seems to fool OE. I haven't yet tried it with Entourage but I expect it will be fine. The code I used was:

if(substr($hash,-2,2)=='==') {$hash = str_replace('==',';2',$hash);} // double padding becomes ';2'
if(substr($hash,-1,1)=='=')  {$hash = str_replace('=',';1',$hash);}  // single padding becomes ';1'
where $hash was the original base64 encoded 'recid'

This can of course be easily reversed on the target page. It is not a very elegant solution but works well enough.

Roger







----- Original Message ----- 
From: "Chris Hansen" <chris at iViking.org>
To: "FX.php Discussion List" <fx.php_list at mail.iviking.org>
Sent: Tuesday, March 04, 2008 4:46 PM
Subject: Re: [FX.php List] [OFF] sending email confirmation


Roger,

Andrew has the right approach here.  The base64_encode() is great for  
encoding things in a way which makes them not readily recognizable,  
but any string that goes into a url which may have non-alphanumeric  
characters in it needs to be urlencoded. period.  This is fundamental  
to working with the web and would even affect putting a text field  
into a URL (those spaces will cause you problems) or comparing one way  
hashes.  For more information about encoding, check out the PHP docs:

http://us.php.net/manual/en/function.urlencode.php
http://us.php.net/manual/en/function.rawurlencode.php

So most likely what you want to do is first come up with an  
unrecognizable string, and then be sure to urlencode it.  Just one  
extra step, and you should be fine.  HTH

--Chris Hansen
   FileMaker 8 Certified Developer
   FileMaker 7 Certified Developer
   Creator of FX.php
   "The best way from FileMaker to the Web."
   www.iViking.org

On Mar 4, 2008, at 8:36 AM, Andrew Denman wrote:

> Roger,
>
> Since the equal sign is a special character for URLs, it is a good  
> idea to not use them in your data if possible.  If you must use the  
> equal signs, you should URL encode them to ensure they work  
> everywhere.
>
> In FileMaker there is the GetAsURLEncoded() function, and in PHP  
> there is the rawurlencode() function.
>
> Andrew Denman
>
> From: fx.php_list-bounces at mail.iviking.org [mailto:fx.php_list-bounces at mail.iviking.org] On Behalf Of Steve Winter
> Sent: Tuesday, March 04, 2008 9:15 AM
> To: 'FX.php Discussion List'
> Subject: RE: [FX.php List] [OFF] sending email confirmation
>
> Hi Roger,
>
> I presume that the presence of the two == are a function of  
> base64_encode…?? If not, what purpose do they serve…?
>
> Perhaps using an alternative encoding method (eg md5) might resolve  
> the issue, since it would not result in == characters…??
>
> Cheers
> Steve
>
> From: fx.php_list-bounces at mail.iviking.org [mailto:fx.php_list-bounces at mail.iviking.org] On Behalf Of Roger Price
> Sent: 04 March 2008 15:10
> To: FX.php Discussion List
> Subject: [FX.php List] [OFF] sending email confirmation
>
> As part of a web project I am collecting data from some of our  
> past students that we have lost contact with.
>
> I want to try to ensure that we don't get too many malicious returns  
> so I intend to send a confirmation to the entered email address with  
> an activation link.
>
> So far so good!
>
> In order that the database record key is not blatantly obvious I'm  
> using base64_encode!
>
> However when I mail a link such as:
> http://www.xxx.xxx.xx.xx..edit2.html?rec=MDAwMQ==
> the two '=' characters that are generated at the end of this  
> particular record are omitted from the hyperlink when viewed in  
> Outlook Express or Windows Mail. Entourage only omits one! However  
> Outlook and my webmail program work perfectly.
>
> If anybody resolved this problem before I would be grateful to know  
> the best way.
>
> Roger
>
>
>
>
>
> _______________________________________________
> FX.php_List mailing list
> FX.php_List at mail.iviking.org
> http://www.iviking.org/mailman/listinfo/fx.php_list
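
Added example, not code from any poster in this thread: the record ID carried as URL-safe Base64 with the '=' padding dropped, so no character in the link needs URL-encoding and a mail client has no trailing '=' to strip. It goes one step beyond the thread by appending an HMAC tag, since Base64 alone is reversible and a recipient could otherwise edit the ID. The function names and the key are hypothetical placeholders.

```php
<?php
// Added example; function names and $key are hypothetical.

// URL-safe Base64 (RFC 4648 "base64url"): '+' and '/' become '-' and '_',
// and the trailing '=' padding is removed.
function b64url_encode(string $bin): string {
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

// Reverse of the above; returns false on input that is not valid Base64.
function b64url_decode(string $txt) {
    // The padding is implied by the length, so it can be restored here.
    $pad = (4 - strlen($txt) % 4) % 4;
    return base64_decode(strtr($txt, '-_', '+/') . str_repeat('=', $pad), true);
}

// Token = base64url(recid) . '.' . base64url(HMAC-SHA256(recid, key))
function make_token(string $recid, string $key): string {
    $mac = hash_hmac('sha256', $recid, $key, true);
    return b64url_encode($recid) . '.' . b64url_encode($mac);
}

// Returns the record ID, or null if the token is malformed or was altered.
function check_token(string $token, string $key): ?string {
    $parts = explode('.', $token);
    if (count($parts) !== 2) {
        return null;
    }
    $recid = b64url_decode($parts[0]);
    $mac   = b64url_decode($parts[1]);
    if ($recid === false || $mac === false) {
        return null;
    }
    // hash_equals() compares in constant time.
    $expected = hash_hmac('sha256', $recid, $key, true);
    return hash_equals($expected, $mac) ? $recid : null;
}

$key   = 'REPLACE-WITH-A-RANDOM-SERVER-SIDE-SECRET'; // placeholder, keep off the page
$token = make_token('0001', $key);                   // '0001' is the record ID from the thread
echo "edit2.html?rec=$token\n";                      // link contains no '=', '+' or '/'
var_dump(check_token($token, $key));                 // genuine token
// Constructed tampered token: ID part swapped for base64url('0002'), tag unchanged.
var_dump(check_token('MDAwMg' . substr($token, 6), $key));
```

The target page calls check_token() on the rec parameter and only looks up the record when the result is not null.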
