[FX.php List] [OFF] sending email confirmation
Steve Winter
steve at bluecrocodile.co.nz
Tue Mar 4 09:01:20 MST 2008
Hi Roger,
You're quite right, there is in theory no way to decode md5. I see now what you're trying to do, you actually want to be able to extract the ID from the URL.
Probably the suggestions for urlencoding the == will resolve the issue for you.
Here's an alternative way to deal with it, which uses the md5 and prevents people from hacking the URL when their ID is in clear text.
In your db, create a secret field and put a value in there, say Bt7£sFg, then when you create your URL go for
edit2.html?id=0001&h=md5(id+secret)
On your receiving page (assuming it's PHP) you can check that the id in the URL matches the id in the hash:
    $secret = 'Bt7£sFg';
    // Recompute the hash from the id in the URL and the server-side secret
    $hash = md5($_GET['id'].$secret);
    // Strict comparison: a loose != would treat two '0e...' md5 strings as equal
    if ($hash !== $_GET['h']) {
        echo 'You have tried to hack into someone else\'s account';
    } else {
        //The rest of your page goes here
    }
That way you can be certain that the person hasn't hacked your URL to try and access someone else's details.
If like Jonathan you want to place a time limit on this as well, you can extend your URL a bit further and put a (unix) timestamp in there, so your URL would become something like
edit2.html?id=0001&ts=11234267&h=md5(id+timestamp+secret)
Then on your page you can do:
    $secret = 'Bt7£sFg';
    $lifetime = 60 * 60 * 24 * 7;   // how long you want the link to live for, in seconds
    // The timestamp is inside the hash, so it cannot be edited without breaking the hash
    $hash = md5($_GET['id'].$_GET['ts'].$secret);
    if ($hash !== $_GET['h']) {
        echo 'You have tried to hack into someone else\'s account';
    } elseif ((int)$_GET['ts'] + $lifetime < time()) {
        // Link was issued more than $lifetime seconds ago
        echo 'The link you tried to use has expired. We are no longer collecting data from previous students';
    } else {
        //The rest of your page goes here
    }
Helpful?
Cheers
Steve
_____
From: fx.php_list-bounces at mail.iviking.org
[mailto:fx.php_list-bounces at mail.iviking.org] On Behalf Of Roger Price
Sent: 04 March 2008 15:40
To: FX.php Discussion List
Subject: Re: [FX.php List] [OFF] sending email confirmation
Steve
Yes, when you base64 encode '0001' you get 'MDAwMQ=='.
I have since looked at md5() and while it's just as easy to encode, there does not appear to be a simple decode function.
I'm not quite so worried about security as this strategy would not in any
case prevent malicious responses but it should limit them to only the very
dedicated hacker and quite frankly I don't suppose they would be bothered!
Roger
----- Original Message -----
From: Steve Winter <steve at bluecrocodile.co.nz>
To: 'FX.php Discussion List' <fx.php_list at mail.iviking.org>
Sent: Tuesday, March 04, 2008 3:15 PM
Subject: RE: [FX.php List] [OFF] sending email confirmation
Hi Roger,
I presume that the presence of the two == is a function of base64_encode? If not, what purpose do they serve?
Perhaps using an alternative encoding method (eg md5) might resolve the issue, since it would not result in == characters?
Cheers
Steve
_____
From: fx.php_list-bounces at mail.iviking.org
[mailto:fx.php_list-bounces at mail.iviking.org] On Behalf Of Roger Price
Sent: 04 March 2008 15:10
To: FX.php Discussion List
Subject: [FX.php List] [OFF] sending email confirmation
As part of a web project I am collecting data from some of our past students that we have lost contact with.
I want to try to ensure that we don't get too many malicious returns so I
intend to send a confirmation to the entered email address with an
activation link.
So far so good!
In order that the database record key is not blatantly obvious I'm using
base64_encode!
however when I mail a link such as:
http://www.xxx.xxx.xx.xx..edit2.html?rec=MDAwMQ==
the two '=' characters that are generated at the end of this particular
record are omitted from the hyperlink when viewed in Outlook Express or
Windows Mail. Entourage only omits one! However Outlook and my webmail
program work perfectly.
If anybody has resolved this problem before I would be grateful to know the best way.
Roger
_____
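The two problems in this thread, the trailing '=' padding that some mail clients drop from a base64 URL parameter (Roger's original message) and tying the record id to a server-side secret so the id in the link cannot be edited (Steve's md5(id+timestamp+secret) suggestion), fit naturally into one routine. Below is an added example in Python, not code from the list or from FX.php, that does both: it emits URL-safe base64 with the padding stripped and restores it on receipt, and it signs the id and timestamp with a keyed HMAC-SHA256 instead of a bare md5 over concatenated strings, comparing the tag in constant time. The secret value, the one-week lifetime, the example base URL and the clock-skew allowance are assumptions for the example, not values from the thread.

```python
"""Signed, expiring activation links with URL-safe encoding.

Added example, not code from the FX.php list thread (which is PHP).
It covers the two problems raised there: the trailing '=' padding that
some mail clients drop from a base64 URL parameter, and binding the
record ID to a server-side secret so the ID in the URL cannot be edited.
Assumed (not from the thread): the SECRET value, a one-week lifetime,
the base URL, and the tolerance for clock skew.
"""
import base64
import hashlib
import hmac
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical server-side secret: keep it in config, never in the URL.
SECRET = b"Bt7-example-secret-change-me"
LIFETIME = 7 * 24 * 3600   # seconds a link stays valid (assumed: one week)
SKEW = 300                 # seconds of clock skew tolerated on the timestamp


def b64url_encode(raw: bytes) -> str:
    """URL-safe base64 with '=' padding stripped, so a mail client has nothing to drop."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Re-pad to a multiple of 4 before decoding; accepts input with or without '='."""
    text = text.rstrip("=")
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _tag(rec: str, ts: int) -> bytes:
    # Keyed HMAC-SHA256 over id and timestamp rather than md5(id.ts.secret):
    # the secret is the key, and the '|' separator stops id/ts boundary games.
    msg = f"{rec}|{ts}".encode("utf-8")
    return b64url_encode(hmac.new(SECRET, msg, hashlib.sha256).digest()).encode("ascii")


def make_link(rec: str, base: str = "http://www.example.com/edit2.html",
              now: Optional[int] = None) -> str:
    """Build the activation URL: rec (URL-safe base64), ts (unix time), h (tag over both)."""
    ts = int(time.time()) if now is None else now
    params = {"rec": b64url_encode(rec.encode("utf-8")), "ts": ts,
              "h": _tag(rec, ts).decode("ascii")}
    return f"{base}?{urlencode(params)}"


def verify_link(url: str, now: Optional[int] = None) -> Tuple[bool, str]:
    """Return (True, record_id) or (False, reason).

    The tag is checked before the expiry, and the tag covers ts, so a
    recipient cannot extend a link by editing the timestamp.
    """
    q = parse_qs(urlsplit(url).query)
    try:
        rec = b64url_decode(q["rec"][0]).decode("utf-8")
        ts = int(q["ts"][0])
        tag = q["h"][0].encode("ascii")
    except (KeyError, ValueError):   # missing field, bad base64, non-numeric ts, non-ASCII tag
        return False, "malformed"
    if not hmac.compare_digest(tag, _tag(rec, ts)):   # constant-time, unlike != on strings
        return False, "bad signature"
    current = int(time.time()) if now is None else now
    if ts + LIFETIME < current or ts > current + SKEW:
        return False, "expired"
    return True, rec


if __name__ == "__main__":
    link = make_link("0001", now=1204617680)   # constructed sample: record '0001'
    print(link)
    print(verify_link(link, now=1204617680 + 3600))
    print(verify_link(link.replace("rec=MDAwMQ", "rec=MDAwMg"), now=1204617680))
```

The record id '0001' encodes as MDAwMQ with no padding, and decoding accepts either MDAwMQ or MDAwMQ==, so a link that arrives with its '=' stripped still works. Changing the rec or ts parameter in a link fails the signature check before the expiry check is reached.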
_______________________________________________
FX.php_List mailing list
FX.php_List at mail.iviking.org
http://www.iviking.org/mailman/listinfo/fx.php_list