zVirx Posted August 21, 2009 Share Posted August 21, 2009 Hello, i have an issue with the design of a news subscription script.. well here is the problem... It a news teller subscription script and its for anyone not necessary a user .. so it takes only the email: - Validate it . - Check if its already in the database. - Add it to the database. The issue if the one who subscribed wants to remove his subscription... that's another script that also takes only the email: - Validate it. - Check if its in the database. - Remove it from the database. Now anyone can remove any email form the database, by just typing a correct email that exist in the database in the un-subscription script. I can't find a proper way of validating the integrity of the input email. I was thinking maybe i could send him an email with an ID key, which he must use to un-subscribe his email ! .. but i don't know if that's the right way to go. What do you guys think, Thanks. Quote Link to comment https://forums.phpfreaks.com/topic/171257-solved-subscription-removal/ Share on other sites More sharing options...
Daniel0 Posted August 21, 2009 Share Posted August 21, 2009 I'd just generate an unsubscribe token when they subscribe and store it with the email in the database. Then in the bottom of each email you could have a like like this: http://example.com/unsubscribe.php?email=john@doe.com&token=Kjha987Hlad8a7Dkjhadd Quote Link to comment https://forums.phpfreaks.com/topic/171257-solved-subscription-removal/#findComment-903113 Share on other sites More sharing options...
zVirx Posted August 21, 2009 Author Share Posted August 21, 2009 Oh i was thinking of giving the unsubscribe script its own form... but that's actually better. One question though, there is no security issues with using the ID of the email instead of the token , is there ? so the link would look like: http://example.com/unsubscribe.php?email=john@doe.com&id=1 its just i don't want to overflow the database with hashes like this. Quote Link to comment https://forums.phpfreaks.com/topic/171257-solved-subscription-removal/#findComment-903163 Share on other sites More sharing options...
Daniel0 Posted August 21, 2009 Share Posted August 21, 2009 Unless you can somehow predict the order in which people subscribed, I suppose not. Quote Link to comment https://forums.phpfreaks.com/topic/171257-solved-subscription-removal/#findComment-903167 Share on other sites More sharing options...
gevans Posted August 21, 2009 Share Posted August 21, 2009 http://example.com/unsubscribe.php?email=john@doe.com&id=1 Again, if someone knows a valid email address and really wants to piss someone off it wouldn't be to hard to write some javascript to push out a load of links with that email address and an incrementing id. Daniel's original suggestion of a token would be a better option IMO. The only person that will ever see the token is the receiver of the email. Nice and simple, easy to do. Quote Link to comment https://forums.phpfreaks.com/topic/171257-solved-subscription-removal/#findComment-903168 Share on other sites More sharing options...
zVirx Posted August 21, 2009 Author Share Posted August 21, 2009 Unless you can somehow predict the order in which people subscribed, I suppose not. I was thinking the same thing :S But thought no one would go through it. Again, if someone knows a valid email address and really wants to piss someone off it wouldn't be to hard to write some javascript to push out a load of links with that email address and an incrementing id. Daniel's original suggestion of a token would be a better option IMO. The only person that will ever see the token is the receiver of the email. Nice and simple, easy to do. Umm thats true... Ok i'll go with the tokens instead. i was just concerned about the performance but i guess that wouldn't affect it that much. Thanks guys. Quote Link to comment https://forums.phpfreaks.com/topic/171257-solved-subscription-removal/#findComment-903186 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.