
Hello, I have an issue with the design of a news subscription script.

well here is the problem...

 

It's a newsletter subscription script and it's for anyone, not necessarily a user, so it takes only the email:

- Validate it.

- Check if it's already in the database.

- Add it to the database.

 

The issue is if the one who subscribed wants to remove his subscription...

that's another script that also takes only the email:

- Validate it.

- Check if it's in the database.

- Remove it from the database.

 

Now anyone can remove any email from the database, by just typing a correct email that exists in the database into the un-subscription script.

 

I can't find a proper way of validating the integrity of the input email.

I was thinking maybe I could send him an email with an ID key, which he must use to un-subscribe his email! .. but I don't know if that's the right way to go.

 

What do you guys think? Thanks.


Oh, I was thinking of giving the unsubscribe script its own form... but that's actually better.

One question though, there are no security issues with using the ID of the email instead of the token, are there?

 

So the link would look like:

http://example.com/unsubscribe.php?email=john@doe.com&id=1

 

It's just I don't want to overflow the database with hashes like this.

 

Unless you can somehow predict the order in which people subscribed, I suppose not.

 

I was thinking the same thing :S

But thought no one would go through it.

 

Again, if someone knows a valid email address and really wants to piss someone off it wouldn't be too hard to write some javascript to push out a load of links with that email address and an incrementing id.

 

Daniel's original suggestion of a token would be a better option IMO. The only person that will ever see the token is the receiver of the email. Nice and simple, easy to do.

 

Umm, that's true... OK, I'll go with the tokens instead. I was just concerned about the performance but I guess that wouldn't affect it that much.

 

Thanks guys.
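For reference, the token approach the thread settled on, written out as an added PHP example (not code posted by anyone in the thread). It assumes a PDO connection `$pdo` and a hypothetical `subscribers` table with a UNIQUE `email` column and a `token_hash` column; the token itself is only ever placed in the e-mail, and only its hash is stored.

```php
<?php
// Added example (not code from the thread). Assumes a PDO connection $pdo
// opened with PDO::ERRMODE_EXCEPTION and a hypothetical table
// `subscribers` (email VARCHAR UNIQUE, token_hash CHAR(64)).

// Subscribe: validate, generate a random token, store only its hash.
function subscribe(PDO $pdo, string $email): ?string
{
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;                       // reject malformed addresses
    }
    $token = bin2hex(random_bytes(32));    // 64 hex chars, not guessable
    $hash  = hash('sha256', $token);       // a DB leak does not expose usable tokens
    $stmt  = $pdo->prepare(
        'INSERT INTO subscribers (email, token_hash) VALUES (:email, :hash)'
    );
    try {
        $stmt->execute([':email' => $email, ':hash' => $hash]);
    } catch (PDOException $e) {
        return null;                       // UNIQUE violation: already subscribed
    }
    return $token;                         // only ever sent in the confirmation e-mail
}

// The link mailed to the subscriber: e-mail plus its token, nothing sequential.
function unsubscribeLink(string $email, string $token): string
{
    return 'https://example.com/unsubscribe.php?'
        . http_build_query(['email' => $email, 'token' => $token]);
}

// unsubscribe.php: the request must carry the e-mail AND the matching token.
function unsubscribe(PDO $pdo, string $email, string $token): bool
{
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    $stmt = $pdo->prepare('SELECT token_hash FROM subscribers WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;                      // unknown address: same answer as a bad token
    }
    // Constant-time compare so response timing does not leak partial matches.
    if (!hash_equals($row['token_hash'], hash('sha256', $token))) {
        return false;
    }
    $del = $pdo->prepare('DELETE FROM subscribers WHERE email = :email');
    return $del->execute([':email' => $email]);
}
```

The storage cost is one 64-character hash per subscriber, so the "overflowing the database" concern from the thread does not really arise.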
