#1 JohnDubya (Super Moderator), joined Nov 2006, Missouri, 634 posts, thanked 18 times in 18 posts

    Newsletter unsubscribe security

    I've designed a newsletter feature for my application, and I need to build in an unsubscribe link. What I'm trying to figure out is how to make it secure; in other words, I don't want someone to be able to copy the link and change it to unsubscribe people other than themselves. Every person's e-mail address is pulled from a MySQL database and sent through PHPMailer.

    So how would you do this? Would you do a hash of their e-mail address and match it somehow? I just need some suggestions to get my mind-wheels turning. Thanks.

#2 abduraooft (Supreme Master coder!), joined Mar 2007, location N/A, 14,854 posts, thanked 2,223 times in 2,210 posts, 1 blog entry
    How about sending another link (when someone clicks to unsubscribe) to the same mail id (which contains a copy of a random number stored in a table along with the user id) to confirm the removal of the subscription?
    The Dream is not what you see in sleep; Dream is the thing which doesn't let you sleep. --(Dr. APJ. Abdul Kalam)

#3 JohnDubya (Super Moderator), joined Nov 2006, Missouri, 634 posts, thanked 18 times in 18 posts
    Thanks for the suggestion, ab.

    FYI, I brainstormed, and I think I came up with a good way of doing this. In the unsubscribe link, I put the client_id (the client who is sending the newsletter), the person_id (of the person the client is sending the e-mail to), and a hash (of the person's e-mail address). On the unsubscribe page, it grabs the client's database, finds the person_id's e-mail address, and attempts to match the e-mail address hash in the link to the hash of the e-mail address in the database. If it matches, it sets that person_id's unsubscribe boolean to 1.

    Does anyone see any holes in this method?

#4 Inigoesdr (Super Moderator), joined Mar 2007, Florida, USA, 3,647 posts, thanked 406 times in 398 posts
    Just use a hash of the e-mail, id, person_id, etc. and store it in the database.
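A keyed-token version of the scheme discussed in this thread, added here as an example rather than code from the posts (the `UNSUB_SECRET` environment variable, the `subscriptions` table and the PDO handle are assumptions): the HMAC binds client_id and person_id to the stored address under a server-side key, so knowing someone's e-mail address alone is not enough to reproduce the token, and the handler recomputes it from the database copy and compares in constant time before setting the flag.

```php
<?php
// Added example, not from the thread. Assumes a server-side secret in the
// environment and a PDO connection to a MySQL table
// subscriptions(client_id, person_id, email, unsubscribed).

function unsubSecret(): string {
    $s = getenv('UNSUB_SECRET');                  // assumption: set in config/env
    if ($s === false || strlen($s) < 32) {
        throw new RuntimeException('UNSUB_SECRET is not configured');
    }
    return $s;
}

function unsubscribeToken(int $clientId, int $personId, string $email): string {
    // Bind all three values so the token cannot be moved to another person.
    $msg = $clientId . '|' . $personId . '|' . strtolower(trim($email));
    return hash_hmac('sha256', $msg, unsubSecret());
}

function unsubscribeLink(int $clientId, int $personId, string $email): string {
    return 'https://example.com/unsubscribe.php?' . http_build_query([
        'c' => $clientId,
        'p' => $personId,
        't' => unsubscribeToken($clientId, $personId, $email),
    ]);
}

// Handler side: look up the address the server has on file for this
// client/person, recompute the token and compare in constant time.
function handleUnsubscribe(PDO $db, array $query): bool {
    $clientId = filter_var($query['c'] ?? '', FILTER_VALIDATE_INT);
    $personId = filter_var($query['p'] ?? '', FILTER_VALIDATE_INT);
    $token    = $query['t'] ?? '';
    if ($clientId === false || $personId === false || !is_string($token)) {
        return false;
    }
    $sel = $db->prepare('SELECT email FROM subscriptions WHERE client_id = ? AND person_id = ?');
    $sel->execute([$clientId, $personId]);
    $email = $sel->fetchColumn();
    if ($email === false) {
        return false;                             // unknown id pair: no hint given
    }
    if (!hash_equals(unsubscribeToken($clientId, $personId, $email), $token)) {
        return false;                             // forged or altered link
    }
    $upd = $db->prepare('UPDATE subscriptions SET unsubscribed = 1 WHERE client_id = ? AND person_id = ?');
    $upd->execute([$clientId, $personId]);
    return true;
}
```

Because the token is derived rather than stored, no extra column is needed; rotating `UNSUB_SECRET` invalidates every link already sent, which is the trade-off to weigh against the stored-random-number approach from post #2.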
