Re[2]: encrypt and decrypt

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hello Merlin,

Wednesday, November 3, 2004, 2:50:48 PM, you wrote:

M> The system will send out emails to customers with a link where they can change
M> their details. To identify the record, the link has to carry the client id. But
M> if it is obvious that this is the id, manipulation of the id can lead to change
M> any record they like. I don't want to get as far as passwords, in order to keep
M> it simple for the customer.

You could always not rely on the auto inc'd ID for this.

Have an ID column, sure, but you could also have a "LinkID" column (or
similar) which can hold a short random hash of characters. For example
the first 8 characters of an MD5. You send this to the user in their
emails, etc. Then a simple look-up in the DB to see what real ID
matches the Link ID would suffice and you can continue as normal.

Someone could still possibly guess a Link ID, but the longer it is,
the harder it'll be to guess successfully.

This is a technique I use currently and haven't encountered any
problems with it. I have a "UserID" which is the auto-inc MySQL value
for the user, and a "SiteUserID" which is a 32-char MD5 and that is
what I use everywhere on the site - in emails, links, view/profile
pages, etc.

Best regards,

Richard Davey
-- 
 http://www.launchcode.co.uk - PHP Development Services
 "I am not young enough to know everything." - Oscar Wilde

-- 
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php


[Index of Archives]     [PHP Home]     [Apache Users]     [PHP on Windows]     [Kernel Newbies]     [PHP Install]     [PHP Classes]     [Pear]     [Postgresql]     [Postgresql PHP]     [PHP on Windows]     [PHP Database Programming]     [PHP SOAP]

  Powered by Linux