On Wednesday 03 November 2004 14:50, Merlin wrote:

> Here is a short explanation:
> The system will send out emails to customers with a link where they can
> change their details. To identify the record, the link has to carry the
> client id. But if it is obvious that this is the id, manipulation of the id
> can lead to change any record they like. I don't want to get as far as
> passwords, in order to keep it simple for the customer.
>
> This is why I think encrypting the ID might be the easiest solution.
> I can't understand that this is such a hard thing to do.

Have a table with 3 columns holding:

  userid
  random hash (see manual for uniqid())
  expiry time

NB the random hash does not need to be (and should not be) based on the userid. This is for security reasons -- to prevent 'dictionary' based attacks.

NB the expiry time is for extra security.

--
Jason Wong -> Gremlins Associates -> www.gremlins.biz
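The three-column table described in the reply above, as an added example (not code from the original message or its author). The table name, function names, the `shop.example` URL and the customer id are hypothetical. It swaps in `random_bytes()` for `uniqid()`, which is time-based and documented in the PHP manual as not cryptographically secure, and it goes beyond the message by storing only a hash of the token and deleting it after use.

```php
<?php
// Added example: opaque, expiring tokens for e-mailed "change your details" links.
// Hypothetical schema; uses an in-memory SQLite database so it runs stand-alone.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE edit_tokens (
    userid     INTEGER NOT NULL,
    token_hash TEXT    NOT NULL UNIQUE,
    expires_at INTEGER NOT NULL
)');

// Issue a token for the link. It is random and not derived from the userid.
function issueToken(PDO $db, int $userid, int $ttl = 86400): string
{
    $token = bin2hex(random_bytes(32)); // 256 bits from the OS CSPRNG
    $stmt = $db->prepare(
        'INSERT INTO edit_tokens (userid, token_hash, expires_at) VALUES (?, ?, ?)'
    );
    // Store only a hash so a leaked table does not yield usable links.
    $stmt->execute([$userid, hash('sha256', $token), time() + $ttl]);
    return $token;
}

// Map a token from the link back to a userid; null if unknown or expired.
function resolveToken(PDO $db, string $token): ?int
{
    if (!preg_match('/\A[0-9a-f]{64}\z/', $token)) {
        return null; // reject malformed input before touching the database
    }
    $stmt = $db->prepare(
        'SELECT userid FROM edit_tokens WHERE token_hash = ? AND expires_at > ?'
    );
    $stmt->execute([hash('sha256', $token), time()]);
    $userid = $stmt->fetchColumn();
    return $userid === false ? null : (int) $userid;
}

// Remove the token once the customer has saved the change (single use).
function consumeToken(PDO $db, string $token): void
{
    $db->prepare('DELETE FROM edit_tokens WHERE token_hash = ?')
       ->execute([hash('sha256', $token)]);
}

// Constructed sample run with a made-up customer id.
$token = issueToken($db, 1042);
echo "Link: https://shop.example/details.php?t=$token\n";
var_dump(resolveToken($db, $token));              // token as issued
var_dump(resolveToken($db, str_repeat('0', 64))); // guessed token
consumeToken($db, $token);
var_dump(resolveToken($db, $token));              // token already used
```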