I don't think it's a good idea to expose email addresses like that. In between the user who clicks on the url and the server that hosts your application the request can pass through many other servers. You don't know what they log and what they do with those logs. So probably best to avoid doing that.I don't know the details of your application, so I can't say if a MySQL database would be best for you or not, but no matter the storage of your application you can avoid exposing email addresses in your email confirmation URLs. One solution is to keep an is_verified flag on your user entity. The user is created with that flag set to 0 (in the registration step). You can then generate your confirmation email url by generating a signature by hashing the combination user id and email. You put both the user id and the signature in the url (something like https://your.application.com/userId=1&signature=a012b345c678d9010123456789). Then when this request hits your application, retrieve the user by its id, generate the signature from id and email and compare with the signature in the url. If they match, update the user is_verified flag to 1 and save the user to storage.
On Sun, Apr 24, 2022 at 5:21 AM <gordonisnz@xxxxxxxxx> wrote:
Hello. I'm wondering if you can assist with advice regarding
a) a user enters their email address
b) I generate a code for login and generate an email.
c) the email contains the URL to log in
When the person clicks on it, I separate the email address - and
generate a new code - if it matches, they are logged in.
MAIN CONCERN - is if I have an email address in the actual URL, it may
be easier for spammers to pick it up & start spamming the user.. (I'm
not doing the spamming)..
Is that a real or imaginary concern? would the ISPs be spamming folk &
scanning for URLs that pass through their servers for email addresses?
Would a MySQL database be best - to store email addresses & assign a
user number for each email? Then use the user number in the URL?