NYPHP.org

[nycphp-talk] MD5 + Flash

Hans Zaunere lists at zaunere.com
Sun Aug 21 17:45:41 EDT 2005



talk-bounces at lists.nyphp.org wrote on Sunday, August 21, 2005 2:24 PM:
> Hiya,
> 
> If you're over on WWWAC you've already seen this but I'm asking here
> from another slant. I have no idea what I can or can't do withOUT
> having to create/manage a mySQL db...my server will let me do this
> easily enough but it's been over a year since I've thought of PHP or
> mySQL and I don't want to get so distracted by the programming
> mindset that I forget what I was doing in the first place (trying to
> do some marketing). 
> 
> Below is the process I'm trying to implement - step 5 is where I'm
> fuzzy...I know I could definitely have the URL come back to a
> PHP page that looks up the string in a db (and a very simple one,
> I'm sure, since it's just a list) but I'd rather just have the URL come
> back to the Flash file and do the checking from within the .swf,
> with ActionScript - is that easier or harder? Since you guys all love
> PHP and probably only half of you even like AS, I know it's a biased
> answer I'll get :-) but try to be objective and not play favorites on
> the languages here. 
> 
> What I want to do:
> 
> (1) user gives me email address
> 
> (2) with a PHP script (free from http://www.allhype.co.uk/tools/md5/
> and a very nice script actually!!) I MD5 their email address
> 
> (3) I send user a message (to validate the address works) that has
> their MD5'd address as a link for them to come back and get what they
> want 
> 
> (4) user clicks unique query string in the email I've sent them
> 
> (4) I validate the string .....how/from where is the ??? :)
> 
> (5) if valid, give them the Flash file; if not, give them an
> error message

You could do all of this with just Flash, etc. assuming Flash has MD5, as
I'm sure it does, but you'll be limited.  If you want to track who has
downloaded what files, the browser they're using, etc. you won't be able to
do so without a DB.

There's also a security concern here.  There's no way to know that the email
address you've gotten originally is the same as the one that's coming from
the link.  Since you're not storing anything anywhere, you have no way to
keep persistent data.  If I know that you're checking that an MD5 matches
the MD5 of the email address, I can pass you any MD5 I want, and it'll
validate.

H
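
The concern raised in the reply above, as an added example that is not part of the original thread: a check of the form md5(email) == token accepts a token the visitor computed themselves, while a keyed token can still be verified without a database. HMAC-SHA256 with a server-side secret is a technique swapped in here as an assumption, not something the thread proposes; the function names, the query parameters `e`, `x` and `t`, the URL, the addresses and the secret are all hypothetical.

```php
<?php
// Added example; all values below are constructed.
// Assumption: SECRET is a random value known only to the server.
const SECRET = 'placeholder-replace-with-random-server-side-secret';

// Scheme from the thread: the token is md5(email). No secret is involved,
// so anyone who knows the rule can produce a matching token.
function weak_check(string $email, string $token): bool {
    return md5(strtolower($email)) === $token;
}

// Keyed token over the address and an expiry time. Without SECRET a
// visitor cannot compute it, and the server still stores nothing.
function make_token(string $email, int $expires): string {
    return hash_hmac('sha256', strtolower($email) . '|' . $expires, SECRET);
}

// Build the link that goes into the validation email.
function make_link(string $base, string $email, int $ttl = 86400): string {
    $expires = time() + $ttl;
    return $base . '?' . http_build_query([
        'e' => $email,
        'x' => $expires,
        't' => make_token($email, $expires),
    ]);
}

// Recompute the token from the link's own fields and compare it in
// constant time; expired links are refused before the comparison.
function strong_check(string $email, int $expires, string $token): bool {
    if ($expires < time()) {
        return false;
    }
    return hash_equals(make_token($email, $expires), $token);
}

// Case 1: a visitor picks an address that was never mailed and computes
// the md5 themselves, then presents it to each check.
$claimed = 'never-mailed@example.com';
$forged  = md5($claimed);
var_dump(weak_check($claimed, $forged));
var_dump(strong_check($claimed, time() + 3600, $forged));

// Case 2: a link the server issued, checked as received, then checked
// again with its expiry field altered.
parse_str(parse_url(make_link('https://example.com/get.php', 'user@example.com'), PHP_URL_QUERY), $q);
var_dump(strong_check($q['e'], (int) $q['x'], $q['t']));
var_dump(strong_check($q['e'], (int) $q['x'] + 1, $q['t']));
```

The keyed link proves only that the server issued it for that address; recording who downloaded what still needs stored state, as the reply says.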