[nycphp-talk] design question: user self-registration
David Mintz
david at davidmintz.org
Wed Sep 1 11:27:43 EDT 2010
On Tue, Aug 31, 2010 at 11:56 PM, John Campbell <jcampbell1 at gmail.com> wrote:
> > that sounds like a
> > poor idea, basically allowing anyone to run an update on anyone else's
> > record in the table.
>
> Are you using the email as the only "GET" parameter to do the
> confirmation? That is a mistake.
>
> Do something like:
>
> confirm.php?email=joe at example.com&checksum=abcdefg123
>
> where checksum is md5($email . 'a secret');
>
>
Totally planning to do it that way.
--
Support real health care reform:
http://phimg.org/
--
David Mintz
http://davidmintz.org/
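
The checksum-protected confirmation link discussed above, as an added example that is not part of the original thread: it keeps the same idea (a keyed checksum over the address) but computes it with hash_hmac() using SHA-256, compares it in constant time with hash_equals(), and binds an expiry time into the checksum. The secret, host name, function names and the `expires` parameter are assumptions.

```php
<?php
// Added example, not code from the thread. Secret, host and names are assumptions.
const CONFIRM_SECRET = 'replace-with-long-random-server-side-secret'; // placeholder

// Build the link: the MAC covers both the address and the expiry time,
// so neither can be changed without invalidating the checksum.
function make_confirm_url(string $email, int $ttl = 86400, ?int $now = null): string
{
    $expires = ($now ?? time()) + $ttl;
    $mac = hash_hmac('sha256', strtolower($email) . '|' . $expires, CONFIRM_SECRET);
    return 'https://www.example.com/confirm.php?' . http_build_query([
        'email'    => $email,
        'expires'  => $expires,
        'checksum' => $mac,
    ]);
}

// Verify the query-string parameters received by confirm.php.
function verify_confirm(array $get, ?int $now = null): bool
{
    foreach (['email', 'expires', 'checksum'] as $key) {
        if (!isset($get[$key]) || !is_string($get[$key])) {
            return false; // missing or array-valued parameter
        }
    }
    if (!ctype_digit($get['expires']) || (int) $get['expires'] < ($now ?? time())) {
        return false; // malformed or expired link
    }
    $expected = hash_hmac(
        'sha256',
        strtolower($get['email']) . '|' . $get['expires'],
        CONFIRM_SECRET
    );
    return hash_equals($expected, $get['checksum']); // constant-time comparison
}

// Constructed sample run with a fixed clock value.
$url = make_confirm_url('joe@example.com', 3600, 1283354863);
parse_str(parse_url($url, PHP_URL_QUERY), $params);
var_dump(verify_confirm($params, 1283354900)); // untouched link

$params['email'] = 'someone.else@example.com';
var_dump(verify_confirm($params, 1283354900)); // address changed after signing
```

Only after verify_confirm() succeeds should confirm.php run the update, and only for the address that was covered by the checksum.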