
[nycphp-talk] NEW PHundamentals Question

Christopher R. Merlo cmerlo at ncc.edu
Tue Feb 10 00:37:50 EST 2004


On 2004-02-09 21:19 -0500, Jeff Siegel <jsiegel1 at optonline.net> wrote:

> The question for this month's PHundamentals article is: What
> method(s) do you use to assure that no one has 'spoofed', i.e.,
> 'forged', a form submission?"

I should probably preface this by mentioning that my site isn't
exactly at the top of anyone's bookmark list.  Also, my primary
concern is that a student types his/her e-mail address correctly,
because I use e-mail as the primary method of communication outside of
the classroom and office hours.

What I do is ask the student to enter first and last names and an
e-mail address, and choose his/her course from a drop-down.  I then
generate a random string of 16 letters and digits, and throw it into a
table with the student's name and address.  I send this 16-byte code
in an e-mail, attached to the end of a URL, as so:

"Please click here: http://turing.../new.php?random-string-here"

new.php then looks up that $_GET string in the DB.  If it's there, the
e-mail address is obviously valid, and the student can continue
creating an account.  This record is deleted from the table when
account creation is done.  If the address wasn't valid, for whatever
reason (lots of AOL users forget the '@aol.com'), the mail never gets
there, and I delete that record at the end of the semester.

Maybe not the most secure thing in the world, but it ain't
britneyspears.com, either.

-- 
  cmerlo at ncc.edu             http://turing.matcmp.ncc.edu/~cmerlo

Oh!  They have the Internet on computers now!
 - Homer Simpson
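The e-mail verification flow described in the post, as an added example that is not the author's code: Python rather than PHP, a dict standing in for the database table, and a placeholder host in the link. Beyond the post's own design, and as assumptions of this example only, the token comes from a CSPRNG, only its SHA-256 is stored, each record carries an expiry, and a token can be redeemed once.

```python
# Added example, not from the original post: one-time e-mail verification links.
# Hardening not in the post (assumptions of this example): CSPRNG token, only its
# hash stored, per-record expiry, single use.
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 7 * 24 * 3600  # hypothetical: links stop working after a week


def _digest(token: str) -> str:
    # Store only a hash so a leaked table does not hand out working links.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_token(store: dict, first: str, last: str, email: str, now: float = None) -> str:
    """Create the pending record and return the raw token to put in the e-mail."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(16)  # 16 random bytes, URL-safe text
    store[_digest(token)] = {
        "first": first, "last": last, "email": email,
        "expires": now + TOKEN_TTL_SECONDS,
    }
    return token


def verification_link(token: str) -> str:
    # Mirrors "http://turing.../new.php?random-string-here"; host is a placeholder.
    return "https://example.invalid/new.php?token=" + token


def redeem_token(store: dict, token: str, now: float = None):
    """Look the token up once; return the pending record, or None if unknown/expired.
    The record is removed on the first lookup either way (single use)."""
    now = time.time() if now is None else now
    record = store.pop(_digest(token), None)
    if record is None or record["expires"] < now:
        return None
    return record


def sweep_expired(store: dict, now: float = None) -> int:
    """Delete records whose link was never clicked (the post's end-of-semester cleanup)."""
    now = time.time() if now is None else now
    stale = [key for key, rec in store.items() if rec["expires"] < now]
    for key in stale:
        del store[key]
    return len(stale)
```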

