[nycphp-talk] MD5 + Flash
-sry Boston
sryboston at hotmail.com
Mon Aug 22 12:37:57 EDT 2005
Thanks for the explicit verification, Chris. You and Hans are both
right, I am definitely fuzzy on using MD5 hashing (how and why).
I also am not looking to do the serious user management Hans
points out is lacking from my algorith, just as you guys noted,
some quick little lookup verification.
Thanks for the help...time to drag out the 7-yr-old Dell again,
where my Apache/PHP/mySQL installation residies. Gonna be
hard after working on the Toshiba Satellite, but thank you for
the sanity check on this, guys! I'll just stick to PHP for the whole
shebang--it's such a great language and all I really need out of
Flash is the pretty picture part, not ActionScripting.
-sry
>From: csnyder <chsnyder at gmail.com>
>Reply-To: NYPHP Talk <talk at lists.nyphp.org>
>To: NYPHP Talk <talk at lists.nyphp.org>
>Subject: Re: [nycphp-talk] MD5 + Flash
>Date: Mon, 22 Aug 2005 08:35:30 -0400
>
>On 8/21/05, -sry Boston <sryboston at hotmail.com> wrote:
>
> > What I want to do:
> >
> > (1) user gives me email address
> >
> > (2) with a PHP script (free from http://www.allhype.co.uk/tools/md5/
> > and a very nice script actually!!) I MD5 their email address
> >
> > (3) I send user a message (to validate the address works) that has
> > their MD5'd address as a link for them to come back and get what
> > they want
> >
> > (4) user clicks unique query string in the email I've sent them
> >
> > (4) I validate the string .....how/from where is the ??? :)
> >
> > (5) if valid, give them the Flash file; if not, give them an error
>message
> >
> > Any help much appreciated!
>
>I think you have the purpose of the MD5 hash confused. In this case,
>you want it to be an *unguessable* token that the user can bring back
>to you to prove that they got they got your validation message, and
>that they own the mailbox associated with the provided email address.
>
>In other words, it should be random. If it's just the hash of their
>email address, then an impersonator could easily generate the right
>token and validate an address that isn't their own (as Hans pointed
>out).
>
>You will need some sort of DB -- MySQL or flat file or otherwise -- to
>store the email address and the random token in the same record, so
>that when the user clicks the link with the token in it, you can look
>up the email and mark it valid.
>
>--
>Chris Snyder
>http://chxo.com/
>_______________________________________________
>New York PHP Talk Mailing List
>AMP Technology
>Supporting Apache, MySQL and PHP
>http://lists.nyphp.org/mailman/listinfo/talk
>http://www.nyphp.org
_________________________________________________________________
Express yourself instantly with MSN Messenger! Download today - it's FREE!
http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/
More information about the talk
mailing list