hello. i'm currently working on a mailing list app for my company to have one central place to manage our mailing list(s). at first it was going to purely be a place for our staff to manage our list. but then i got to thinking that it would be very convenient to take a lot of the management overhead out of the system by giving some control to the users. i.e. giving them the ability to change their subscription from plain text to html, or to unsubscribe themselves altogether.

so then i started to think about how the subscriber could identify their account while at the same time prevent a malicious user from exploiting the system. using the auto-number id for each user is out of the question since anyone could easily go in sequential order till another record was populated. so what i came up with is a unique identifier that is created by combining three of the user's fields and then running that through md5(). i figure at this point i can easily and securely include a link at the bottom of each email that's directed at each subscriber. like so:

To unsubscribe yourself or change your subscription settings please follow the following link:
http://domain.com/mysubscription.php?uid=a7b8f8a7c8a7d8a9d8b8ga7d8a9d8b8g

so my question is the following: how does this stack up? i'd like to avoid passwords for each subscriber and i figure it will be next to impossible for a malicious person to figure out the combination used to create the hash and subsequently construct their own hashes, especially considering the fields i've chosen. one of them being the date the record was created. which by itself is already impossible to determine (hacking aside) for any random record.

THE END

chris.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
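
A keyed variant of the identifier discussed in the post above, as an added example that is not part of the original message: the link carries the subscriber id plus an HMAC-SHA256 over it, so a valid link depends on a server-side secret rather than on the field values and recipe staying unknown. The function names, the `unsub|` prefix, the secret and the sample id are assumptions made for illustration; the URL and the `uid` parameter are the ones from the post.

```php
<?php
declare(strict_types=1);

// Constructed demo secret (assumption): in practice load it from configuration
// kept outside the database and the web root.
const LIST_SECRET = 'constructed-demo-secret-change-me';

// Build the value for the uid= parameter: "<id>.<hex HMAC-SHA256>".
function make_unsubscribe_token(int $subscriberId, string $secret): string
{
    // The "unsub|" prefix ties the MAC to this one purpose.
    $mac = hash_hmac('sha256', 'unsub|' . $subscriberId, $secret);
    return $subscriberId . '.' . $mac;
}

// Return the subscriber id if the token is authentic, otherwise null.
function verify_unsubscribe_token(string $token, string $secret): ?int
{
    // Strict shape check: canonical decimal id, a dot, 64 lowercase hex chars.
    if (!preg_match('/\A([1-9]\d{0,9})\.([0-9a-f]{64})\z/', $token, $m)) {
        return null;
    }
    $id = (int) $m[1];
    $expected = hash_hmac('sha256', 'unsub|' . $id, $secret);
    // hash_equals() compares in constant time, so timing does not leak the MAC.
    return hash_equals($expected, $m[2]) ? $id : null;
}

// Constructed sample: subscriber 1042.
$token = make_unsubscribe_token(1042, LIST_SECRET);
echo 'http://domain.com/mysubscription.php?uid=' . rawurlencode($token), "\n";

// The genuine link, as it would arrive in $_GET['uid'].
var_dump(verify_unsubscribe_token($token, LIST_SECRET));

// The same MAC attached to the neighbouring id (the sequential-id problem
// from the post): the MAC no longer matches the id it is presented with.
$neighbour = '1043' . substr($token, 4);
var_dump(verify_unsubscribe_token($neighbour, LIST_SECRET));

// A bare 32-character hex string in the old md5() format fails the shape check.
var_dump(verify_unsubscribe_token(md5('constructed'), LIST_SECRET));
```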