I want people to request invites to use my app, they fill in their email address, but how can generate an url for them to go to register? Presumably only to be used once! I was thinking some sort of md6 code using php!
P.S. If there is a tutorial for this, please give a the link. Thanks.
In the email you use a random code, for example (a part of) the session-id of the user
<?php
$code = session_id();
You save this code somewhere in your database and when the user hits your register page (for example, http://mydomain.tld/register?code=here-register-code), you do something like this:
<?php
$code = $_GET['code'];
if (my_code_is_valid($code) {
echo 'Hey, you are able to register now!';
} else {
echo 'Sorry friend, you need an invite first!';
}
You need to define your my_code_is_valid() function, but that's depending on your own code (framework, database system etc).
Related
For a simple mailinglist, i use flat-file (.txt) files for storing the date from subscribers.
The name of the .txt files is the same as the id i assign to a subscriber.
A .txt file with the data inside (name and email) looks so something like this:
id-8759874589.txt
In every email i send, i send an unsubscribe link so that the subscriber can unsubscribe from receiving mails. I encode the unsubscribe link with base64_encode. Only for the mask of the eye.
An unsubscribe-link looks something like this:
http://example.com/unsubscribe.php?id=aWQtMjAxOTEyMjMNDUyMTQ%3D&email=amNtZy5tYWVzc2VuQGdtYWlsLmNvbQ%3D%3D
For unsubscribing, i use this code:
<?php
$id = $_GET['id'];
$email = $_GET['email'];
// decode the id and email string
$id_decode = base64_decode($id);
$email_decode = base64_decode($email);
if( isset($id_decode) ) {
$filename = 'subscribers/'.$id_decode.'.txt';
// delete subscribers entry
if(file_exists($filename)) {
unlink($filename);
echo '<div class="alert alert-success"><b>'.$email_decode.'</b> is successfully removed from our mailinglist!</div>';
}
else {
echo '<div class="alert alert-danger">Email not found or you already have unsubscribed from our mailinglist!</div>';
}
}
?>
As you can see: the id, which is assigned to the .txt file, will be unlinked. The subscriber is deleted from the mailinglist.
My worries:
Lets say: you were a subscriber and you did unsubscribe, then you know how the url is created.
You can start guessing: How will the subscriber be unsubscribed? Lets say: you know that every subscriber has his data in a .txt file with the name of the id. You can let a robot guess the identities in the url string and execute this url. In worse case scenario, he found an id that really exists and the file will be deleted. A random subscriber is removed from the list without doing itself.
How can i protect this better?
Create a unique code and store this code in the file, also provide this code in unsubscribe url:
http://example.com/unsubscribe.php?id=aWQtMjAxOTEyMjMNDUyMTQ%3D&email=amNtZy5tYWVzc2VuQGdtYWlsLmNvbQ%3D%3D&token=WHATEVER
In this case you can also get a token from url as $_GET['token'] and check if it is the same as one in the file. If it is the same (and no one except you knows the algorithm with which token is created) - you can unsubscribe the user. In case of failure you can consider that someone is cheating)
You should worry when you only encode your parameters.
As you already expected gives Base64 no security, also the fact that you expect an Id and a email gives information to hack you.
The third risk is your response, there you als give information away, just inform your that the request is processed.
You should use encryption see to be safe.
I've looked at so many stack overflow questions to find my solution, but none of the questions I try are what I am looking for (so if you know of one that fits my question, please tell me). What I have is a php page that processes a form. It looks like this:
<?php
$var1 = htmlentities($_POST['var1']);
$var2 = htmlentities($_POST['var2']);
$conn = mysqli_connect('localhost','user','pass','db');
$query = "INSERT INTO table (var1,var2) VALUES ('$var2','$var2)";
$doQuery = mysqli_query($conn,$query);
if($doQuery) {
// this is where script should go (i think) to send the variables to the email page
header("Location: /path/to/next/page"); // this just sends the user to the next page. NOT PART OF EMAIL PAGE
}
else {
header("Location: /path/to/back/page");
}
mysqli_close($conn);
?>
so its a basic form handler that sends you to the next page if all goes well.
I have another page that is sends an email notification to someone when they successfully go through the first page. It also processes all of the other email notification worthy forms as well. that's the reason I can't just take the script and put it into the top page.
So, what I am trying to do is figure out a way to send the $var1 and $var2 to the email file without completely redirecting the user. I don't need a response back from the email file.
I hope that made sense.
thanks in advance
Quite simple, really:
// your code above
require 'send-email.php';
And your send-email.php would reference $var1 and $var2.
I Learning a framework Kohana.
What is difference between Kohana::message and Kohana::config?
They perform the same function.
Maybe if there is a difference between the concept?
Kohana:message
These are generally used to store messages that will be displayed to the user. For example if you have a method that tries to create a user and it fails, you can get the relevant you can you may have the following in a User Controller:
$create = $this->create_user($user);
if($create)
{
// user created
$message = Kohana::message('user', 'create_success');
}
else
{
// failed to create user
$message = Kohana::message('user', 'create_error');
}
Kohana:config
This is used for configuration information such as the hash_method used in auth module and you can access it using Kohana::$config->load('auth.hash_method')
One is for configuration information. The other is for reusable text: Kohana::message('registration.error.email') could say something like "There is already an account using the email address you entered, an email with instruction on how to reset you password has been sent in case you forgot it.".
I am relatively new to CodeIgniter, so I'm not sure if this is just bad coding, or if it is a problem with how I'm using CodeIgniter's flash data. For context: the user submits a phrase in a simple HTML form. The phrase is compared against what should be typed in (pretty simple, right?). This correct phrase changes based upon what step in the activity they are on. When they get the text wrong, I am attempting to use flashdata to show the error message. Here are the controller portions, followed by the view:
//Get step number
$step = $this->input->post('step');
$correct_text = array(
1 => 'TESTPHRASE',...
...
//If user enters the correct text
$entered_text = strtoupper($this->input->post('entered_text'));
if ($entered_text == $correct_text[$step])
{
...
}
//If user enters the incorrect text
else
{
$data['step'] = $step;
$this->session->set_flashdata('entry_error', '<b>Sorry!</b>Your entry was incorrect. Be sure to carefully read the instructions!');
$this->load->view('template', $data);
}
Here is the view that only runs every other time.
<?php
if ($this->session->flashdata('entry_error'))
{ ?>
<div id="game_error">
<?php echo $this->session->flashdata('entry_error'); ?>
</div>
<?php } ?>
From the docs: CodeIgniter supports "flashdata", or session data that will only be available for the next server request, and are then automatically cleared.
You are setting the flashdata and then trying to access it during the same request. It's not available until the next request which is why it seems like it's only working every other time.
I'm trying to issue a Facebook Graphp API search call for groups with a specific search term. The important fact is to search for groups not only beginning with the term but also to search for the term within the group name. So something like that.
FQL => SELECT * FROM groups WHERE groupname LIKE '%term%'
As far as i know this isn't possible in FQL. Therefore I have to use the Graph API search.
http://developers.facebook.com/docs/api#search
But I have to issue th call even if the user isn't logged in. Is this possible
or is there a possibility to log in a default user with some curl calls without user interaction (without displaying a form)?
If there is a simplier solution (for instance with FQL) please tell me.
I work with the graph API and not with the FQL so I'm not 100% sure on the differences etc etc... however a way I'd try is using the cURL script at http://developers.facebook.com/docs/authentication/#authenticating-users-in-a-web-application to get an auth token, then you must add the received auth token to the graph parameters as you can see on the site (a good way to test in the graph api is to click on the example likes or queries given while logged into facebook then copying the api code and breaking up the process like that [testing that you can get results you want from the query, testing that you can get your auth token then combining] so that you know what parts are 'problem' parts).
If that fails, scroll down to the "single sign-on with java-script" and have a look at the code they use to get the auth token from the facebook cookie, I notced you may be able to access that cookie from FQL.
I hope this was of some help! Please tell me if those ideas didn't work.
Jon
Using PHP-SDK 3.1.1, no auth or access_token needed. This sample assumes you have PHP-SDK installed on the page.
Use a form post the question to the page, arguments for get and post
are included. This will return the array from search https://graph.facebook.com/search?q=facebook&type=group
<?php
$q = urlencode($_GET['qs']);
if(!$_GET['qs']){
$q = urlencode($_POST['qs']);
if(!$_POST['qs']){
$q = "facebook";
}
}
$MEsearch = $facebook->api('/search?q='.$q.'&type=group');
foreach ($MEsearch as $key=>$value) {
$i=1;
foreach ($value as $fkey=>$fvalue) {
$i++;
if($fvalue[id]=="h"){
}else{
$groupname = $fvalue[name];
$groupid = $fvalue[id];
$groupversion = $fvalue[version];
echo $groupname. '<br />';
echo $groupid. '<br />';
echo $groupversion. '<br /><hr />';
}
};
};
?>
Sample Usage http://shawnsspace.com/plugins/photofeed.php Click Get Plugin at the bottom and use the search box to see this sample in action.