Email Link Shows Variable in Browser


tobyw_1969
09-09-2003, 04:13 AM
Hi

I am using a mail() command to send an e-mail which contains a link to a PHP page with a ?variable. I am using an HTML header so that the email contains an <A> link which takes the user to the relevant page. The code looks like this:


// HTML mail headers; the Content-type header has to stay on a single line
$headers = "MIME-Version: 1.0\r\nContent-type: text/html; charset=iso-8859-1\r\nFrom:".$emailfrom."\r\n";
// Message body: the link carries the drawing number in the query string
$mailmessage = $namefrom;
$mailmessage .= ' has sent you a picture! To see the picture they have drawn for you please click on this link <a href="http://www.netcartoon.net/draw/drawer.php?drawnum='.$drawnum.'">Your Pic</a>';
$subject = $namefrom." has sent you a picture";

mail($emailto, $subject, $mailmessage, $headers);



The problem is, the variable shows up in the browser when the user clicks the link, like this

http://www.website.com/page.php?variable=123

Since this is for messages people can send each other, that's not very cool, because someone could easily adjust the variable and read other people's messages.

Is there a way I can hide the variable which is passed in when the user clicks on the link? What would I need to change in my code?

Thanks.

DaiWelsh
09-09-2003, 07:35 AM
Assuming that the site does not require login, so you can't protect the items that way, your best bet would be to create a random unique id string (perhaps using a hash algorithm), store that with the drawing and use it on the email link

e.g.

http://www.website.com/page.php?variable=x7Ty56HPX3A

that way one user cannot (easily) guess what string would be used for a different user's messages.

HTH,

Dai

tobyw_1969
09-09-2003, 07:41 AM
Thanks DaiWelsh :)

If there's no way of actually hiding it, that would work for me so thanks for the idea. The only problem is, I don't actually know what an algorithm is really (blush) or how I could go about making one to generate a unique id. Do you know any links which might help me? Is it quite straightforward?

Thanks a lot.

DaiWelsh
09-09-2003, 07:50 AM
The only way to 'semi' hide it would be to create an HTML format mail rather than plain text and use a form to submit to the website rather than a link. However this does not hide the id from anyone vaguely technical as they can just view the source of the message.

An algorithm is just a fancy way of saying a formula or set of rules for performing a task. You could create a unique id just by looping ten times and selecting a random letter each time. Stick the ten letters together and you have a simple id string. The advantage of using an existing algorithm might be that it generates a guaranteed unique id (otherwise you might need to check you have not already used the id before to avoid duplicates).

A quick google for "PHP random unique ID" got some useful results e.g.

http://www.phpfreaks.com/quickcode/code/91.php

which uses a uniqid function.

HTH,

Dai
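
The random-id approach from this reply, as an added example that is not part of the original thread or any poster's code: a 128-bit token from PHP's CSPRNG is stored next to the drawing and goes into the link in place of the sequential number. PHP's uniqid() is derived from the current time, so its values can be predicted; random_bytes() (PHP 7+) is used here instead. The function names, the drawings table and its columns, and the in-memory SQLite database via PDO are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added example: function names, table and columns are hypothetical.

function newDrawingToken(): string
{
    // 16 bytes from the OS CSPRNG = 128 bits, hex-encoded to 32 URL-safe characters.
    return bin2hex(random_bytes(16));
}

function saveDrawing(PDO $db, string $data): string
{
    $token = newDrawingToken();
    // The UNIQUE constraint on token makes a duplicate fail loudly
    // instead of silently pointing two links at one drawing.
    $stmt = $db->prepare('INSERT INTO drawings (token, data) VALUES (?, ?)');
    $stmt->execute([$token, $data]);
    return $token;
}

function loadDrawing(PDO $db, string $token): ?string
{
    // Accept only the exact token format before touching the database.
    if (preg_match('/\A[0-9a-f]{32}\z/', $token) !== 1) {
        return null;
    }
    // Look up by token only; the numeric id never appears in a URL.
    $stmt = $db->prepare('SELECT data FROM drawings WHERE token = ?');
    $stmt->execute([$token]);
    $data = $stmt->fetchColumn();
    return $data === false ? null : (string) $data;
}

// Constructed demo data in a throwaway in-memory database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE drawings (
    id INTEGER PRIMARY KEY, token TEXT UNIQUE NOT NULL, data TEXT NOT NULL)');

$token = saveDrawing($db, 'constructed sample drawing');
echo 'http://www.netcartoon.net/draw/drawer.php?drawnum=' . $token, "\n";

// The real token resolves to the drawing.
var_dump(loadDrawing($db, $token));
// An old-style sequential number fails the format check, so loadDrawing() returns null.
var_dump(loadDrawing($db, '123'));
```

In drawer.php the token would be read from $_GET['drawnum'] and passed to loadDrawing(); anyone holding the link can still open that one drawing, but changing the value no longer leads to someone else's.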

tobyw_1969
09-09-2003, 09:03 AM
That's great - thanks. I am using HTML for the email, so I will have a go at trying it that way. I'm not sure how but I will have fun trying! If not, I will use the unique id method. Thanks for that link - looks really useful for lots of stuff! :)