
I want to use an HTML form for submitting some data/info as an email to a specific (one) recipient with a specific/unique generated link, so when the recipient gets the email with the info and the generated link, he could click the link and confirm this information by sending another email (to the email address filled in the HTML form) with some confirmation text.

So in short:

Form submit --> request email sent to the recipient with generated confirmation link --> if confirmation link is clicked, then send email to address from the Form submit.

Basically I know how to make a proper HTML form and send the email to a specific recipient, but I don't know how to generate a link (would this be enough: `$generatedKey = sha1(mt_rand(10000,99999).time().$email);`?), and how to send an email to the address from the HTML form when the confirmation is approved?

Now, I've been thinking about this, and I came up with the following scenario, but I don't understand how to transfer the sender email (the one that was filled in the HTML form):

Confirmation link clicked --> landing on the page and request authorization --> proceed to inner PHP script with auto sending email to the email address from the HTML form (how do I get it?!).

xoxacika
  • Generating unique values in PHP seems to be tricky. You could use an online GUID generator e.g. https://www.uuidgenerator.net/api to get unique IDs to use in your confirmation email. As for the rest of the question I'm confused as to where a HTML form submit comes into it? Surely the user just clicks on the confirmation link, which goes to the URL. The script verifies that the GUID is valid and not been used before, and sends an email. What would be the need for a form? If the user already completed their info in the first form, why would you make them re-confirm it? It will look like phishing – ADyson Nov 22 '17 at 14:52
  • @ADyson why is it tricky? – Martin Nov 22 '17 at 14:52
  • @Martin well, from a quick google it seems that generating GUIDs is not easy, especially if not hosting the app on windows (com_create_guid seems to be windows-only). uniqid() seems to be the nearest thing, but not technically unique necessarily. – ADyson Nov 22 '17 at 14:53
  • I feel you've missed some fundamentals here, or perhaps I have..... surely what OP is trying to do must involve some data recording (such as a database) and so must also therefore easily involve systems that can ensure unique nonce values? – Martin Nov 22 '17 at 14:56
  • @ADyson This whole procedure is done to basically confirm the information submitted by the user. The confirmation is done by Admin, who receives the confirmation link and has the option to confirm it. When it confirms it, the user must get an email with approved status. :) – xoxacika Nov 22 '17 at 14:56
  • There is no such thing as ***unique***, without something to compare it against. OP can generate strings as long as their arm, and while the statistical probabilities of any two being the same are minute, they're **not** *guaranteed*, because there's no comparison with any stored data to prevent repetition. – Martin Nov 22 '17 at 14:58
  • @Martin I'm actually trying to avoid DB, and this should work, except I don't know how to retrieve the email of the user (sent by HTML form to the admin). – xoxacika Nov 22 '17 at 14:59
  • why are you avoiding DB? You could use a file system but..... that's like a DB but without most the benefits – Martin Nov 22 '17 at 15:00
  • @Martin `time().$email);` can make it pretty unique, or am I missing something - please do tell – xoxacika Nov 22 '17 at 15:00
  • If I know your email address and have access to https://www.unixtimestamp.com/ then I can easily generate those 10k possible `sha1` outcomes (from your `mt_rand`) and can find one that works within minutes. Actual minutes. – Martin Nov 22 '17 at 15:04
  • @Martin I'm trying to avoid DB, because otherwise it will store useless data... there's no registration or anything like this for users, besides the fact it will take up some server resources (even if it won't be noticeable). But most importantly, why use DB if there's no need for it? :) – xoxacika Nov 22 '17 at 15:05
  • `why use DB if there's no need for it?` This question raises an absolutely perfect need for it. – Martin Nov 22 '17 at 15:05
  • "is done to basically confirm the information submitted by the user." As I said before, if you've already got the info, why make the user re-confirm it? Just trust the user to type it properly the first time. It's their responsibility. Users hate anything which takes more of their time. You can always add a feature where they can amend it another time if it changes. And if you aren't using a DB to store anything, what are you actually collecting this for? Just to send back to the user? Aren't you storing it anywhere at all? That makes no sense to me. – ADyson Nov 22 '17 at 15:06
  • @Martin OMFG. Thanks for informing me about this. One thing more to be careful with :) – xoxacika Nov 22 '17 at 15:07
  • @ADyson I see, but this isn't this kind of case. The information provided by the user must be confirmed by Admin. – xoxacika Nov 22 '17 at 15:10
  • @Martin `This question raises an absolutely perfect need for it.` :) So you're saying this situation would need DB, in your opinion? – xoxacika Nov 22 '17 at 15:12
  • In my opinion, yes, absolutely. There are other methods (filesystem / cookies / sessions) but they suffer significant shortcomings such as security, reliability and/or practicality. – Martin Nov 22 '17 at 15:13
  • So the person responding to the confirm email isn't the person who originally completed the form, I see. I still don't know what use all of this is if you don't store the data, though. Or how you would prevent the same thing being confirmed over and over again. – ADyson Nov 22 '17 at 15:19

1 Answer


This is longer than a comment so I set as an answer summarising our extensive comments below the question.

Due to the OP stating they won't be using databases to track data, it seems fairly impractical [for me] to provide a solution that doesn't use databases. There are other methods (filesystem / cookies / sessions) but these suffer significant shortcomings such as security, reliability and/or practicality.

Recommended reading:

Martin
  • "You may like to know that in the UK nonce can also refer to someone of a lower than average intelligence." I don't know if the meaning has evolved over time but these days it usually refers to a paedophile. – ADyson Nov 22 '17 at 15:16
  • @Martin thanks, but since you say it would be a good thing to use DB for this case, could you please share your knowledge and recommendations of how to make this correct (just a short scenario)? – xoxacika Nov 22 '17 at 15:19
  • @xoxacika I'm sure there are many questions on SO already for this. It's a big topic if you're brand new to databases... `:-/` – Martin Nov 22 '17 at 15:20
  • @Martin I've heard it used that way in plenty of other settings. Maybe it's only gained that meaning since the advent of Brass Eye, I don't know (was too young to know about that kind of stuff then!). Urban dictionary et al seem to have that definition as well. – ADyson Nov 22 '17 at 15:21
  • @ADyson I'm not disagreeing with you, it's just not the meaning that I know it as.... Anyhow, you've given me a great excuse to reference Brass Eye which is always a pleasure `:-)`. I re-learn something new every day! – Martin Nov 22 '17 at 15:22
  • @Martin Absolutely, it could well have more than one meaning. Brass Eye is always worth mentioning. Extra points for shoehorning it into a tech site. – ADyson Nov 22 '17 at 15:24
  • @xoxacika it is helpful to take a blank sheet of paper and break down into parts what you're trying to do, and then research each part such as "how to store user data into MySQL", etc. Good luck `:-)` – Martin Nov 22 '17 at 15:24
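An added example (not code from the question or the answer above) of the database-backed design the answer recommends, addressing both the guessable `sha1(mt_rand(...).time().$email)` token discussed in the comments and the "how do I get the user's email back" part of the question: the token comes from the CSPRNG, only its hash is stored next to the submitter's address, and the row expires and can be confirmed once. SQLite in memory, the table layout and the function names are assumptions.

```php
<?php
// Added example, not the OP's or the answer's code: single-use, expiring
// confirmation tokens stored in a database. SQLite in memory keeps it
// stand-alone; the same PDO calls work against MySQL.

function openStore(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Only a hash of the token is stored, so a leaked table does not leak
    // working links. The submitter's email sits beside it: that is how the
    // confirm step learns whom to notify without it travelling in the URL.
    $db->exec('CREATE TABLE confirmations (
        token_hash TEXT PRIMARY KEY, email TEXT NOT NULL, payload TEXT NOT NULL,
        expires_at INTEGER NOT NULL, used_at INTEGER)');
    return $db;
}

// 32 bytes from random_bytes() give 256 bits of secret. In the OP's scheme the
// only secret, once the email and timestamp are known, is a five-digit number.
function createRequest(PDO $db, string $email, array $formData, int $ttl = 86400): string {
    $token = bin2hex(random_bytes(32));
    $stmt = $db->prepare('INSERT INTO confirmations (token_hash, email, payload, expires_at)
                          VALUES (?, ?, ?, ?)');
    $stmt->execute([hash('sha256', $token), $email, json_encode($formData), time() + $ttl]);
    return $token; // goes into the link mailed to the admin, e.g. confirm.php?t=<token>
}

// Look the token up by hash, reject expired or already-used rows, and mark it
// used in the same UPDATE so two clicks on the link cannot both succeed.
function confirmRequest(PDO $db, string $token): ?array {
    $hash = hash('sha256', $token);
    $stmt = $db->prepare('UPDATE confirmations SET used_at = ?
                          WHERE token_hash = ? AND used_at IS NULL AND expires_at > ?');
    $stmt->execute([time(), $hash, time()]);
    if ($stmt->rowCount() !== 1) {
        return null; // unknown, expired or replayed token: send nothing
    }
    $row = $db->prepare('SELECT email, payload FROM confirmations WHERE token_hash = ?');
    $row->execute([$hash]);
    $r = $row->fetch(PDO::FETCH_ASSOC);
    return ['email' => $r['email'], 'data' => json_decode($r['payload'], true)];
}

$db = openStore();
$t = createRequest($db, 'user@example.com', ['name' => 'Example']); // constructed input
$approved = confirmRequest($db, $t); // array with email + data on the first click
$replay   = confirmRequest($db, $t); // null: the link is single-use
// On success, mail($approved['email'], 'Approved', ...) would send the status email.
```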