0

So I've created a form where users could send some requests. The request will be stored in the database and will be sent through the email as well.

Here's what the viewing page of the requests looks like:

View Requests

And this is what it looks like on email:

Request on email

(These are two different request, just wanted to show you guys what it would look like.)

Anyway, what I wanted to happen is to add a link on the email where it would show the viewing page of the requests. (1st pic)

But here's the thing, on the form, I have a log in page where users would have to log in before they can view the requests page.

Login Tab

So is it possible to add a link on the email where it would redirect the user to the viewing of the requests page, and of course it should automatically log in when clicked.

Here's the form to email code:

$email_from = "PC Request";//<== update the email address
$email_subject = "PC Request for $account";
$email_body = "Here are the specifications:\n\n".
  "Requested by: $reqname\n".
  "Start Date: $month/$day/$year\n".
  "Employee Name: $empname\n".
  "Position: $position\n".
  "Account: $account\n".
  "Platform: $platform\n".
  "Processor: $processor\n".
  "RAM: $ram\n".
  "Monitor: $monitor\n".
  "Phone: $phone\n".
  "Phone Type: $phonetype\n".
  "Headset: $headset\n".
  
    
$to = "email@email.com";//<== update the email address
$headers = "From: $email_from \r\n";
//$headers .= "Reply-To: $visitor_email \r\n";
//Send the email!
mail($to,$email_subject,$email_body, $headers);
//done. redirect to thank-you page.
//header('Location: index.php');

echo "<script>alert('Successfully sent!'); window.location='index.php'</script>";
}
}
?>
Wade Boar
  • 15
  • 6
  • It's certainly possible but likely wouldn't be very secure. – Nathan Jan 25 '19 at 17:21
  • @Nathan I understand that but that's alright, this is only for the testing stage :) Once I figure it out, I'd immediately work on security Thanks! – Wade Boar Jan 25 '19 at 17:22
  • With http basic auth you can do this: https://user:password@example.com, but I wouldn't recommend it as credentials are out in the open. Nowadays everyone uses tokens in the url like this: https://example.com?token=reallylongtokenhere, but these tokens need to be dynamicly added to the urls based on the intended user. If you initiate a user session and set cookies based on the token, it could work. – Peter Rakmanyi Jan 25 '19 at 17:38
  • @PeterRakmanyi So if the php link is `requests.php` should I do it like `username:password@website.com/request.php`? – Wade Boar Jan 25 '19 at 17:42
  • @WadeBoar Yes. `https://username:password@www.example.com/request.php?whatever` [basic auth wiki page](https://en.wikipedia.org/wiki/Basic_access_authentication). – Peter Rakmanyi Jan 25 '19 at 17:46
  • @WadeBoar Why not have the users log in before they can access the form. If this is internet facing it will get spammed by bots. If anyone can see the login credentials by scraping the form, you're gonna have a bad day. How is the user authentication set up anyway? – Peter Rakmanyi Jan 25 '19 at 17:51
  • @PeterRakmanyi Yeah I'm thinking about it lol. But there's only one text field and it's for password. The username is already predefined using `value=` – Wade Boar Jan 25 '19 at 18:02
  • @PeterRakmanyi Plus it'll be uploaded on an intranet server with 8 users lol. so I don't really mind :) – Wade Boar Jan 25 '19 at 18:06
  • @WadeBoar There are some questions: Who predefined the username? What type of auth is actually used? Why not let the users have to log in? If they are logged in, the url works; if not, they see the login page. – Peter Rakmanyi Jan 25 '19 at 18:18
  • @WadeBoar Also Nathan's answer is good, but you need to understand your own auth first. – Peter Rakmanyi Jan 25 '19 at 18:20

1 Answers1

3

This can be done by creating a table to store temporary tokens that are associated with a user id. When you send the email, you'd insert a record into the table with the generated token, user id, and timestamp. You can generate tokens with:

$token = bin2hex(random_bytes(16));

The link in the email would be something like http://yoursite.com/request.php?token=GENERATED_TOKEN

In the code for request.php, you would search the database for the given token (contained in $_GET['token']) and check if the timestamp is within the expiration period (say created within the last 2 hours or something). If it is valid, at that point you could authenticate the user id stored with that token. You'll also want to delete the entry from the table once they are authenticated so the token can't be used again.

Basic Auth isn't a good way to go since the username and password would have to be sent as plain text in the email (you shouldn't be storing passwords in a way that the plain text representation is recoverable).

Nathan
  • 11,814
  • 11
  • 50
  • 93
  • 1
    Just make sure not to trust the user input. Never eval() and don't use `$_GET['token']` in the sql query, or the system will be pwned in minutes. [SQL injection](https://www.owasp.org/index.php/SQL_Injection) – Peter Rakmanyi Jan 25 '19 at 17:55
  • 1
    @PeterRakmanyi Yep. Little [Bobby Tables](http://bobby-tables.com/) will get you. – Nathan Jan 25 '19 at 17:57
  • @Nathan Not sure how I would incorporate this with my codes, I'm still new to php but I''' found out, thanks! – Wade Boar Jan 25 '19 at 18:00
  • base64 encoding gives much shorter URLs than hex encoding. Also make sure that the token can only be used once, and only for a limited amount of time. – Peter Jan 25 '19 at 18:24
  • @Peter Good point about one-time use. I added that to my answer. – Nathan Jan 25 '19 at 18:34