
need help please..

Posted: Wed Jul 21, 2004 12:29 pm
by iwanas
hi.. i'm new here. i learnt a lot by reading your postings. anyway i need some help from all of you..

the scenario:
I run an ezine that needs subscribers to confirm their subscription. i'm planning to put a one-time offer (discount) to my confirmed subscribers. so the process will be like this:

1) people subscribe -> 2)i send them a confirmation email -> 3) if they confirmed the subscription using the link inside the email, they'll be directed to my one-time offer page

now, the question is how to make the one-time offer page really one-time, i.e. they cannot access it again?

currently i'm using this code in the offer page:

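Code:

<?php
// Allow access only when the visitor arrived from the confirmation URL
$referrer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
if ($referrer != 'http://www.confirm') // URL is cut off in the original post
{
    print "Access Denied";
    exit;
}
?>

however, i realised that the confirmation link might be different since it is generated by the autoresponder.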

Then i tried to make a "jump" page so that the "jump" page will redirect to the offer page (using header). but the offer page returns 'access denied', maybe because the offer page doesn't recognise the referer.

is there any way that i can use to make this thing happen? your help is really much appreciated. by the way i don't know much about php

Posted: Wed Jul 21, 2004 12:45 pm
by feyd
I'd store the unique id code (for the one-time) in a database. So you know which id's you've sent out, then mark that id as used when the person visits the link. If they, or anyone else tries to pass data using a used unique id, it's denied.

I would avoid using referer as it's subject to not existing, depending on the user's browser/proxy set up...

Posted: Wed Jul 21, 2004 12:59 pm
by iwanas
thanks feyd for the reply.. but i'm not quite sure how to do that. do i need to set up mysql and what code should i put in the one time page?

Posted: Wed Jul 21, 2004 1:13 pm
by feyd
ok.. they get a link like so in their email:

http://www.foo.org/offer.php?Zasd8572zhaZSDH9171

you look at your request string on that page and find they passed "Zasd8572zhaZSDH9171". Running a check against your database

Code:

SELECT * FROM `onetimers` WHERE `id` = 'Zasd8572zhaZSDH9171'

you find that the id has not been used. You then update the entry as used. Maybe you add the current time it was used too. Then proceed to print out your offer.

If anyone attempts to access that specific code, you print an error saying that offer has been rescinded, either on that page, or redirect to your main page with an error added.

Posted: Wed Jul 21, 2004 1:24 pm
by iwanas
correct me if i'm wrong.. from what i understand, i need to know the id beforehand and i put them in database. the code will check with this database to see if it has been used or not. but the autoresponder generates a random id if i'm not mistaken. so i cannot compile them for checking purposes.

Posted: Wed Jul 21, 2004 1:31 pm
by feyd
you should be able to get the autoresponder to add the unique to the table..

Posted: Wed Jul 21, 2004 5:39 pm
by JAM
feyd wrote: I'd store the unique id code (for the one-time) in a database. So you know which id's you've sent out, then mark that id as used when the person visits the link. If they, or anyone else tries to pass data using a used unique id, it's denied.

I would avoid using referer as it's subject to not existing, depending on the user's browser/proxy set up...

Can't something similar be used? I mean, is using their email unique enough? depending on the value of the one-time offer it might not be, but if it's something like magazine subscriptions or similar that he/she won't benefit from getting twice...

Code:

<?php
    $email = 'user@email.com';
    // base64 output may contain +, / and =, so it is URL-encoded when placed in the link
    $encoded = base64_encode($email);
    // send mail
    mail($email, 'Subject', 'Visit: http://example.com/sub?whatever='.urlencode($encoded));
    // insert $encoded to database, with status '0', 'waiting' or whatever
?>

When the user then clicks the url provided in their mail, you use $_GET to fetch it, base64_decode to get the mailaddy (if wanted), update the database field 'status' mentioned in the above snippet to '1' or 'viewed' and proceed from there.
If the 'status' already is '1'/'viewed' the user cannot get the offer once more...

Just ideas, just ideas...
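
The scheme feyd and JAM describe above (record each id when the mail goes out, mark it used on the first visit), as an added example that is not part of any post in this thread. It assumes a random id rather than an encoded e-mail address, PHP 7+ with PDO SQLite, and a hypothetical table layout and function names (`issue_token`, `redeem_token`):

```php
<?php
// Added example: one-time offer ids, using an in-memory SQLite table.
// Column names and function names are hypothetical.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE onetimers (
    token_hash TEXT PRIMARY KEY,   -- SHA-256 of the id, never the id itself
    email      TEXT NOT NULL,
    used_at    INTEGER             -- NULL until the offer page is shown
)');

// Called when the confirmation mail is sent: returns the id to put in the link.
function issue_token(PDO $db, string $email): string
{
    $token = bin2hex(random_bytes(16));          // 128 random bits, not guessable
    $stmt = $db->prepare('INSERT INTO onetimers (token_hash, email) VALUES (?, ?)');
    $stmt->execute([hash('sha256', $token), $email]);
    return $token;
}

// Called by the offer page: returns true exactly once per issued id.
function redeem_token(PDO $db, string $token): bool
{
    if (!preg_match('/^[0-9a-f]{32}$/', $token)) {
        return false;                            // malformed input, skip the query
    }
    // Check and mark in ONE statement, so two simultaneous requests cannot
    // both see "unused"; only the request that flips the row gets rowCount 1.
    $stmt = $db->prepare(
        'UPDATE onetimers SET used_at = ? WHERE token_hash = ? AND used_at IS NULL'
    );
    $stmt->execute([time(), hash('sha256', $token)]);
    return $stmt->rowCount() === 1;
}

// Constructed walk-through (the address and the results are sample data).
$token = issue_token($db, 'user@example.com');
echo 'http://www.foo.org/offer.php?' . $token, "\n";  // link format from the thread
var_dump(redeem_token($db, $token));                  // first visit
var_dump(redeem_token($db, $token));                  // repeat visit
var_dump(redeem_token($db, str_repeat('0', 32)));     // id that was never issued
```

On the offer page the id would come from `$_SERVER['QUERY_STRING']`, and the offer is printed only when `redeem_token` returns true.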

Posted: Wed Jul 21, 2004 5:45 pm
by feyd
I didn't want to speculate as to what the unique id should be generated from.. I just wanted to avoid someone trying to "script kiddie" it by registering the id the autoresponder sends out, so it knows to expect it.

You are correct though, the unique id could be their email addy encoded some how.. or something..

Posted: Wed Jul 21, 2004 11:40 pm
by iwanas
thanks feyd and jam. it's an excellent idea jam even though i don't know how to do it :). supposing i'm using jam's idea, the email must be the subscriber email, right? i'm using arp3 system so autoresponder will send this kind of link for them to click on it:

http://mysite/cgi-bin/arp3.pl=xxxxxxxxxxxx

where x is unique id generated by arp3. once they click this link, they will be directed to a page that has been predefined in the system control panel, and in this case the page will be the one time offer page.

for me the whole process is pretty easy if they subscribed through form, but most of them come from the co-reg list so they'll automatically be plugged into my subscribing email add. that's why it's so complex.