I’m working on a PHP newsletter script. I’ve got a MySQL table of subscribers where each user has a UUID assigned and wondered if using it in the unsubscribe link would be secure enough.

I build it by replacing the href attribute together with the query and the UUID that matches the user’s email:
```php
// Get UUID based on submitted email
$link = "href='https://example.com/unsubscribe.php?id=$uuid'>unsubscribe</a>)";
$html_message = file_get_contents('welcome_template.html');
$html_message = str_replace('href="">unsubscribe</a>', $link, $html_message);
// Headers and stuff
mail($email, $respond_subject, $html_message, $headers, '-email@example.com');
```
By secure enough I mean if it is considered a bad practice and if it’s easy to predict the UUID after some queries.
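
One way to make the link unguessable regardless of how the UUIDs were generated, as an added example that is not part of the original post: sign the id with a server-side HMAC when building the link and verify it in unsubscribe.php. The secret, the `sig` parameter, the function names and the sample UUIDs are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed demo secret (assumption): load the real one from config outside the web root.
const UNSUB_SECRET = 'constructed-demo-secret';

// Returns the UUID version nibble, or null if the string is not a well-formed UUID.
// Version 1 is derived from a timestamp and node id; version 4 is random bits.
function uuidVersion(string $uuid): ?int
{
    $re = '/^[0-9a-f]{8}-[0-9a-f]{4}-([1-8])[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i';
    return preg_match($re, $uuid, $m) === 1 ? (int) $m[1] : null;
}

// HMAC over the normalised id; only the server, which holds the secret, can produce it.
function unsubscribeSig(string $uuid, string $secret): string
{
    return hash_hmac('sha256', strtolower($uuid), $secret);
}

function buildUnsubscribeUrl(string $uuid, string $secret): string
{
    $query = http_build_query(['id' => strtolower($uuid), 'sig' => unsubscribeSig($uuid, $secret)]);
    return 'https://example.com/unsubscribe.php?' . $query;
}

// For unsubscribe.php: pass $_GET; returns the verified UUID, or null if the link is invalid.
function verifyUnsubscribe(array $query, string $secret): ?string
{
    $id  = $query['id']  ?? null;
    $sig = $query['sig'] ?? null;
    if (!is_string($id) || !is_string($sig) || uuidVersion($id) === null) {
        return null;
    }
    // hash_equals compares in constant time, so the check does not leak signature bytes.
    return hash_equals(unsubscribeSig($id, $secret), $sig) ? strtolower($id) : null;
}

// Constructed sample: a version 1 UUID.
$uuid = '6f1c2a3e-5b7d-11ee-8c99-0242ac120002';
$url  = buildUnsubscribeUrl($uuid, UNSUB_SECRET);
parse_str((string) parse_url($url, PHP_URL_QUERY), $q);

var_dump(uuidVersion($uuid));                            // version of the sample id
var_dump(verifyUnsubscribe($q, UNSUB_SECRET) === $uuid); // link as generated

$q['id'] = '6f1c2a3f-5b7d-11ee-8c99-0242ac120002';       // constructed: different id, same sig
var_dump(verifyUnsubscribe($q, UNSUB_SECRET));           // signature no longer matches
```

Because the query string now contains `&`, pass the URL through `htmlspecialchars()` before placing it in the template's `href`.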