Email validation of membership changes

I compromised by sending the member an email that contained a link to a new confirm page, named C.asp. The user has to click on the link (if their email client supports that), or cut/paste the link into their browser.

The email I send to confirm a new user was created with this code:

// send Email with our generic function var sBody = 'Dear ' + sName + '\n\n'; sBody += 'To complete the registration of your CoverYourASP membership account please click on the link below, or copy and paste the entire URL into your browser.\n\n'; sBody += 'http://CoverYourASP.com/C.asp?a=a&e=' + sEmail + '&i=' + nID + '\n\n'; sBody += 'Regards,\n'; sBody += '[email protected]\n'; sBody += 'http://CoverYourASP.com/'; SendEmail ( 'MemberServices@' + sHostDomain, sEmail, '', 'New membership', sBody );

This generates an email that contains this line:

http://CoverYourASP.com/C.asp?a=a&e;[email protected]&i;=7

(Note: Many email clients will suffer from a "wrap" problem, meaning the hyperlink they show will only include the part of the URL on the first line. In this case the user must use the cut/paste method to use the entire URL)

C.asp in turn has the following code to decode that URL and perform the task of setting the Confirmed flag in the member record.

var sAction = '' + Request.QueryString ( 'a' ); var sEmail = '' + Request.QueryString ( 'e' ); var nID = Request.QueryString ( 'i' ) - 0; switch ( sAction ) { case 'a':    DBInitConnection ( );    // set the confirmed status on the membership    oConnection.Execute ( 'UPDATE Members SET Confirmed=1 WHERE MemberID=' + nID + ' AND Email="' + sEmail + '"' );    DBReleaseConnection ( );

One last note - C.asp doesn't bother reporting if the parameters given were invalid. If the Email doesn't match the given ID then the database won't be modified thanks to the SQL statement used.

Part 3: Signing in and out...