stupid jokes and stupid programmers

Received an e-card from a friend today. The URL for picking up the card is something like this:

http://www.whateversite.com/pickupcard?read=1&id=123456

The "read=1" part caught my attention. So instead of reading the e-card immediately, I did a little experiment first.

I went through the trouble of opening an account on that site and sent myself several e-cards with the "Send me an email when the card is being retrieved" option checked. And when opening my own e-cards, I removed the "read=1" part... and BINGO! The site won't send the notification email if the part is removed from the URL!

This proves:
  • The site will update the record on the first retrieval of the card and only send out the email at that time. Because even if I added back the "read=1" part later, the site still won't send out the notification email.
  • The programmers for that site made a stupid and fundamental mistake. Never ever trust any input from users, especially if it arrives via the Internet. As the logic is to send a notification when the card is retrieved, there is no need to use a parameter for that... at least not one that obvious in the URL! Just store the sender's selection in the DB and check it when the card is first retrieved.
  • I have too much time! Because after the experiment I decided to play a stupid joke on my friend. When I eventually read my friend's e-card, I removed the "read=1" part so that he/she won't get the notification email (that is, if he/she indeed checked that option :P)!
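
The fix from the second point, as an added example rather than the site's own code (which the post does not show): the observed behaviour beside a handler that decides from stored state only. The `cards` table, its columns, the function names and the `outbox` list standing in for the mailer are all assumptions.

```python
import sqlite3

def make_db():
    # Constructed sample data: the sender of card 123456 asked to be notified, 123457 did not.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE cards (id INTEGER PRIMARY KEY,"
               " notify_sender INTEGER NOT NULL, first_read_at TEXT)")
    db.executemany("INSERT INTO cards VALUES (?, ?, NULL)", [(123456, 1), (123457, 0)])
    return db

def pickup_vulnerable(db, outbox, params):
    """Behaviour the post observed: the recipient-controlled 'read' flag gates the email."""
    card_id = int(params["id"])
    row = db.execute("SELECT first_read_at, notify_sender FROM cards WHERE id = ?",
                     (card_id,)).fetchone()
    if row is None:
        return False                      # unknown card
    if row[0] is None:                    # first retrieval: the record is updated either way
        db.execute("UPDATE cards SET first_read_at = datetime('now') WHERE id = ?",
                   (card_id,))
        if params.get("read") == "1" and row[1]:   # trusts the URL for the decision
            outbox.append(card_id)
    return True

def pickup_hardened(db, outbox, params):
    """The post's fix: the decision comes only from what the sender stored in the DB."""
    card_id = int(params["id"])           # 'read' is never consulted
    # Atomic claim: only the request that flips first_read_at from NULL sees rowcount == 1,
    # so reloads or concurrent requests cannot trigger a second email.
    claimed = db.execute("UPDATE cards SET first_read_at = datetime('now')"
                         " WHERE id = ? AND first_read_at IS NULL",
                         (card_id,)).rowcount == 1
    row = db.execute("SELECT notify_sender FROM cards WHERE id = ?",
                     (card_id,)).fetchone()
    if row is None:
        return False                      # unknown card
    if claimed and row[0]:
        outbox.append(card_id)            # stand-in for sending the notification email
    return True
```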

This entry was posted on Thu, 20 Sep 2007 17:51:00 GMT.


Comments


  1. dc about 1 hour later:
    I think it's OK to work in the normal case for such a casual app. It's not a critical app. The programmer may have a fixed deadline and a lack of resources...
  2. kc about 6 hours later:
    When you put it that way, you've got a point…
  3. cc about 8 hours later:
    =___________________________=||||
