http://www.whateversite.com/pickupcard?read=1&id=123456
The "read=1" part caught my attention. So instead of reading the e-card immediately, I did a little experiment first.
I went through the trouble of opening an account on that site and sent myself several e-cards with the "Send me an email when the card is being retrieved" option checked. And when opening my own e-cards, I removed the "read=1" part... and BINGO! The site won't send the notification email if the part is removed from the URL!
This proves:
- The site updates the record on the first retrieval of the card and only sends out the email at that time. Because even if I added back the "read=1" part later, the site still wouldn't send out the notification email.
- The programmers for that site made a stupid and fundamental mistake. Never ever trust any input from users, especially if it comes in over the Internet. Since the logic is to send a notification when the card is retrieved, there is no need for a parameter to control that... at least not one sitting that obviously in the URL, where the recipient can simply delete it! Just store the sender's selection in the DB and check it when the card is first retrieved.
- I have too much time! Because after the experiment I decided to make a stupid joke on my friend. When I eventually read my friend's e-card, I removed the "read=1" part so that he/she won't get the notification email (that is, if he/she indeed checked that option :P)!
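To make the fix concrete, here is an added example (my own illustration, not the e-card site's code) that puts the flawed pickup handler next to a corrected one. `Card`, `Store`, the `pickup_*` functions and the card id are all assumptions constructed for the demo; only the "read=1" URL shape comes from the post.

```python
# Added example: the notification decision should come from the stored
# sender preference plus a first-retrieval flag, never from a client parameter.
from dataclasses import dataclass, field
from urllib.parse import urlparse, parse_qs

@dataclass
class Card:
    card_id: int
    notify_sender: bool      # the "email me when retrieved" checkbox, saved server-side
    retrieved: bool = False  # set on first pickup

@dataclass
class Store:
    cards: dict = field(default_factory=dict)
    sent_emails: list = field(default_factory=list)  # card ids we emailed about

def pickup_vulnerable(store, url):
    """The flaw described above: the client's 'read' flag decides whether the
    notification goes out, so stripping it from the URL suppresses the email."""
    qs = parse_qs(urlparse(url).query)
    card = store.cards[int(qs["id"][0])]
    if not card.retrieved:
        card.retrieved = True
        if qs.get("read") == ["1"]:          # trusts user-controlled input
            store.sent_emails.append(card.card_id)
    return card

def pickup_fixed(store, url):
    """Hardened: any client 'read' flag is ignored; the stored preference
    decides, and the email fires exactly once, on the first retrieval."""
    qs = parse_qs(urlparse(url).query)
    card = store.cards[int(qs["id"][0])]
    if not card.retrieved:
        card.retrieved = True                # record first retrieval
        if card.notify_sender:               # sender's stored choice, not the URL
            store.sent_emails.append(card.card_id)
    return card

def demo():
    """Constructed scenario: card 123456 with notification enabled, opened first
    with 'read=1' removed, then again with it present.
    Returns (emails sent by vulnerable handler, emails sent by fixed handler)."""
    url = "http://www.whateversite.com/pickupcard?id=123456"
    vuln = Store({123456: Card(123456, notify_sender=True)})
    fixed = Store({123456: Card(123456, notify_sender=True)})
    pickup_vulnerable(vuln, url)
    pickup_fixed(fixed, url)
    # re-opening with read=1 changes nothing: the card is already retrieved
    pickup_vulnerable(vuln, url + "&read=1")
    pickup_fixed(fixed, url + "&read=1")
    return len(vuln.sent_emails), len(fixed.sent_emails)  # (0, 1)
```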
I think it's OK that it works in the normal case for such a casual app. It's not a critical app. The programmer may have a fixed deadline and a lack of resources...
Now that you put it that way, there's something to it...
=___________________________=||||