    #1
  1. A Change of Season
    Devshed Frequenter (2500 - 2999 posts)

    Join Date
    Mar 2004
    Location
    Next Door
    Posts
    2,653
    Rep Power
    171

    What is the proper way of showing user email address on screen?


    Hi;

    There is a profile page that members "want" their email address to be listed on screen.

    Is it proper to show user's email on screen like this?
    Code:
    <a href="mailto:<?php echo html_escape($value->email);?>"><?php echo html_escape($value->email);?></a>
    Just worrying about emails getting picked by spam robots.

    Thanks
  2. #2
  3. Did you steal it?
    Devshed Supreme Being (6500+ posts)

    Join Date
    Mar 2007
    Location
    Washington, USA
    Posts
    13,997
    Rep Power
    9397
    If you have to be logged in and can only see your own address, then no problem.

    If it's public then you should do something about it. Bots can read what you have. Images work well, assuming OCR isn't an issue. Javascript to obfuscate it is probably the next best thing.
    Does it really have to be linked? More Javascript.
  4. #3
  5. A Change of Season
    Devshed Frequenter (2500 - 2999 posts)

    Join Date
    Mar 2004
    Location
    Next Door
    Posts
    2,653
    Rep Power
    171
    Originally Posted by requinix
    If you have to be logged in and can only see your own address, then no problem.

    If it's public then you should do something about it. Bots can read what you have. Images work well, assuming OCR isn't an issue. Javascript to obfuscate it is probably the next best thing.
    Does it really have to be linked? More Javascript.
    They have to be logged in to see the details. So I assume all good.

    Thanks
  6. #4
  7. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,957
    Rep Power
    1046
    I can only see my own address on my profile page? What exactly is that useful for?

    Or can I see everybody's email address if I'm logged in? Then what prevents some bad guy from registering on your site, collecting all addresses and selling them to the spam mafia?
    The 6 worst sins of security • How to (properly) access a MySQL database with PHP

    Why can't I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
  8. #5
  9. A Change of Season
    Devshed Frequenter (2500 - 2999 posts)

    Join Date
    Mar 2004
    Location
    Next Door
    Posts
    2,653
    Rep Power
    171
    Originally Posted by Jacques1
    I can only see my own address on my profile page? What exactly is that useful for?

    Or can I see everybody's email address if I'm logged in? Then what prevents some bad guy from registering on your site, collecting all addresses and selling them to the spam mafia?
    How about phone numbers? Also a bad idea?

    These guys are more famous than Google here. They show phone numbers to anyone regardless of login situation.
  10. #6
  11. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,957
    Rep Power
    1046
    So you did the latter? You unaskedly published the email addresses amongst everybody who's registered on your site? That's indeed a terrible idea. If you did that with my address, I'd probably try to sue you.

    Whether or not you limit access to registered users is completely irrelevant. First of all, who allowed you to share my address with all your members? Secondly, anybody can become a member, right?

    If you wanna publish private data (names, email addresses, phone numbers, addresses, ...), you must ask your members for explicit permission. Something like a checkbox (unchecked by default) should be OK. You could also set up a "share with x" button so that people can publish their data for specific members.

    In addition to that, it might be a good idea to talk to a lawyer about what you can do and how to do it. Most countries have laws to protect private data, so make sure you don't make a mistake.
  12. #7
  13. Code Monkey V. 0.9
    Devshed Regular (2000 - 2499 posts)

    Join Date
    Mar 2005
    Location
    A Land Down Under
    Posts
    2,101
    Rep Power
    1990
    Originally Posted by English Breakfast Tea
    They show phone numbers to anyone regardless of login situation.
    Not directly. It requires user action to show the phone number. Look at the page:

    042436**** > show number
    That is the difference. The complete phone number doesn't appear anywhere in the source code so bots aren't able to scrape it. The same would apply to email addresses if you used them.

    I think what's missing here is context. WHY are the users displaying their phone/email on your site? If it's like Gumtree and it's because they are actively selling something and need to be contacted, then you can pretty much assume that it's OK because it's expected that their contact details will be available. But if it's just a general directory, then it needs more explicit privacy settings.
  14. #8
  15. A Change of Season
    Devshed Frequenter (2500 - 2999 posts)

    Join Date
    Mar 2004
    Location
    Next Door
    Posts
    2,653
    Rep Power
    171
    Originally Posted by Catacaustic
    Not directly. It requires user action to show the phone number.
    Would it be OK if I do it with jQuery? Something like:
    javascript Code:
    function show_phone()
    	{
    		$.post('reloads/number.php', { id: document.form.city.value},function(output){$('#number').html(output).show();});
    	}
    Originally Posted by Catacaustic
    WHY are the users displaying their phone/email on your site?
    Yes, it's like that, they need to be contacted ASAP.
  16. #9
  17. Code Monkey V. 0.9
    Devshed Regular (2000 - 2499 posts)

    Join Date
    Mar 2005
    Location
    A Land Down Under
    Posts
    2,101
    Rep Power
    1990
    You can do that, but still don't have the complete phone number in one location. I haven't looked at how Gumtree do it in much detail, but it's easy to do it the way that they do.

    Break the phone number into two or more parts, show the first part, and hide the rest (Gumtree uses ***). Then have the second part as part of the JavaScript so that it's slightly less obvious to scrapers. When the user clicks the "show" button, substitute the second part for the ***. All pretty easy. There's more ways to make it more secure, like using dynamic variable names in the JS and even more obfuscation if you really feel like it.
  18. #10
  19. A Change of Season
    Devshed Frequenter (2500 - 2999 posts)

    Join Date
    Mar 2004
    Location
    Next Door
    Posts
    2,653
    Rep Power
    171
    Originally Posted by Catacaustic
    You can do that, but still don't have the complete phone number in one location.
    That is really smart. I can sub string and show first 4 characters in 1 place and the remaining on reload.

    In terms of use I have mentioned "your contact details will be visible to public. If you don't want your details to be visible to public please uncheck this."

    That way other members ONLY see a text box for sending message to poster.

    I am VERY tempted to remove the email altogether and rely only on the site's message system and phone number. That gets me more traffic too because they have to log back in to see messages, you know?

    I am definitely gonna break the phone number to pieces.

    Thanks
  20. #11
  21. Wiser? Not exactly.
    Devshed God 1st Plane (5500 - 5999 posts)

    Join Date
    May 2001
    Location
    Bonita Springs, FL
    Posts
    5,938
    Rep Power
    4033
    Originally Posted by English Breakfast Tea
    In terms of use I have mentioned "your contact details will be visible to public. If you don't want your details to be visible to public please uncheck this."
    I would reverse that, something like:
    "All contacts will be managed through the site. If you would like people to contact you directly, check here [ ]"

    With the box unchecked. Your policy should be to keep things private by default, and only open things up with explicit user permission.
    Recycle your old CD's, don't just trash them



    If I helped you out, show some love with some reputation, or tip with Bitcoins to 1N645HfYf63UbcvxajLKiSKpYHAq2Zxud
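
Added example (not part of any post in this thread, and not the site's code): a sketch of the server side of the masked-number approach from posts #7 and #9, combined with the opt-in default from posts #6 and #11. The page HTML carries only the masked value, and the click returns the full number only when the owner has opted in. The `shareContact` field, the function names, the sample records and the per-requester reveal cap are assumptions made for the example.

```javascript
// Added example, not code from the thread. All names below are hypothetical.
const REVEAL_LIMIT = 5;            // assumed cap: reveals per requester per window
const WINDOW_MS = 60 * 60 * 1000;  // assumed window: one hour

// Constructed sample records. shareContact is false unless the owner ticked
// the (unchecked by default) "contact me directly" box.
const ads = new Map([
  [101, { phone: '0412345678', shareContact: true }],
  [102, { phone: '0498765432', shareContact: false }],
]);

// Value that goes into the page HTML: leading digits only, the rest as '*'.
// At least the last four digits are always hidden.
function maskPhone(phone, visible = 6) {
  const digits = String(phone).replace(/\D/g, '');
  const keep = Math.min(visible, Math.max(digits.length - 4, 0));
  return digits.slice(0, keep) + '*'.repeat(digits.length - keep);
}

// Server-side handler behind the "show number" click. The full number is
// never rendered into the page; it is only returned from here.
function createRevealHandler(store, now = () => Date.now()) {
  const hits = new Map(); // requester -> timestamps of recent reveals
  return function reveal(requester, adId) {
    const id = Number(adId);
    if (!Number.isInteger(id) || id <= 0) return { status: 400 };
    const ad = store.get(id);
    // Same answer for "no such ad" and "owner did not opt in".
    if (!ad || ad.shareContact !== true) return { status: 404 };
    const t = now();
    const recent = (hits.get(requester) || []).filter((ts) => t - ts < WINDOW_MS);
    if (recent.length >= REVEAL_LIMIT) return { status: 429 };
    recent.push(t);
    hits.set(requester, recent);
    return { status: 200, phone: ad.phone };
  };
}
```

The cap slows bulk collection by a single registered account; it does not stop a patient collector, so the opt-in check is what actually protects members who never agreed to share.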
  22. #12
  23. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,957
    Rep Power
    1046
    Originally Posted by kicken
    With the box unchecked. Your policy should be to keep things private by default, and only open things up with explicit user permission.
    ... which is what I already suggested 12 hours ago.
  24. #13
  25. A Change of Season
    Devshed Frequenter (2500 - 2999 posts)

    Join Date
    Mar 2004
    Location
    Next Door
    Posts
    2,653
    Rep Power
    171
    What am I doing wrong? What when I click on view number it shows a whole new page??????

    Link
  26. #14
  27. Code Monkey V. 0.9
    Devshed Regular (2000 - 2499 posts)

    Join Date
    Mar 2005
    Location
    A Land Down Under
    Posts
    2,101
    Rep Power
    1990
    Looks like JavaScript errors to me. Unless your server is really sending back those error messages through AJAX? If it is, then that's what you need to troubleshoot.
  28. #15
  29. A Change of Season
    Devshed Frequenter (2500 - 2999 posts)

    Join Date
    Mar 2004
    Location
    Next Door
    Posts
    2,653
    Rep Power
    171
    Originally Posted by Catacaustic
    Looks like JavaScript errors to me. Unless your server is really sending back those error messages through AJAX? If it is, then that's what you need to troubleshoot.
    I blame it on PHP. That makes more sense.




    This is the phone_number controller. You can directly check it here
    PHP Code:
    class Phone_number extends CI_Controller {

        public function index($id)
        {
            // Reject anything that is not a numeric id
            if (!is_numeric($id)) {
                exit();
            }

            // Look up the ad and print whatever the model returns
            $this->load->model('model_ads');
            print_r($this->model_ads->have_phone($id));
        }
    }


    And of course this is the jQuery code:
    javascript Code:
    function view_phone_number(id)
    			{
    				$.post('http://test.goldcoast-flatmates.com/phone_number/'.id, { id: id, <?php echo $this->security->get_csrf_token_name();?>: '<?php echo $this->security->get_csrf_hash();?>'},function(output){$('#phone_number').html(output).show();});
    			}