Encrypting a query string containing the user's email to unsubscribe in a Stored Proc (SS 2008R2)?
We are trying to encrypt the users' email in a stored proc in SQL Server **2008R2 using cdosysmail** to allow them to unsubscribe using an encrypted query string, to prevent hacking, etc. And also in the stored procedure to DEcrypt the query string back to validate and/or update the record to unsubscribe. SET @unsubfooter = '
sp_send_dbmail should be used in place of the sp_oa* methods for sending emails. What is the concern with using plain text for the email - that a hacker might randomly submit email addresses to the page and forcibly unsubscribe your users? Of the methods you have outlined, I would lean towards the GUID approach. If you choose to encrypt the email, you should reconsider and choose a one-way hash with salt ([http://www.troyhunt.com/2013/03/should-websites-be-required-to-publicly.html]). Use the hash just like you would have used the GUID (pre-hash the salted email addresses in the table, then use those values to match against the hash that is being unsubscribed). Will your unsubscribe page be using https?
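The salted one-way-hash design described in the answer above, worked through as an added T-SQL example (not code from the original thread): the salted hash is stored at insert time, hex-encoded into the footer link, and the unsubscribe page matches on the stored hash rather than on the email. The table, procedure names and the https://www.example.com URL are assumptions; HASHBYTES('SHA2_256') requires SQL Server 2012 or later, so on 2008 R2 the algorithm would be 'SHA1' with a binary(20) hash column.

```sql
-- Added example (not from the original post); schema, names and URL are assumptions.
CREATE TABLE dbo.Subscriber
(
    SubscriberId   int IDENTITY(1,1) PRIMARY KEY,
    Email          nvarchar(256) NOT NULL,
    Salt           binary(16)    NOT NULL,         -- random per row, never sent to the user
    EmailHash      binary(32)    NOT NULL UNIQUE,  -- SHA2_256(Salt + Email); binary(20) for SHA1
    Unsubscribed   bit           NOT NULL DEFAULT 0
);
GO

-- Pre-hash on insert. HASHBYTES('SHA2_256') needs SQL Server 2012+; on 2008 R2 the strongest
-- option is 'SHA1'. Because the salt is 16 random bytes, the token cannot be recomputed from a
-- known email address either way, which is the property the unsubscribe link needs.
CREATE PROCEDURE dbo.Subscriber_Add @Email nvarchar(256)
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @Salt binary(16) = CRYPT_GEN_RANDOM(16);   -- available since SQL Server 2008
    INSERT dbo.Subscriber (Email, Salt, EmailHash)
    VALUES (@Email, @Salt, HASHBYTES('SHA2_256', @Salt + CAST(LOWER(@Email) AS varbinary(512))));
END
GO

-- Build the footer link: hex-encode the hash (style 2 = no 0x prefix) so it is query-string safe.
CREATE PROCEDURE dbo.Subscriber_UnsubscribeLink @SubscriberId int, @Link nvarchar(400) OUTPUT
AS
BEGIN
    SET NOCOUNT ON;
    SELECT @Link = N'https://www.example.com/unsubscribe?t=' + CONVERT(varchar(64), EmailHash, 2)
    FROM dbo.Subscriber WHERE SubscriberId = @SubscriberId;
END
GO

-- The unsubscribe page passes the token back; match on the stored hash, never on the email.
CREATE PROCEDURE dbo.Subscriber_Unsubscribe @Token varchar(64), @RowsAffected int OUTPUT
AS
BEGIN
    SET NOCOUNT ON;
    IF @Token IS NULL OR LEN(@Token) <> 64 OR @Token LIKE '%[^0-9A-Fa-f]%'
    BEGIN SET @RowsAffected = 0; RETURN; END;   -- reject malformed tokens before touching the table

    UPDATE dbo.Subscriber
    SET Unsubscribed = 1
    WHERE EmailHash = CONVERT(binary(32), @Token, 2) AND Unsubscribed = 0;
    SET @RowsAffected = @@ROWCOUNT;   -- 0 means unknown token or already unsubscribed
END
GO
```

With a random per-row salt kept server-side, the hash behaves as an unguessable token, so this is functionally the GUID approach the answer leans towards; the page should treat @RowsAffected = 0 as "no change" without revealing whether the address exists.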