$_GET changing variable

Question

Zagga

14 Years Ago

Hi again folks.

I have a PHP member registration script that collects registration details from the user, encodes the password (with RIJNDAEL_256) and emails the user a URL containing all the variables so I can verify the email address is correct.
The user clicks on the URL, the correct page is opened, with all the GET variables how they should be.

The problem is that when I $_GET the variables from the URL, the plus signs (+) in the encoded password (that show correctly in the address bar) are being replaced with spaces, thus changing the password.

Any ideas why this is happening.
Everything had been working fine, but when I tested it with a new user, it was the first time the encoded password contained any plus signs.

Thanks
Zagga

php

4 Contributors
7 Replies
167 Views
19 Hours Discussion Span
Latest Post 14 Years Ago Latest Post by Zagga

Will Gresham 81 Master Poster

14 Years Ago

Instead of putting a password hash in the URL (Not a very good idea) why not generate a random string when the user is created and just put this (and possibly the username) in the URL.

Then, check that the string in the URL matches the one in the database when they visit the page.

Edited 14 Years Ago by Will Gresham because: n/a

Wraithmanilian 1 Junior Poster

14 Years Ago

Still curious about why the GET variables were being changed, but it's not an issue now.

The issue has to do with URL encoding techniques. PHP automatically decodes "+" to spaces, as well as other symbols that cannot be passed directly in the URL of the browser. An example would be doing a search for "P & G".

If you were to search for that, the string would look similar to "search.php?search=Y&query=P+%26+G". The spaces are replaced in the URL with + signs, and the ampersand replaced with "%26" because the ampersand is used by the urls to separate name/value pairs.

My 2¢. Hope this explains it a bit.

Reply to this topic

Be a part of the DaniWeb community

We're a friendly, industry-focused community of developers, IT pros, digital marketers, and technology enthusiasts meeting, networking, learning, and sharing knowledge.

JRM 107 Practically a Master Poster · Answer 1 · 2010-02-21T08:20:43+00:00

You shouldn't be using GET for that stuff anyway. All of it appears in the URL !
Use POST.

Zagga · Answer 2 · 2010-02-21T08:31:58+00:00

You shouldn't be using GET for that stuff anyway. All of it appears in the URL !

That's why the password is encrypted.

Use POST.

I need the user to confirm their email address and using GET was the only way I could think of to send all the required registration information.

Thanks for the advice, I will bear ir in mind, but that still leaves my problem unsolved.
:icon_confused:
Zagga

JRM 107 Practically a Master Poster · Answer 3 · 2010-02-21T08:42:10+00:00

I need the user to confirm their email address and using GET was the only way I could think of to send all the required registration information.
Thanks for the advice, I will bear ir in mind, but that still leaves my problem unsolved.

I don't understand what you mean.
Why won't post collect an email for you? works for me!

Zagga · Answer 4 · 2010-02-21T08:47:54+00:00

Ahh, thank you Will and JRM.
I see where I was going wrong now.
I was passing all the variables with GET and only adding the user to the database once they had confirmed their email address.
What I SHOULD have been doing, was adding all the details to the database as soon as they register and just pass a randon string with the URL, then check the string against the one in the database when the user confirms their email address.

All I need to do now is research how to remove un-confirmed registrations :)

Still curious about why the GET variables were being changed, but it's not an issue now.

Thanks again
Zagga

Zagga · Answer 5 · 2010-02-21T21:32:12+00:00

Thanks everyone. Problem solved, registration procedure re-written, happy Zagga :)