
Hi again folks.

I have a PHP member registration script that collects registration details from the user, encodes the password (with RIJNDAEL_256) and emails the user a URL containing all the variables so I can verify the email address is correct.
The user clicks on the URL, the correct page is opened, with all the GET variables how they should be.

The problem is that when I $_GET the variables from the URL, the plus signs (+) in the encoded password (that show correctly in the address bar) are being replaced with spaces, thus changing the password.

Any ideas why this is happening?
Everything had been working fine, but when I tested it with a new user, it was the first time the encoded password contained any plus signs.

Thanks
Zagga

All 7 Replies

You shouldn't be using GET for that stuff anyway. All of it appears in the URL!
Use POST.

Instead of putting a password hash in the URL (Not a very good idea) why not generate a random string when the user is created and just put this (and possibly the username) in the URL.

Then, check that the string in the URL matches the one in the database when they visit the page.


You shouldn't be using GET for that stuff anyway. All of it appears in the URL!

That's why the password is encrypted.

Use POST.

I need the user to confirm their email address and using GET was the only way I could think of to send all the required registration information.

Thanks for the advice, I will bear it in mind, but that still leaves my problem unsolved.
Zagga

I need the user to confirm their email address and using GET was the only way I could think of to send all the required registration information.

Thanks for the advice, I will bear it in mind, but that still leaves my problem unsolved.

I don't understand what you mean.
Why won't POST collect an email for you? Works for me!


Ahh, thank you Will and JRM.
I see where I was going wrong now.
I was passing all the variables with GET and only adding the user to the database once they had confirmed their email address.
What I SHOULD have been doing was adding all the details to the database as soon as they register and just passing a random string with the URL, then checking the string against the one in the database when the user confirms their email address.

All I need to do now is research how to remove un-confirmed registrations :)

Still curious about why the GET variables were being changed, but it's not an issue now.

Thanks again
Zagga

Still curious about why the GET variables were being changed, but it's not an issue now.

The issue has to do with URL encoding techniques. PHP automatically decodes "+" to spaces, as well as other symbols that cannot be passed directly in the URL of the browser. An example would be doing a search for "P & G".

If you were to search for that, the string would look similar to "search.php?search=Y&query=P+%26+G". The spaces are replaced in the URL with + signs, and the ampersand is replaced with "%26" because the ampersand is used by URLs to separate name/value pairs.

My 2¢. Hope this explains it a bit.
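
The two points from this thread in one PHP sketch, added here as an example and not code posted by anyone in the thread: first the "+" to space decoding and how percent-encoding the value avoids it, then the random-token confirmation flow suggested above. The `example.test` URL, the function names and the `$pending` array (standing in for a database table) are assumptions, and storing only a hash of the token plus an expiry time are choices made for this example.

```php
<?php
declare(strict_types=1);

// Constructed value standing in for base64 ciphertext that contains "+".
$encoded = 'kJ3+Xw/8+Q==';

// Pasted into the link raw: PHP's query parser treats "+" as an encoded space.
parse_str('pw=' . $encoded, $raw);
// Percent-encoded first ("+" becomes %2B), so it survives the round trip.
parse_str('pw=' . rawurlencode($encoded), $safe);
printf("raw intact: %s, encoded intact: %s\n",
    var_export($raw['pw'] === $encoded, true),
    var_export($safe['pw'] === $encoded, true));

// The approach the thread settled on: store the registration, mail only a token.
// $pending stands in for a database table (assumption for this example).
function startRegistration(array &$pending, string $email): string
{
    $token = bin2hex(random_bytes(32)); // hex output needs no URL encoding
    $pending[$email] = [
        'token_hash' => hash('sha256', $token), // keep only a hash server-side
        'expires'    => time() + 86400,         // unconfirmed rows can be purged after this
    ];
    // http_build_query() percent-encodes every value for us.
    return 'https://example.test/confirm.php?'
        . http_build_query(['email' => $email, 'token' => $token]);
}

function confirmRegistration(array &$pending, string $email, string $token): bool
{
    $row = $pending[$email] ?? null;
    if ($row === null || $row['expires'] < time()) {
        return false; // unknown address or link too old
    }
    if (!hash_equals($row['token_hash'], hash('sha256', $token))) {
        return false; // constant-time comparison failed
    }
    unset($pending[$email]); // single use: a replayed link is rejected
    return true;
}

$pending = [];
$link = startRegistration($pending, 'new+user@example.test'); // constructed address
parse_str((string) parse_url($link, PHP_URL_QUERY), $get);    // what $_GET would hold
var_dump(confirmRegistration($pending, $get['email'], $get['token'])); // first click
var_dump(confirmRegistration($pending, $get['email'], $get['token'])); // same link again
```

The `expires` field also gives a cleanup job a simple criterion for deleting registrations that were never confirmed.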


Thanks everyone. Problem solved, registration procedure re-written, happy Zagga :)
