1

Hi again folks.

I have a PHP member registration script that collects registration details from the user, encodes the password (with RIJNDAEL_256) and emails the user a URL containing all the variables so I can verify the email address is correct.
The user clicks on the URL, the correct page is opened, with all the GET variables how they should be.

The problem is that when I $_GET the variables from the URL, the plus signs (+) in the encoded password (that show correctly in the address bar) are being replaced with spaces, thus changing the password.

Any ideas why this is happening.
Everything had been working fine, but when I tested it with a new user, it was the first time the encoded password contained any plus signs.

Thanks
Zagga

4
Contributors
7
Replies
9
Views
7 Years
Discussion Span
Last Post by Zagga
0

You shouldn't be using GET for that stuff anyway. All of it appears in the URL !
Use POST.

1

Instead of putting a password hash in the URL (Not a very good idea) why not generate a random string when the user is created and just put this (and possibly the username) in the URL.

Then, check that the string in the URL matches the one in the database when they visit the page.

Edited by Will Gresham: n/a

0

You shouldn't be using GET for that stuff anyway. All of it appears in the URL !

That's why the password is encrypted.

Use POST.

I need the user to confirm their email address and using GET was the only way I could think of to send all the required registration information.

Thanks for the advice, I will bear ir in mind, but that still leaves my problem unsolved.
:icon_confused:
Zagga

0

I need the user to confirm their email address and using GET was the only way I could think of to send all the required registration information.

Thanks for the advice, I will bear ir in mind, but that still leaves my problem unsolved.

I don't understand what you mean.
Why won't post collect an email for you? works for me!

0

Ahh, thank you Will and JRM.
I see where I was going wrong now.
I was passing all the variables with GET and only adding the user to the database once they had confirmed their email address.
What I SHOULD have been doing, was adding all the details to the database as soon as they register and just pass a randon string with the URL, then check the string against the one in the database when the user confirms their email address.

All I need to do now is research how to remove un-confirmed registrations :)

Still curious about why the GET variables were being changed, but it's not an issue now.

Thanks again
Zagga

2

Still curious about why the GET variables were being changed, but it's not an issue now.

The issue has to do with URL encoding techniques. PHP automatically decodes "+" to spaces, as well as other symbols that cannot be passed directly in the URL of the browser. An example would be doing a search for "P & G".

If you were to search for that, the string would look similar to "search.php?search=Y&query=P+%26+G". The spaces are replaced in the URL with + signs, and the ampersand replaced with "%26" because the ampersand is used by the urls to separate name/value pairs.

My 2ยข. Hope this explains it a bit.

0

Thanks everyone. Problem solved, registration procedure re-written, happy Zagga :)

This question has already been answered. Start a new discussion instead.
Have something to contribute to this discussion? Please be thoughtful, detailed and courteous, and be sure to adhere to our posting rules.