For my email confirmation script, I generate a token by running the user’s email address through my existing one-way encryption function and then grabbing 20 characters from the middle of it. I get the token back from the user as a $_GET variable or a $_POST variable. I ran into a “bug” where When an email address is entered that has a plus sign (+) in it, and then that token is retrieved back from the user as a $_GET variable, the plus sign gets converted to a space and the hash changes, therefor the token doesn’t match anymore.
So, I’m wondering what the best way to work around this would be? Escape the plus sign? Convert the plus sign? URL encode it? What other characters will this happen to when I use $_GET?
Here is the pertinent code, in case it’s helpful:
<?php
if (isset ($_GET['email'], $_GET['token'])) {
$email = strtolower (mysql_real_escape_string($_GET['email']));
$token = mysql_real_escape_string($_GET['token']);
$correctToken = substr (doEncrypt ($email), -26, -6);
}elseif (isset ($_POST['submit'])) {
$email = strtolower (mysql_real_escape_string($_POST['email']));
$token = mysql_real_escape_string($_POST['token']);
$correctToken = substr (doEncrypt ($email), -26, -6);
}
if (isset ($email, $token, $correctToken)){
if ($token == $correctToken) {
// Confirm user's email!
}
}
?>
Thank you very much!
Billy
EDIT: OK, so the biggest question at this point is, is the plus sign the only character that’s converted to a space when retrieved through $_GET? If it is, then it seems I could just add this within the $_GET section: $email = str_replace(' ', '+', $email); There is no other reason for a space to be within an email address, right?
Thanks again,
Billy
If it were me, I would do a
str_replace()to convert plus signs to spaces before hashing. Put thestr_replace()within the hashing function; that way the user’s email address is only modified within the function’s scope, and remains unaltered for the rest of the script.