www.webdeveloper.com
Results 1 to 5 of 5

Thread: passing url variables cannot compare

  1. #1
    Join Date
    Nov 2010
    Posts
    57

    passing url variables cannot compare

    Hi,

    I'm trying to write somthing to verify a users email address before setting the 'active' column in a database. I've been looking at the tutorial here 'http://net.tutsplus.com/tutorials/php/how-to-implement-email-verification-for-new-members/' but my problem is that when I get the email and hash from the url it looks like this:
    Code:
    \'emailaddress@domain.com\'
    so when I compare it to my database email it doesn't match - since the database email is:
    Code:
    emailaddress@domain.com
    I would've thought this would still match using
    PHP Code:
    while($row=mysql_fetch_array('$query'))
    {
        if(
    $_REQUEST['email'] == $row['email'])
         {
            
    #run code
         
    }

    but it doesn't.. I tried using one equals sign but it just returns 1 for any email address in the database :S

    I also tried just looking at mysql_num_rows like this:
    PHP Code:
    $check mysql_query("SELECT email, hash, active FROM users WHERE email='".$_REQUEST['email']."' AND hash = '".$_REQUEST['hash']."' AND active = '0'") or die('Sorry, a mysql error occured');
    $result mysql_num_rows($check); 
    but it still doesn't work... In the tutorial I notice he calls variables from the url just by using $email and not $_GET['email'] or $_REQUEST['email'] but when I tried that it returns blank.. wtf?

    Please help me, I feel like I'm ready to stab someone.

    Thanks,

    bob

  2. #2
    Join Date
    Aug 2004
    Location
    Ankh-Morpork
    Posts
    19,407
    You are correct to be using $_POST or $_GET, as the old-fashioned use of the register_globals option (which created the global variables) is now deprecated due to its limited potential for bugs and security issues. (And I'd be reluctant to use any tutorial that depends on register_globals being in effect, as that indicates either it is quite dated material, or not provided by someone conversant with current best practices.)

    As far as your problem, you need to find out where/why the "\'" characters are getting into the URL string and remove it. If not, the kludgy work-around would be to strip them out, maybe with something like:
    PHP Code:
    $email trim($_GET['email'], "\\'"); 
    "Please give us a simple answer, so that we don't have to think, because if we think, we might find answers that don't fit the way we want the world to be."
    ~ Terry Pratchett in Nation

    eBookworm.us

  3. #3
    Join Date
    Nov 2010
    Posts
    57
    Thanks for the reply! I'm not sure I know what the register_globals option is.. but is there any benifit to using $_GET over $_REQUEST is request more for submitted forms or something?

    Also I have tried to find where the / is coming from but I can't see it.. my code is this:
    PHP Code:
    $email_message "Hi " $_REQUEST['name'] . ",  \r\nYou have been subscribed to our email subxcription.\r\nPlease
                    <a href=\"http://website.com/email_updates/sign_up/verify.php?email='" 
    $_REQUEST['email'] . "'&hash='" $hash "'\">click here</a> to activate your account."
    The link in my email goes to:
    http://website/email_updates/sign_up...b90c14222fb%27

    maybe it is the % symbolys? But then how to I change the above code to not escape or change the email and hash in any way?
    Oh also when I was comparing the hash from the url with the database one I got around the same problem by adding \' to the start and end of the database hash (so it matched the link variable one) but it doesn't seem to work with email address..


    thanks again,

    bob

  4. #4
    Join Date
    Aug 2004
    Location
    Ankh-Morpork
    Posts
    19,407
    You need to get rid of the single quotes around the value.
    PHP Code:
    "...verify.php?email=" $_REQUEST['email'] . "&hash=" $hash "\">..." 
    The backslash is showing up because your PHP configuration has the dreaded magic_quotes_gpc enabled. See this blog post for a way to avoid its effects.

    As far as $_GET or $_REQUEST, I would recommend using $_GET, since you know the value is coming to the page via the URL. $_REQUEST is for when you don't know if the data is going to come to the page via a GET request or a POST request. (I can't actually think of a situation where I actually needed/wanted to use $_REQUEST.)

    See http://www.php.net/manual/en/security.globals.php for more info on the (deprecated) register_globals feature.
    "Please give us a simple answer, so that we don't have to think, because if we think, we might find answers that don't fit the way we want the world to be."
    ~ Terry Pratchett in Nation

    eBookworm.us

  5. #5
    Join Date
    Nov 2010
    Posts
    57
    I've got it working now, the single quotes did the trick. Thanks so much for the help I really do appreciate it

Thread Information

Users Browsing this Thread

There are currently 1 users browsing this thread. (0 members and 1 guests)

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  
HTML5 Development Center



Recent Articles