passing url variables cannot compare
I'm trying to write something to verify a user's email address before setting the 'active' column in a database. I've been looking at the tutorial here 'http://net.tutsplus.com/tutorials/php/how-to-implement-email-verification-for-new-members/' but my problem is that when I get the email and hash from the url it looks like this:
so when I compare it to my database email it doesn't match - since the database email is:
I would've thought this would still match using
but it doesn't.. I tried using one equals sign but it just returns 1 for any email address in the database :S
if($_REQUEST['email'] == $row['email'])
I also tried just looking at mysql_num_rows like this:
but it still doesn't work... In the tutorial I notice he calls variables from the url just by using $email and not $_GET['email'] or $_REQUEST['email'] but when I tried that it returns blank.. wtf?
$check = mysql_query("SELECT email, hash, active FROM users WHERE email='".$_REQUEST['email']."' AND hash = '".$_REQUEST['hash']."' AND active = '0'") or die('Sorry, a mysql error occurred');
$result = mysql_num_rows($check);
Please help me, I feel like I'm ready to stab someone.
You are correct to be using $_POST or $_GET, as the old-fashioned use of the register_globals option (which created the global variables) is now deprecated due to its limited potential for bugs and security issues. (And I'd be reluctant to use any tutorial that depends on register_globals being in effect, as that indicates either it is quite dated material, or not provided by someone conversant with current best practices.)
As far as your problem, you need to find out where/why the "\'" characters are getting into the URL string and remove it. If not, the kludgy work-around would be to strip them out, maybe with something like:
$email = trim($_GET['email'], "\\'");
Thanks for the reply! I'm not sure I know what the register_globals option is.. but is there any benefit to using $_GET over $_REQUEST? Is $_REQUEST more for submitted forms or something?
Also I have tried to find where the / is coming from but I can't see it.. my code is this:
The link in my email goes to:
$email_message = "Hi " . $_REQUEST['name'] . ", \r\nYou have been subscribed to our email subscription.\r\nPlease
<a href=\"http://website.com/email_updates/sign_up/verify.php?email='" . $_REQUEST['email'] . "'&hash='" . $hash . "'\">click here</a> to activate your account.";
maybe it is the % symbols? But then how do I change the above code to not escape or change the email and hash in any way?
Oh also when I was comparing the hash from the url with the database one I got around the same problem by adding \' to the start and end of the database hash (so it matched the link variable one) but it doesn't seem to work with email address..
You need to get rid of the single quotes around the value.
The backslash is showing up because your PHP configuration has the dreaded magic_quotes_gpc enabled. See this blog post for a way to avoid its effects.
"...verify.php?email=" . $_REQUEST['email'] . "&hash=" . $hash . "\">..."
As far as $_GET or $_REQUEST, I would recommend using $_GET, since you know the value is coming to the page via the URL. $_REQUEST is for when you don't know if the data is going to come to the page via a GET request or a POST request. (I can't actually think of a situation where I actually needed/wanted to use $_REQUEST.)
See http://www.php.net/manual/en/security.globals.php for more info on the (deprecated) register_globals feature.
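Putting the two answers together, here is an added example (not code from the thread or the tutorial it links) of a verify.php that builds the link without quotes around the values and looks up the email/hash pair with a prepared statement instead of concatenating $_GET into the SQL string. The $pdo connection, the DSN, and the buildVerifyLink/verifyAccount names are assumptions; the users table with email, hash and active columns is the one described in the thread.

```php
<?php
declare(strict_types=1);

// Builds the activation link. No single quotes around the values, and
// http_build_query() percent-encodes '@', '+' and similar characters so
// they survive the round trip through the mail client and the browser.
function buildVerifyLink(string $baseUrl, string $email, string $hash): string
{
    return $baseUrl . '?' . http_build_query(['email' => $email, 'hash' => $hash]);
}

// Verifies the (email, hash) pair from the query string and activates the row.
// Returns true only when exactly one inactive row matched and was updated.
function verifyAccount(PDO $pdo, array $query): bool
{
    $email = (string) ($query['email'] ?? '');
    $hash  = (string) ($query['hash'] ?? '');
    if ($email === '' || $hash === '') {
        return false;
    }
    // On a legacy build with magic_quotes_gpc enabled the values arrive with
    // backslashes added; undo that first (get_magic_quotes_gpc()/stripslashes)
    // if you must support it. Current PHP no longer has the feature.

    // User-supplied values never become part of the SQL text; they are bound.
    $stmt = $pdo->prepare('SELECT hash FROM users WHERE email = :email AND active = 0 LIMIT 1');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return false;
    }
    // Strict, constant-time comparison of the token (no loose == surprises).
    if (!hash_equals((string) $row['hash'], $hash)) {
        return false;
    }
    $update = $pdo->prepare('UPDATE users SET active = 1 WHERE email = :email AND active = 0');
    $update->execute([':email' => $email]);
    return $update->rowCount() === 1;
}

// Typical use in verify.php (hypothetical DSN and credentials):
// $pdo = new PDO('mysql:host=localhost;dbname=app', 'user', 'pass',
//     [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// echo verifyAccount($pdo, $_GET) ? 'Account activated.' : 'Invalid or already used link.';
```

The link is generated with the same function on the sign-up side, e.g. buildVerifyLink('http://website.com/email_updates/sign_up/verify.php', $email, $hash), so the value in the database and the value in the URL are identical byte for byte.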
I've got it working now, the single quotes did the trick. Thanks so much for the help, I really do appreciate it.