I'm trying to write something to verify a user's email address before setting the 'active' column in a database. I've been looking at the tutorial here 'http://net.tutsplus.com/tutorials/php/how-to-implement-email-verification-for-new-members/' but my problem is that when I get the email and hash from the URL it looks like this:
so when I compare it to my database email it doesn't match - since the database email is:
but it doesn't.. I tried using one equals sign but it just returns 1 for any email address in the database :S
I also tried just looking at mysql_num_rows like this:
$check = mysql_query("SELECT email, hash, active FROM users WHERE email='".$_REQUEST['email']."' AND hash = '".$_REQUEST['hash']."' AND active = '0'") or die('Sorry, a mysql error occurred');
$result = mysql_num_rows($check);
but it still doesn't work... In the tutorial I notice he calls variables from the url just by using $email and not $_GET['email'] or $_REQUEST['email'] but when I tried that it returns blank.. wtf?
Please help me, I feel like I'm ready to stab someone.
You are correct to be using $_POST or $_GET, as the old-fashioned use of the register_globals option (which created the global variables) is now deprecated due to its limited potential for bugs and security issues. (And I'd be reluctant to use any tutorial that depends on register_globals being in effect, as that indicates either it is quite dated material, or not provided by someone conversant with current best practices.)
As far as your problem, you need to find out where/why the "\'" characters are getting into the URL string and remove them. If not, the kludgy work-around would be to strip them out, maybe with something like:
$email = trim($_GET['email'], "\\'");
"Please give us a simple answer, so that we don't have to think, because if we think, we might find answers that don't fit the way we want the world to be."
~ Terry Pratchett in Nation
Maybe it is the % symbols? But then how do I change the above code to not escape or change the email and hash in any way?
Oh also when I was comparing the hash from the url with the database one I got around the same problem by adding \' to the start and end of the database hash (so it matched the link variable one) but it doesn't seem to work with email address..
The backslash is showing up because your PHP configuration has the dreaded magic_quotes_gpc enabled. See this blog post for a way to avoid its effects.
As far as $_GET or $_REQUEST, I would recommend using $_GET, since you know the value is coming to the page via the URL. $_REQUEST is for when you don't know if the data is going to come to the page via a GET request or a POST request. (I can't actually think of a situation where I actually needed/wanted to use $_REQUEST.)
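The verification step discussed in this thread, as an added example that is not code from any of the posts: it reads the values as they arrive in $_GET, passes them to the database as bound parameters so no quote escaping is involved, and compares the hash with hash_equals(). The users table and its columns follow the query in the question; verify_account(), the in-memory SQLite database (assumes pdo_sqlite) and the sample row are constructed for the demonstration.

```php
<?php
// Added example, not code from the thread. Table and column names follow the
// query in the question; verify_account() and the sample row are hypothetical.

function verify_account(PDO $db, string $email, string $hash): bool
{
    // Bound parameter: the value travels separately from the SQL text, so no
    // addslashes/magic-quotes style escaping is needed and a quote in the
    // input cannot change the query.
    $stmt = $db->prepare('SELECT hash FROM users WHERE email = :email AND active = 0');
    $stmt->execute([':email' => $email]);
    $stored = $stmt->fetchColumn();

    // hash_equals() compares in constant time; == on strings can also treat
    // "0e123" and "0e456" as equal numbers.
    if ($stored === false || !hash_equals((string) $stored, $hash)) {
        return false;
    }

    $upd = $db->prepare('UPDATE users SET active = 1 WHERE email = :email AND active = 0');
    $upd->execute([':email' => $email]);
    return $upd->rowCount() === 1;
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (email TEXT PRIMARY KEY, hash TEXT NOT NULL, active INTEGER NOT NULL DEFAULT 0)');
$token = bin2hex(random_bytes(16));
$db->prepare('INSERT INTO users (email, hash) VALUES (?, ?)')->execute(["o'brien@example.com", $token]);

// In a page these would be $_GET['email'] and $_GET['hash']; PHP has already URL-decoded them.
$cases = [
    'escaped value, as magic quotes would deliver it' => ["o\\'brien@example.com", $token],
    'wrong hash'                                      => ["o'brien@example.com", str_repeat('0', 32)],
    'correct link'                                    => ["o'brien@example.com", $token],
    'link reused after activation'                    => ["o'brien@example.com", $token],
];
foreach ($cases as $label => [$email, $hash]) {
    printf("%-50s %s\n", $label, verify_account($db, $email, $hash) ? 'activated' : 'rejected');
}
```

Only the "correct link" case prints "activated"; the backslash-escaped address is rejected because it no longer equals the stored one, which is the mismatch described in the question.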