2

I'm creating a form in PHP for resetting a user's password. When a user sends a reset request, a link for resetting the password is sent to the user's e-mail. The link is domain.com/index.php?link=reset-password&code=1_Xzpq+/F64xwZ/oQ/U4TkTQ==

1 = User_id
Xzpq.. = User password hash (Salted)

I need to explode the UserID and PasswordHash into variables.

My code:

function isValidPasswordResetToken($string) {
    global $sqlConnect;
    //$string_exp = explode('_', $string);
    list($user_id, $password) = explode('_', $string);
    //$user_id    = $string_exp[0];
    //$password   = $string_exp[1];
    if (empty($user_id) or !is_numeric($user_id) or $user_id < 1) {
        return false;
    }
    if (empty($password)) {
        return false;
    }
    $query = mysqli_query($sqlConnect, " SELECT COUNT(`user_id`) FROM " . USERS . " WHERE `user_id` = {$user_id} AND `password` = '{$password}' AND `active` = '1' ");
    return (Sql_Result($query, 0) == 1) ? true : false;
}

It works well, BUT when the PasswordHash is like Xzpq+/F64xwZ/oQ/U4TkTQ== (the hash contains a '+' character), it does not work. When the PasswordHash is m7c7Tn67QpI2eI1jLdqOEg==, it works without a problem.

Is there a chance to do this some other way that would support all characters? Or what am I doing wrong?

Thank you for every answer.

delboy1978uk
  • 1
    you're open to SQL injection and should address this immediately – treyBake Oct 26 '18 at 14:01
  • 2
    Am I the only one thinking that exposing passwords (regardless of whether they are hashed or not) is bad? – maio290 Oct 26 '18 at 14:06
  • 1
    I think [How to use password_hash](https://stackoverflow.com/questions/30279321/how-to-use-password-hash) is worth a read. – Nigel Ren Oct 26 '18 at 14:08
  • @maio290 This is not a script for encrypting passwords. This is only a script to pick the ID + password hash from the DB to identify the user for a password reset. – Pavel Madera Oct 26 '18 at 14:15

1 Answer

5

A + is used by browsers to replace spaces in the URL.

You just need to encode it first, and decode when you want to process it.

<?php

$x = urlencode('Xzpq+/F64xwZ/oQ/U4TkTQ==');
echo $x . "\n";
echo urldecode($x);

Output:

Xzpq%2B%2FF64xwZ%2FoQ%2FU4TkTQ%3D%3D 
Xzpq+/F64xwZ/oQ/U4TkTQ==

See it here https://3v4l.org/QUeXT

delboy1978uk
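
The two points raised on this page (the answer's URL encoding and the SQL injection comment) combined in one script, as an added example that is not part of the original question or answer. It keeps the question's `<id>_<hash>` code format; the `users` table layout, the helper names `buildResetLink()` and `parseResetCode()`, and the in-memory SQLite database via PDO (instead of the question's mysqli connection) are assumptions so that it runs stand-alone, and `parse_str()` stands in for how PHP fills `$_GET`.

```php
<?php
// Added example. Table layout, helper names and the SQLite store are assumptions.

// Percent-encode the code so "+", "/" and "=" survive the query string.
function buildResetLink(int $userId, string $hash): string {
    return 'https://domain.com/index.php?link=reset-password&code='
        . rawurlencode($userId . '_' . $hash);
}

// Split "<id>_<hash>" at the first underscore; null when malformed.
function parseResetCode(string $code): ?array {
    $parts = explode('_', $code, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])
        || (int) $parts[0] < 1 || $parts[1] === '') {
        return null;
    }
    return [(int) $parts[0], $parts[1]];
}

function isValidPasswordResetToken(PDO $db, string $code): bool {
    $parsed = parseResetCode($code);
    if ($parsed === null) {
        return false;
    }
    [$userId, $hash] = $parsed;
    // Bound parameter: user input never becomes part of the SQL text.
    $stmt = $db->prepare('SELECT password FROM users WHERE user_id = ? AND active = 1');
    $stmt->execute([$userId]);
    $stored = $stmt->fetchColumn();
    // Constant-time comparison of the stored value with the supplied one.
    return is_string($stored) && hash_equals($stored, $hash);
}

// Constructed sample data: the user and hash from the question.
$hash = 'Xzpq+/F64xwZ/oQ/U4TkTQ==';
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (user_id INTEGER PRIMARY KEY, password TEXT, active INTEGER)');
$db->prepare('INSERT INTO users VALUES (1, ?, 1)')->execute([$hash]);

$links = [
    'unencoded' => 'https://domain.com/index.php?link=reset-password&code=1_' . $hash,
    'encoded'   => buildResetLink(1, $hash),
];
foreach ($links as $label => $link) {
    parse_str(parse_url($link, PHP_URL_QUERY), $get); // decodes the way $_GET does
    $ok = isValidPasswordResetToken($db, $get['code']);
    printf("%-9s %-28s %s\n", $label, $get['code'], $ok ? 'valid' : 'rejected');
}
```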