How should I fix this? Symbols in $_GET

Question

For my email confirmation script, I generate a token by running the user's email address through my existing one-way encryption function and then grabbing 20 characters from the middle of it. I get the token back from the user as a $_GET variable or a $_POST variable. I ran into a "bug" where When an email address is entered that has a plus sign (+) in it, and then that token is retrieved back from the user as a $_GET variable, the plus sign gets converted to a space and the hash changes, therefor the token doesn't match anymore.

So, I'm wondering what the best way to work around this would be? Escape the plus sign? Convert the plus sign? URL encode it? What other characters will this happen to when I use $_GET?

Here is the pertinent code, in case it's helpful:

<?php
if (isset ($_GET['email'], $_GET['token'])) {
    $email = strtolower (mysql_real_escape_string($_GET['email']));
    $token = mysql_real_escape_string($_GET['token']);
    $correctToken = substr (doEncrypt ($email), -26, -6);
}elseif (isset ($_POST['submit'])) {
    $email = strtolower (mysql_real_escape_string($_POST['email']));
    $token = mysql_real_escape_string($_POST['token']);
    $correctToken = substr (doEncrypt ($email), -26, -6);
}

if (isset ($email, $token, $correctToken)){    
    if ($token == $correctToken) {
        // Confirm user's email!
    }
}
?>

Thank you very much! Billy

EDIT: OK, so the biggest question at this point is, is the plus sign the only character that's converted to a space when retrieved through $_GET? If it is, then it seems I could just add this within the $_GET section: $email = str_replace(' ', '+', $email); There is no other reason for a space to be within an email address, right?

Thanks again, Billy

Yes, [`urlencode`](http://php.net/urlencode) would be most appropriate (before you send that url per email). — mario, Jan 15 '12 at 04:57
possible duplicate of [PHP - Plus sign with GET query](http://stackoverflow.com/questions/2671840/php-plus-sign-with-get-query) — mario, Jan 15 '12 at 05:00
possible duplicate of [In PHP when submitting strings to the database should I take care of illegal characters using htmlspecialchars() or use a regular expression?](http://stackoverflow.com/questions/2993027/in-php-when-submitting-strings-to-the-database-should-i-take-care-of-illegal-cha) — , Jan 15 '12 at 05:32

njbair · Accepted Answer · 2012-01-15T20:36:05.613

0

If it were me, I would do a str_replace() to convert plus signs to spaces before hashing. Put the str_replace() within the hashing function; that way the user's email address is only modified within the function's scope, and remains unaltered for the rest of the script.

function hash_email($email)
{
  $email = str_replace('+', ' ', $email);

  ...hashing stuff happens here...

  return $token;
}

$token = hash_email($_GET['email']);

edited Jan 15 '12 at 20:36

answered Jan 15 '12 at 05:01

njbair

1,982
16
14

The only problem with that is that I would have to do it in several places and then also worry about using the incorrect email for the user at some point. What about converting spaces to plus signs before calculating the correct token? I could do this within the `if (isset ($_GET['email']))` section only? See my edit. Thanks for the response @njbair! – JeepFreak Jan 15 '12 at 14:39

How should I fix this? Symbols in $_GET

1 Answers1