I think I’ll mod my script and pass just the e-mail which works great, then make the invited user fill out the form saying who referred them. It would be more secure and makes sure people aren’t messing around with the names.
I think you are making this too complicated.
If you have two scripts called one.php and two.php you probably have one.php calling two.php with a url that contains the parms that you are passing.
With this assumption,
$my_url = str_replace(" ", "??", "https://firstname.lastname@example.org&user=Frank Bob");
$my_parms = str_replace("??", " ", $_SERVER['QUERY_STRING']);
Then let two.php deal with the $my_parms variable in the same way that you have been handling it.
Also, I normally do not pass data using the GET functions. That can be hacked with ease.
I usually pass them using the SESSION variables which are less easy to be hacked. Also, when using them, you can pass full strings and not worry about quotes or spaces. Just pass the string.
Sorry if this just adds more to your thoughts about this…
I see what you are saying. Someone could easily change the passed variables?
It is true that passing variables on the tail of a URL is not secure. From your original post, I assumed that you were doing it that way and felt that the application didn’t require much security. If you were passing the variables as a SESSION variable, the blanks wouldn’t have been an issue.
If you don’t have control over the calling module (one.php in my example), the called module (two.php) could simply translate the QUERY_STRING in a similar manner. If the URL tail contains blanks, they are generally translated to %20 (the hex representation for an ASCII blank). So you could simply use:
$my_parms = str_replace("%20", " ", $_SERVER['QUERY_STRING']);
If this application is dealing with data that must be protected, it would make sense to put it in a session variable so:
I don’t know if sessions would work as one.php sends an e-mail to the user who then, later, clicks a link in that e-mail which then goes to two.php
In any case, I gave up the project. Maybe I’ll look at it again some other day.
Zoldos, I do verification emails all the time. Like if you change your password on my football pool, it sends a verification to you to ask if it was really you who changed the password. The owner clicks the link in the email and it sends the results back to a secret page that does the actual change of the password.
This is not done with sessions as they only work if you are still on the site. Emails drop out of the site.
But, that can be done. Sorry you are putting it aside. It can be done… But, cya in the next post…
I saved all the source, so may take another look down the road. I’ve just launched a co-owned forum so I’m busy ATM! hehe Thanks!
This is an XY Problem. You are still describing HOW you are trying to accomplish something. I want to know WHAT you are trying to accomplish. What is the overall summary of this project?
Why are you sending the data in the URL to begin with?
My suggestion to this, could actually be two different ways really.
encode the entire string then parse them on receipt.
It’s a custom coded invite system I wrote for one of my sites. First, an existing member refers someone via e-mail on the first php page. This sends an e-mail to the invitee, providing a link. They click the link and this then goes to the second php page passing their e-mail via the link. On the second page, it asks them to provide certain site info, automatically filling in the e-mail that was passed. Then when complete, I get a message and then setup the account.
@astonecipher This should answer your question as well as to why I’m passing data via URL.
And I would still encode the string. How you do that is up to you, but the link should be directing with something not as specific.
Then on the receiving side,
should produce something like this:
[name] => John Smith
[email] => email@example.com
Looks cool. If I ever work on it again, I’ll look more into this! Thanks!
Okay, I’m taking another look at this. I want to pass a submitted e-mail, and a submitted username via a link, then when the invitee clicks the link, the passed values are inserted on the second php page. Can you help?
Well, Zoldos, I will throw out another idea…
I have one site that does a sort of system that might be what you want. It allows for a reset of the password by sending an email to the user with an encoded link like Astonecipher showed you. Basically, what he was saying is that you can use the base64_encode() function to create a more hidden value for the link that you send to the user in the email. In other words, he showed you if you decode the link, it shows you an array or in this case a json_decode array with [name] and [email] as the outputs. To create the inputs, you basically just do the opposite. base64_encode(json_encode(“your full link string”)) and it will create a link like Astone showed you. Then, you pass that as the link inside the user’s email. Hackers can not duplicate that and you can validate it in several ways so hackers can not send fake data. The user will get an email with a link that is like Astone showed you, but, of course they would see “Click-Here” or something like that.
Not sure if all that makes sense. Just trying to explain what he meant in more detail.
Astonecypher, perhaps you can give him the ENCODE part so he can understand it better…
Yes, I see what you are saying. I have no idea how to do it tho. hehe And the encode/decode works in PHP?
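$email = "firstname.lastname@example.org";
$username = "astonecipher";
// base64 output can contain "+", "/" and "=", so URL-encode it before it goes into the query string
$link = urlencode(base64_encode(json_encode(["email" => $email, "username" => $username])));
$message = "https://xxxxx.net/index.php?link=$link";
echo $message;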
I see what you did there and raise you one snippet.
$email = "email@example.com";
$username = "astonecipher";
$link = "email2=$email&user=$username";
echo $str = bin2hex($link);
echo '<br>';
echo hex2bin($str);
Zoldos, what these great programmers are explaining is that you can “encode” your email and username combo which is basically just a string. There are many ways to encode this data so the general user can not see the plain text. Either of the ways just shown will work well for you and hide the data in an encoded way. Since general users are not hackers, it is safe to send the data this way.
Hope that helps clear up what they are telling you…
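Base64 and hex are reversible encodings, so a link built with them can be decoded, changed and re-encoded by whoever receives it. The following PHP is an added example, not code from any poster in this thread: it signs the same email/username payload with an HMAC so the receiving page can reject an edited or expired link. `INVITE_KEY`, the function names and the sample values are assumptions made for the illustration.

```php
<?php
// Added example; every name below is hypothetical.
// INVITE_KEY is a placeholder: load a long random secret from server-side config.
const INVITE_KEY = 'replace-with-a-random-secret-from-config';

// URL-safe base64 so the token needs no further escaping in a query string.
function b64url_encode(string $bin): string {
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

// Returns the decoded bytes, or false if the input is not valid base64.
function b64url_decode(string $txt) {
    $txt = strtr($txt, '-_', '+/');
    return base64_decode(str_pad($txt, (int) (ceil(strlen($txt) / 4) * 4), '='), true);
}

// Token layout: base64url(JSON payload) . "." . base64url(HMAC-SHA256 of the payload part)
function make_invite_token(string $email, string $username, int $ttl = 604800): string {
    $body = b64url_encode(json_encode(
        ['email' => $email, 'username' => $username, 'exp' => time() + $ttl]));
    $mac = b64url_encode(hash_hmac('sha256', $body, INVITE_KEY, true));
    return "$body.$mac";
}

// Returns the payload array, or null if the token is malformed, altered or expired.
function read_invite_token(string $token): ?array {
    $parts = explode('.', $token);
    if (count($parts) !== 2) return null;
    [$body, $mac] = $parts;
    $expected = b64url_encode(hash_hmac('sha256', $body, INVITE_KEY, true));
    if (!hash_equals($expected, $mac)) return null;   // constant-time comparison
    $data = json_decode((string) b64url_decode($body), true);
    if (!is_array($data) || ($data['exp'] ?? 0) < time()) return null;
    return $data;
}

// one.php side: build the link that goes into the invite e-mail (constructed values).
$token = make_invite_token('invitee@example.com', 'Frank Bob');
echo "https://xxxxx.net/index.php?link=$token\n";

// two.php side: a token that comes back untouched verifies and yields the payload.
var_dump(read_invite_token($token));

// A payload re-encoded with a different username, reusing the old signature:
// the MAC no longer matches the body, so read_invite_token() refuses it.
[$body, $mac] = explode('.', $token);
$edited = json_decode(b64url_decode($body), true);
$edited['username'] = 'someone else';
var_dump(read_invite_token(b64url_encode(json_encode($edited)) . '.' . $mac));
```

The payload is signed, not encrypted, so the invitee can still read the e-mail and username in it; the signature only guarantees the values are the ones the server issued.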
Hmmm…looks interesting, but I decided to use my code as is. It works great for my purposes, and is secure IMO. Thanks so much!