
Query string keeps appending but it shouldn’t

So my problem is that when I send an email with a link to reset the password, the query string gets appended each time. For example:

99cb65f44c7acf7f80610e92358ca7ce006b852fb9d7be716154c0fe5a954867b87a4b281a7b42f5208dbbbac0a6d3de7444575b41b6a307a2fdd00e3b6d2cae <= First query string, as I want to have it

Then when I send a new email with a new token, the variable will append the old value to the new one like this:

350527f600af41b3333ac73b0cab8592ad36d6cf57556e6e8dfe8d7f1640345503c98ce691651d1b8e7c85ab9fd963efda1a0b5c754abc2855f43e5d11ffd2ab99cb65f44c7acf7f80610e92358ca7ce006b852fb9d7be716154c0fe5a954867b87a4b281a7b42f5208dbbbac0a6d3de7444575b41b6a307a2fdd00e3b6d2cae <= Second query string, which is wrong and shouldn't get appended

And this continues all the time.

So here is my HTML form:

<form method="POST" action="php/PasswordReset.php" id="form1" class>
    <div>
        <div class="d-flex justify-content-center wow fadeIn" style="padding-top: 50px">
            <label>Enter your Username</label>
        </div>
        <div class="d-flex justify-content-center wow fadeIn">
            <input ID="CheckTBox" class="col-md-2 form-control" type="text"/>
        </div>
        <div class="d-flex justify-content-center wow fadeIn">
            <button ID="CheckBtn" type="button" class="btn btn-outline-primary">Search</button>
        </div>
        <div class="d-flex justify-content-center wow fadeIn" style="padding-top: 10px">
            <label ID="ErrorLbl"></label>
        </div>
        <div>
            <footer class="fixed-bottom bg-light wow fadeIn">
                <div class="container">
                    <div class="d-flex justify-content-center pt-3 pb-3">
                        <?php $year = date("Y") ?>
                        <label ID="CurrentYear" class="text-dark"></label>
                    </div>
                </div>
            </footer>
        </div>
    </div>
</form>

Now when I press the search button, it goes through an AJAX call. That's the AJAX code:

$(document).ready(function () {
    $("#CheckBtn").on("click", function () {
        var username = $("#CheckTBox").val();
        if (username != "") {
            $.ajax({
                url: "./php/PasswordReset.php",
                method: "POST",
                data: {
                    reset: 1,
                    username: username,
                },
                success: function (response) {
                    $("#ErrorLbl").html(response);
                },
                dataType: "text"
            });
        } else {
            $("#ErrorLbl").html("<font color='red'>Input is empty!</font>")
        }
    })
})

After that it will go to the PHP file with this code:

$conn = DB();

$guid = new GlobalClass();
$sender = $guid->sender;
$f_location = "../Emails/PasswordReset.html";
$hashed = hash("sha512", $guid->GUID());

if (isset($_POST["reset"])) {
    $sql = $conn->prepare("SELECT * FROM users WHERE username = :user ");
    $sql->bindParam(":user", $_POST["username"]);
    $sql->execute();
    $row = $sql->fetch();
    if ($row) {
        $email = $row["email"];
        $acc_guid = $row["guid"];
        $id = $row["id"];
        $old_str = "some text in file that should be find";
        $new_str = "link of the website" . $hashed;
        $f = file_get_contents($f_location);
        $f = str_replace($old_str, $new_str, $f);
        file_put_contents($f_location, $f);
        $r = file_get_contents($f_location);
        if (SendEmail($sender, "Admin", $email, "Reset Password", $r, true)){
            echo "<font color='green'>Email has been sent!</font>";
            $insert = $conn->prepare("INSERT INTO sha_codes (id, code, guid, email) VALUES (:id, :code, :guid, :email)");
            $insert->bindParam(":id", $id);
            $insert->bindParam(":code", $hashed);
            $insert->bindParam(":guid", $acc_guid);
            $insert->bindParam(":email", $email);
            $insert->execute();
        }
    } else echo "<font color='red'>No user has been found!</font>";
}

So now you see the $hashed variable there. When I echo it, it gives me the right output that I want to have (example at the top). But when I send an email again, the variable will append the previous value to the new one, and the query string will get longer and longer, and because of the appending I can't find the value in my MySQL database. I also checked my PasswordReset.html file, but there is nothing wrong with it.


Answer

So what’s happening is you’ve got PasswordReset.html that presumably has some HTML like

<a>some text in file that should be find</a>

You’re then overwriting that to include a link so it ends up something like

<a href="link of the website?99cb65f...">some text in file that should be find</a>

And then next time you do this, you then do the same replace, and rewrite the file, so each time you’re going to be adding the hash, and possibly duplicating the link (without seeing exactly what PasswordReset.html is, and what you’re inserting for the link, it’s hard to diagnose exactly).

Stop rewriting the file each time, you’ve already got the content you need in your variable $f. Instead of

file_put_contents($f_location, $f);
$r = file_get_contents($f_location);
if (SendEmail($sender, "Admin", $email, "Reset Password", $r, true)){

do

if (SendEmail($sender, "Admin", $email, "Reset Password", $f, true)){
User contributions licensed under: CC BY-SA
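
An added example, not part of the original answer or the asker's project: rendering the reset email in memory so the template on disk is never modified. Writing the filled-in template back means every later email carries the previous requester's token, which is what the growing query string shows. The helper name, the `{{RESET_LINK}}` placeholder, the example.test URL and the use of random_bytes in place of the page's hash("sha512", GUID) are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: fills the placeholder in memory and never writes the template back.
function renderResetEmail(string $templatePath, string $placeholder, string $resetUrl): string
{
    $template = file_get_contents($templatePath);
    if ($template === false) {
        throw new RuntimeException("Cannot read template: $templatePath");
    }
    // Escape the URL for the HTML attribute it is inserted into.
    $safeUrl = htmlspecialchars($resetUrl, ENT_QUOTES, 'UTF-8');
    $body = str_replace($placeholder, $safeUrl, $template, $count);
    if ($count !== 1) {
        // Zero hits usually means an earlier send overwrote the template on disk.
        throw new RuntimeException("Expected exactly one placeholder, found $count");
    }
    return $body;
}

// Constructed sample template, written to a temp file so the example runs offline.
$path = tempnam(sys_get_temp_dir(), 'tpl');
$original = '<p>Reset your password: <a href="{{RESET_LINK}}">click here</a></p>';
file_put_contents($path, $original);

// Two reset requests with different tokens (constructed values).
$tokenA = bin2hex(random_bytes(32));
$tokenB = bin2hex(random_bytes(32));
$base = 'https://example.test/reset.php?code='; // placeholder URL, not from the page

$mailA = renderResetEmail($path, '{{RESET_LINK}}', $base . $tokenA);
$mailB = renderResetEmail($path, '{{RESET_LINK}}', $base . $tokenB);

// Each body must contain only its own token, and the file must be unchanged.
$checks = [
    'mail A has token A only' => strpos($mailA, $tokenA) !== false && strpos($mailA, $tokenB) === false,
    'mail B has token B only' => strpos($mailB, $tokenB) !== false && strpos($mailB, $tokenA) === false,
    'template unchanged'      => file_get_contents($path) === $original,
];
foreach ($checks as $label => $ok) {
    echo $label, ': ', var_export($ok, true), PHP_EOL;
}
unlink($path);
```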