I'm working on an application that has a public registration form that sends an account activation link via email. This link includes a hash signature and an email address, like so:
https://example.com/activate.php?email=example%40example.com&signature=a74131ac929229f5803999510a5f4a2a
This link is included in the body of an HTML email template. The hyperlink is built like this:
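    // Percent-encode the address for use as a query-string value.
    // PHP's built-in function is urlencode(); there is no built-in url_encode().
    $encoded_email = urlencode($email);
    $url = "https://example.com/activate.php?email={$encoded_email}&signature={$signature}";
    // Append the activation link to the HTML body of the email.
    $body .= <<<HTML
    <p>Use this link to activate your account</p>
    <p><a href="{$url}">{$url}</a></p>
    HTML;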
When the URL is hit, it looks up the registration details and key it needs to verify the signature based on the email address. It works most of the time, but sometimes, the query returns no registration details. The email parameter in the link is somehow not always matching the one stored in MySQL.
    dal::query(
        "select
            secret,
            email
        from
            registration_details
        where
            email = ?", $_GET["email"]
    );
Are email clients messing with the email parameter in my link? Any help would be appreciated.
I realize more logging may help me troubleshoot this, but I'm not there yet.
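
An added example, not part of the original post and not the poster's code: one way to build and verify such a link so that the email value is encoded once for the query string, escaped separately for the HTML attribute, and compared in a single canonical form. The function names, the HMAC-SHA256 signature, the lowercase/trim normalization and the sample values are assumptions.

```php
<?php
// Added example (not the poster's code). Function names, HMAC-SHA256, the
// lowercase/trim canonical form and the sample values are assumptions.

// Canonical form, applied both when the row is stored and when it is looked up.
function normalize_email(string $email): string {
    return strtolower(trim($email));
}

function sign_email(string $email, string $secret): string {
    return hash_hmac('sha256', normalize_email($email), $secret);
}

// Query-string context: percent-encode every value (RFC 3986, so "+" -> %2B).
function build_activation_url(string $email, string $secret): string {
    $query = http_build_query([
        'email'     => normalize_email($email),
        'signature' => sign_email($email, $secret),
    ], '', '&', PHP_QUERY_RFC3986);
    return 'https://example.com/activate.php?' . $query;
}

// HTML context: escape the finished URL separately, so "&" is emitted as "&amp;".
function activation_link_html(string $url): string {
    $safe = htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<p><a href=\"{$safe}\">{$safe}</a></p>";
}

// $params stands in for $_GET, which PHP has already URL-decoded.
// In the application, $secret would come from the row found by the normalized email.
function verify_activation(array $params, string $secret): bool {
    $email = normalize_email((string)($params['email'] ?? ''));
    $signature = (string)($params['signature'] ?? '');
    // hash_equals compares in constant time.
    return $email !== '' && hash_equals(sign_email($email, $secret), $signature);
}

// Constructed sample input.
$secret = 'constructed-demo-secret';
$url = build_activation_url(' First.Last+tag@Example.com ', $secret);
echo activation_link_html($url), PHP_EOL;

// Simulate the incoming request: parse_str decodes the query as PHP does for $_GET.
parse_str((string)parse_url($url, PHP_URL_QUERY), $params);
var_dump($params['email'], verify_activation($params, $secret));

// The same address with a literal "+" in the query arrives with a space instead.
parse_str('email=first.last+tag@example.com', $raw);
var_dump($raw['email']);
```

Logging the decoded `$_GET["email"]` next to the stored value for a failing request shows which of these contexts, if any, changed the address in transit.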