D-Inventor

Reputation: 480

php mail html format link remains inactive

I wanted to make a mail function in php to let visitors create and activate a user account. For this I made a mail with a link which refers to the page that activates the account. Now the problem is that some people want to use characters that interfere with the code inside the email. for example: " " and ' '. I tried to escape these characters, but when such character appears, the link becomes inactive. The mail is sent, but the link is unclickable.

This is what the code looks like.

The variables are set in PHP

$New_user->Username = $db->real_escape_string($_POST['un']);
$RawUn = $_POST['un'];
$New_user->Password = $_POST['pw'];
$New_user->Email = $_POST['em'];
$CheckEmail = explode("@", $New_user->Email);
$New_user->Country = $_POST['cn'];
$New_user->City = $_POST['ct'];
//$NEW_USER IS AN OBJECT CREATED TO HOLD ACCOUNT INFORMATION SUCH AS USERNAME AND EMAIL
//$RAWUN IS A VARIABLE TO HAVE AN UNESCAPED VALUE OF THE USERNAME TO INSERT IN THE INPUT FIELD IF SOMETHING WENT WRONG

After checking the values, the mail is sent:

$message = array(   
    'Hello ' . $New_user->Username . ',<br/>',
    '<br/>',
    'Welcome to MakeAMemo.<br/>',
    'To start working with your account you will have to activate it.<br/>',
    'Just click on the <a href="localhost/makeamemo.com/ConfirmAccount.php?Un=' . str_replace(" ", "+", $New_user->Username) . '&Em=' . $db->real_escape_string($New_user->Email) . '&Action=Create">link</a> and you are ready to go.<br/>',
    'Log in and check if it works. If not, please contact us(E-mail is on the website).<br/>',
    'Your password: ' . $New_user->Password . '<br/>',
    '<br/>',
    'Kind regards,<br/>',
    '<br/>',
    'Administration');
$header =   array(
    'From: [email protected]',
    'Reply-To: [email protected]',
    'Content-type: text/html');
mail($New_user->Email,"MakeAMemo => New account",implode("\r\n", $message),implode("\r\n", $header));

I have made a connection to the database, so the escaping using $db->real_escape_string works fine. The location of the link will be changed when the website is finished. I checked if the code worked without the str_replace in the href. No success. Nor did I have success trying to not escape the username. The tags are invisible in the mail, so it is recognised. The link is not blocked, because it does work when I don't use special characters. When changing the double quotation marks into single quotation marks, you reverse the effect, which means that instead of " ", ' ' don't work. I do not think the headers have something to do with it, because the link does work when using normal characters.

Any idea what the cause of my problem is? Every answer is appreciated.

adear11: here is the generated tag:

<a href="localhost/makeamemo.com/ConfirmAccount.php?Un=%22s+avonds&Em=dennis.heutinck%40gmail.com&Action=Create">link</a>

"s avonds is an incorrect Dutch word that contains some of the characters that need to be tested.

Upvotes: 0

Views: 126

Answers (1)

adear11

Reputation: 945

Rather than using str_replace in your email, you should use urlencode http://php.net/urlencode

This function is specifically for encoding strings for use in urls

As for the link not always working when it is formed properly, that would be because the user isn't using HTML email.

Also, while not specific to your problem, this script is crazy insecure. You never ever ever need to use user supplied input ($_POST in your case) without sanitizing the input first. At a minimum, all of those assignments need to be run through htmlspecialchars.

Update

Given the trouble that you are having, I would consider not passing the actual data around in the URL. Rather, I would save the data to the DB and then generate a token to put in the url. If you generate a token with uniqid you won't have any trouble with these special characters because the string will be alphanumeric. Once the user clicks the link, just grab the data associated with the token and proceed as you would if the data was in the URL.

Upvotes: 1
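Both fixes from the answer carried through, as an added example that is neither the asker's nor the answerer's code: the URL is built with http_build_query (urlencode per value) and escaped again for the HTML attribute, the username is passed through htmlspecialchars before it goes into the body, and the token variant stores the data and mails only a random hex string. It assumes a mysqli connection in $db, a hypothetical pending_activations table, and a placeholder base URL; random_bytes() is used instead of the uniqid() the answer mentions, because uniqid() is time-based and guessable.

```php
<?php
// Added example, not the asker's or the answerer's code. Shows the two fixes
// from the answer: (1) URL-encode the query values and HTML-escape the body,
// (2) better, store the data and mail only an opaque token.
// Assumptions: $db is a mysqli connection; table pending_activations
// (token CHAR(64) PRIMARY KEY, username, email, created_at) exists; the base
// URL is a placeholder for the asker's localhost path.
const ACTIVATE_URL = 'https://example.invalid/ConfirmAccount.php';

// (1) Data in the URL, encoded for both contexts: URL first, then HTML attribute.
function activationLinkFromData(string $username, string $email): string
{
    // http_build_query urlencodes every value, so '"', ' ', '&' and '@' cannot end the query string.
    $url = ACTIVATE_URL . '?' . http_build_query(
        ['Un' => $username, 'Em' => $email, 'Action' => 'Create']);
    // The URL sits inside href="...", so escape it for HTML too ('&' -> '&amp;', '"' -> '&quot;').
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">link</a>';
}

// (2) Store the data, mail only a token. random_bytes() instead of uniqid(): uniqid() is guessable.
function createActivationToken(mysqli $db, string $username, string $email): string
{
    $token = bin2hex(random_bytes(32)); // 64 hex chars: URL-safe, nothing to escape
    $stmt = $db->prepare('INSERT INTO pending_activations (token, username, email, created_at)'
        . ' VALUES (?, ?, ?, NOW())');
    $stmt->bind_param('sss', $token, $username, $email); // prepared: no real_escape_string needed
    $stmt->execute();
    return $token;
}

function activationMailBody(string $username, string $token): string
{
    $safeName = htmlspecialchars($username, ENT_QUOTES, 'UTF-8'); // user input placed into HTML
    $link = ACTIVATE_URL . '?token=' . $token;                     // token is [0-9a-f] only
    return 'Hello ' . $safeName . ',<br/><br/>Just click on the <a href="' . $link
        . '">link</a> to activate your account.<br/>';
}

// ConfirmAccount.php side: look the token up; Un and Em never travel in the URL.
function pendingByToken(mysqli $db, string $token): ?array
{
    if (!preg_match('/^[0-9a-f]{64}$/', $token)) {
        return null; // malformed token: reject before touching the database
    }
    $stmt = $db->prepare('SELECT username, email FROM pending_activations'
        . ' WHERE token = ? AND created_at > NOW() - INTERVAL 1 DAY');
    $stmt->bind_param('s', $token);
    $stmt->execute();
    return $stmt->get_result()->fetch_assoc() ?: null; // caller creates the account, then deletes the row
}
```

The one-day age check on the lookup makes a leaked or forwarded link expire; deleting the row once the account is created makes it single-use.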
