
What's the Risk in Removing encodeURIComponent in Forgot Password Script?

Posted: Sun Jun 28, 2015 8:12 pm
by Louis Adekoya

In my database, usernames must be email addresses, so in following the instructions for implementing the Password Recovery feature, I have modified the sendEmail script by removing encodeURIComponent from the query trying to find user by username. Without this, I was getting a "User not found" error every time.

My question is: am I risking anything by removing encodeURIComponent from the query? Why was it included in the first place? Must I now add some additional validation to prevent users from adding certain characters to the username?
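The following is an added illustration, not code from the original post or from the product whose Password Recovery instructions are being followed. It shows what encodeURIComponent actually protects when a username that is an email address is placed into a URL query string, and what a server-side parser sees when the encoding is dropped. The endpoint URL and the `username` parameter name are assumed placeholders; the sample email addresses are constructed.

```javascript
// Added example (not from the original post): percent-encoding a username
// that is an email address before it goes into a URL query string, compared
// with sending it raw. Endpoint and parameter name are assumed placeholders.
const LOOKUP_ENDPOINT = "https://example.invalid/api/users"; // assumed placeholder

// Lookup URL with the username percent-encoded (the original script's form).
function buildEncodedUrl(username) {
  return `${LOOKUP_ENDPOINT}?username=${encodeURIComponent(username)}`;
}

// Lookup URL with the raw username (the form after encodeURIComponent is removed).
function buildRawUrl(username) {
  return `${LOOKUP_ENDPOINT}?username=${username}`;
}

// Simulate the server side: parse the query string the way a typical
// application/x-www-form-urlencoded parser does and report what it recovers.
function parseUsernameFromUrl(url) {
  const params = new URL(url).searchParams;
  return {
    username: params.get("username"),
    // Any parameter other than "username" means the raw value broke out of
    // its own field and introduced a new key the server never expected.
    extraKeys: [...params.keys()].filter((k) => k !== "username"),
  };
}

// Compare both forms for one username: does the server get the original back?
function compare(username) {
  const enc = parseUsernameFromUrl(buildEncodedUrl(username));
  const raw = parseUsernameFromUrl(buildRawUrl(username));
  return {
    encodedRoundTrips: enc.username === username,
    rawRoundTrips: raw.username === username,
    rawExtraKeys: raw.extraKeys,
  };
}

// Constructed sample usernames. All three are syntactically valid email
// addresses; only the first survives a raw query string unchanged.
const SAMPLE_USERNAMES = [
  "alice@example.com",              // '@' is tolerated in a query component
  "bob+news@example.com",           // '+' is read as a space by the parser
  "carol&admin=true@example.com",   // '&' and '=' start a second parameter
];

for (const u of SAMPLE_USERNAMES) {
  console.log(u, JSON.stringify(compare(u)));
}
```

The point for the question above: encodeURIComponent is there to keep the username intact in transit as a single query parameter, not to validate it. Without it, an address containing `+` is silently altered (so the lookup fails for that user), and one containing `&` or `=` splits into extra parameters the server did not ask for. Restoring the encoding, or validating the username against a strict email pattern on the server, addresses that; whatever the backend does with the value inside its own query still needs the backend's own escaping, which this client-side step does not provide.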