User Names with ' Or - Won't Work On Mobile - php

I have this bit of code here which is part of a PHP login form which takes a user's first and last name and a password.
$first_name = SANITIZE(trim(strtolower($_POST["f_name"])));
$last_name = SANITIZE(trim(strtolower($_POST["l_name"])));
These work fine on desktop for any kind of name but on mobile there seems to be an issue with names that have either a ' or a - in them. So for example Shaquille O'Neal can log in just fine on desktop with his first and last name, but if he tries to log in with mobile something happens with the apostrophe in his name and it says the user doesn't exist. Any ideas why this might happen? Has been tested on both iPhone and Android phones with the same result.

Try testing this with htmlspecialchars(). Sometimes special characters don’t play nice when entering data into forms or displaying it from a database.

Try getting the character codes and comparing with the database.
Although ASCII only has one code for single quote (not counting back quote) UTF character sets have multiple ones. Similar for '-'. Mobile devices with "smart" keyboards may substitute what they think is a more grammatically correct letter.
Previously I wrote this which is wrong:
If this is the case you fix this by specifying that your webserver (at least for the login page) only wants ASCII with the header:
Accept: text/html;charset=US-ASCII, text/plain;charset=US-ASCII
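An added example, not from the original posts, of the check suggested above: dump the code points of the submitted name, and fold the typographic apostrophes and dashes that mobile keyboards insert into their ASCII forms before the lookup. The mapping table and the function names are assumptions made for this example; the same normalization has to be applied when the name is stored, and the result belongs in a parameterized query.

```php
<?php
declare(strict_types=1);

// Look-alikes that "smart" keyboards insert, keyed by the ASCII character
// they replace. The list is an assumption for this example, not exhaustive.
const NAME_LOOKALIKES = [
    "'" => ["\u{2018}", "\u{2019}", "\u{02BC}", "\u{2032}"],
    "-" => ["\u{2010}", "\u{2011}", "\u{2012}", "\u{2013}", "\u{2014}", "\u{2212}"],
];

/** Code points of a UTF-8 string, for comparing form input with the stored value. */
function codepoints(string $s): string
{
    $out = [];
    foreach (mb_str_split($s, 1, 'UTF-8') as $ch) {
        $out[] = sprintf('U+%04X', mb_ord($ch, 'UTF-8'));
    }
    return implode(' ', $out);
}

/** Canonical form used both when a name is stored and when it is looked up. */
function normalize_name(string $raw): ?string
{
    if (!mb_check_encoding($raw, 'UTF-8')) {
        return null; // reject malformed input instead of guessing
    }
    foreach (NAME_LOOKALIKES as $ascii => $variants) {
        $raw = str_replace($variants, $ascii, $raw);
    }
    return mb_strtolower(trim($raw), 'UTF-8');
}

// Constructed sample input: the same surname typed on a desktop keyboard
// and on a phone that substitutes a right single quotation mark.
$desktop = "O'Neal";
$mobile  = "O\u{2019}Neal";

echo codepoints($desktop), "\n";
echo codepoints($mobile), "\n";
var_dump(normalize_name($desktop) === normalize_name($mobile));
```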

Related

php remove unknown characters

I am building a web application which will run in electron with angular as a frontend framework and laravel as a backend framework. In the application it's possible to login with a smartcard (thanks to node-pcsclite), it reads the bytes on the smartcard and then I convert them.
The smartcard contains a code which is linked to the staff table in my MSSQL database. I can retrieve the code from the smartcard and I can log into the application when it uses mysql as database server.
Now when I'm trying to do the same but with mssql, I get an error which should be viewed in html mode instead of the error page itself.
(The code can be alphanumeric)
So it adds all these strange characters (probably non-existing characters), not that much of a problem right? At least, that's what I thought. So I tried to fix it by using this code inside my laravel controller:
preg_replace('/[^A-Za-z0-9\-]/', '', $string);
This didn't solve anything. Then I thought I might have a problem with the query, so I ran SQL Profiler. The problem is that (probably because of the special characters) the query is broken.
select top 1 * from [Staff] where [CodeInit] = '
go
So does anyone know how to really remove the strange characters?
If you need more information feel free to ask.
I had this problem and landed to this question when searching for a solution. I was unable to find any fix.
The string with non-printable characters was retrieved from mdecrypt_generic(), so I wanted a way to remove those characters. When I copy and paste the retrieved value from the browser to the Brackets text editor, it shows these red dots.
I just pasted it into Google and then it was encoded to %10. Nothing has helped till now, so as a temporary solution I just used rtrim() to remove those dots.
Copy the dot in brackets and replace with "DOT_HERE".
rtrim(rtrim($pvp, "DOT_HERE"), "\0\4");
"\0\4" will remove only nulls and EOT but not that dot character(%10).
Further here is a screenshot with that red dot. You can use Brackets text editor to see this.
Note that $pvp is the decrypted text.

How to get special characters in URL variables to output correctly using PHP and GET

I've an issue I've just encountered (once the web app is already up and running for a week!) and I can't seem to solve it, and I'm sort of rushing through it in order to fix it before it continues malfunctioning.
I've coded a neat little Christmas card for a business and the user inputs his/her name and the name of someone else and then sends it, so the card says TO: JOHN, FROM: PAUL, basically.
This info is sent via URL vars and then, of course, I use GET to retrieve it and output the message.
Of course, it's a card one can use from anyone and to anyone... but I tested it only in English (my bad). So when the first Martín or Sören comes around and uses the card, they get From: Martã­n, From: Sã¶ren...
Obviously, that doesn't work.
So I'm guessing I need to find a way either to transform the special character from the input field into the URL or from the URL to the output message. (While we're on the subject: which would you recommend?)
However, I can't get it to work. I've tried finding which character codes work when sent through the URL.
I've noticed URLs usually substitute certain characters and especially white spaces with a % and something else (a coding method whose name I don't know; can anyone enlighten me on that, please?). But when I try %C3%AD, which, according to a website I found, is the code for í, as in my example Martín, I continue to get the ã­, as these codes in the URL are automatically changed to their special character.
I've also tried í, í but to no avail!
You can try using rawurlencode, check out the examples there. Hope this helps.
http://www.php.net/rawurlencode
http://www.php.net/manual/en/function.rawurldecode.php
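An added example, not from the original posts, showing the full round trip for the card: rawurlencode() when the link is built, then output declared as UTF-8 and HTML-escaped. The sequence %C3%AD is the UTF-8 encoding of í, and it shows up as two garbled characters when the page is read as ISO-8859-1. The URL, parameter names and function names are assumptions made for this example.

```php
<?php
declare(strict_types=1);

/** Build the card link; rawurlencode() percent-encodes every UTF-8 byte. */
function card_url(string $base, string $to, string $from): string
{
    return $base . '?to=' . rawurlencode($to) . '&from=' . rawurlencode($from);
}

/** Read one decoded query value; null if it is missing or not valid UTF-8. */
function query_name(string $queryString, string $key): ?string
{
    parse_str($queryString, $params); // same decoding PHP applies to $_GET
    $value = $params[$key] ?? null;
    if (!is_string($value) || !mb_check_encoding($value, 'UTF-8')) {
        return null;
    }
    return $value;
}

/** Render the message as UTF-8 HTML with both names escaped. */
function render_card(string $to, string $from): string
{
    $e = fn(string $s): string =>
        htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<!doctype html><meta charset="utf-8">'
        . '<p>TO: ' . $e($to) . ', FROM: ' . $e($from) . '</p>';
}

// Tell the browser the bytes are UTF-8; without this it may assume Latin-1.
if (PHP_SAPI !== 'cli') {
    header('Content-Type: text/html; charset=UTF-8');
}

// Constructed sample names, written with escapes so the file encoding is irrelevant.
$url = card_url('https://example.test/card.php', "S\u{00F6}ren", "Mart\u{00ED}n");
$qs  = (string) parse_url($url, PHP_URL_QUERY);

echo $url, "\n";
echo render_card(query_name($qs, 'to') ?? '', query_name($qs, 'from') ?? ''), "\n";
// Markup in a name is shown as text, not interpreted by the browser.
echo render_card('<b>John</b>', 'Paul'), "\n";
```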

copy and paste <wbr> creates annoying minus sign. Looking for PHP filter

I got a strange issue.
We're using transaction IDs for our customers' bank bookings in the following format: U123C123P123B123.
After a test booking, we copied the transaction ID (correctly displayed) text from our online banking output with "Ctrl+C". This text, entered into our system again (by pasting with Ctrl+V), could not be processed, because:
When pasting, "<wbr>" turns into a minus sign. The minus sign is not displayed in the form field. But it will pass. MySQL cannot process the request with that strange minus sign.
The source code of the bank output is as follows: "U123C123P123<wbr>B123".
Most software (Firefox, Thunderbird, ...) shows the correct T-ID after pasting. Some editors, like Notepad++ and Dreamweaver, show the pasted T-ID including the minus sign, like: "U123C123P123-B123"
How can I remove this dimwitted minus sign? I have already tried with str_replace and strip_tags.
Sorry about my English.
My best guess is that somehow the particular character ends up in your output before the B123.
Check the online banking system. Go to the page that shows the transaction id and save it on your hard drive. Open it with an editor that can show non printable characters (vi for instance in Linux) and check the area where the particular string appears. If the string appears with the <wbr> character then you can change the online banking system software so as it doesn't output that character there.
However (as I suspect) if you don't have access to that system in terms of modifying it and you are in need of fixing things in your end, you can attach a filter in the form field or filter the data yourself prior to the database call.
$field = strtoupper($_POST['transaction_id']);
$sanitized = str_replace('<WBR>', '', $field);
$sanitized = str_replace(chr(173), '', $sanitized);
173 is the soft hyphen &shy; so that is most likely what is coming in. You can always do a var_dump on the posted data and check the actual ASCII code of what is coming in.
HTH
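An added example, not from the original posts, that goes one step further than the filter above: it removes the soft hyphen in both its single-byte (0xAD) and UTF-8 (0xC2 0xAD) forms along with other invisible characters, then accepts the value only if it matches the ID format given in the question. The function name and the Latin-1 fallback are assumptions made for this example.

```php
<?php
declare(strict_types=1);

/**
 * Strip invisible characters from a pasted transaction ID, then validate it.
 * Returns the canonical ID, or null if it does not have the expected shape.
 */
function clean_transaction_id(string $raw): ?string
{
    // A lone 0xAD byte is the soft hyphen in ISO-8859-1 (what chr(173) targets).
    // Assumption: input that is not valid UTF-8 was sent as Latin-1.
    if (!mb_check_encoding($raw, 'UTF-8')) {
        $raw = mb_convert_encoding($raw, 'UTF-8', 'ISO-8859-1');
    }
    $s = str_ireplace(['<wbr>', '<wbr/>', '&shy;'], '', $raw);
    // \p{Cf}: format characters (soft hyphen U+00AD, zero-width space U+200B, ...)
    // \p{Cc}: control characters; \s: whitespace picked up while copying
    $s = preg_replace('/[\p{Cf}\p{Cc}\s]+/u', '', $s);
    if ($s === null) {
        return null;
    }
    $s = strtoupper($s);
    // Shape taken from the question: U123C123P123B123. Anything else,
    // including a real ASCII "-", is rejected rather than repaired.
    return preg_match('/\AU\d+C\d+P\d+B\d+\z/', $s) === 1 ? $s : null;
}

// Constructed sample input.
$samples = [
    "U123C123P123\u{00AD}B123", // soft hyphen as UTF-8
    "U123C123P123\xADB123",     // soft hyphen as a single Latin-1 byte
    "u123c123p123<wbr>b123",    // literal tag, lower case
    "U123C123P123-B123",        // visible hyphen-minus
];
foreach ($samples as $raw) {
    // bin2hex() shows exactly which bytes arrived, as var_dump would.
    printf("%s => %s\n", bin2hex($raw), var_export(clean_transaction_id($raw), true));
}
```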

verifying login with norwegian letters

I am having this really annoying problem on a php-site I am programming and hoping to tap into the well of knowledge that is stackoverflow to help overcome it.
The logic of the login verification is like this.
You register and a mail is sent to you. The mail contains a URL with your username and an id that will be matched up to an id stored under your user name in a table. (Via $_GET)
If the function finds 1 row with matching id and user name it will change verified to "yes" for that user.
This all works fine, until you use names with æ ø or å in them. Like Jørgen. The mail verification function was altered to accommodate this, turning the URL into something like
www.myphppage.com/index.php?login=j%F8rgen&id=62185505683314306498
I've made the php-function that checks sql print login and it prints correctly as Jørgen on the html-page. In the program mysql workbench, the name also displays correctly in the table.
If I try to select * from database.user_reg WHERE login='{$login}' however, it doesn't match and mysql_num_rows returns 0. If I try the same with just the id though, it matches and returns 1 like it should. I think the fault must lie in the query somewhere.
My index-page uses charset=iso-8859-1
and my Database uses Latin-1_general ci
Help is appreciated
-Johann
Use base64_encode() function.
$url='www.myphppage.com/index.php?ver='.base64_encode($login.'|'.$id);
and then ...
$data=explode('|',base64_decode($_GET['ver']));
$login=$data[0];
$id=$data[1];
The problem is that those characters are not automatically url-decoded by PHP's Magic Quotes, but other URL encoded parts have been decoded, thus using rawurldecode could potentially corrupt the message. But if you had access to the original name value passed over (fully encoded), you could use rawurlencode() to get your characters.
But magic quotes can only be disabled at the system level, so this is an all or nothing deal (which sucks).
What is the char-set used to talk to your MySQL server?
I had a similar problem, php script in utf-8, generated page in utf-8, database in utf-8, but connexion between script and mysql in latin_1 (iso-8859-1).
I solved it using the SET character_set_connection command after initialising my PDO object. charset-connection
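An added example, not from the original posts, of the lookup with one encoding end to end: the login from the link is brought to UTF-8 whether it arrived as %F8 (ISO-8859-1) or %C3%B8 (UTF-8), and it is bound as a parameter instead of being interpolated into the SQL string. The function names and the in-memory SQLite table are assumptions made so the example runs offline; on MySQL the connection charset is set in the PDO DSN.

```php
<?php
declare(strict_types=1);

/**
 * Bring a decoded $_GET value to UTF-8.
 * Assumption: anything that is not valid UTF-8 was encoded as ISO-8859-1.
 */
function to_utf8(string $value): string
{
    return mb_check_encoding($value, 'UTF-8')
        ? $value
        : mb_convert_encoding($value, 'UTF-8', 'ISO-8859-1');
}

/** True when exactly one row has this login and id. */
function login_matches(PDO $pdo, string $login, string $id): bool
{
    $stmt = $pdo->prepare(
        'SELECT COUNT(*) FROM user_reg WHERE login = :login AND id = :id'
    );
    // SQLite compares case-sensitively, so the demo stores and looks up lower case.
    $stmt->execute([
        ':login' => mb_strtolower(to_utf8($login), 'UTF-8'),
        ':id'    => $id,
    ]);
    return (int) $stmt->fetchColumn() === 1;
}

// In-memory SQLite with a constructed row. For MySQL, fix the connection
// charset in the DSN: "mysql:host=...;dbname=...;charset=utf8mb4".
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE user_reg (login TEXT, id TEXT, verified TEXT)');
$pdo->prepare('INSERT INTO user_reg (login, id, verified) VALUES (?, ?, ?)')
    ->execute(["j\u{00F8}rgen", '62185505683314306498', 'no']);

// The first query string is the one from the question; the second is its UTF-8 form.
parse_str('login=j%F8rgen&id=62185505683314306498', $latin1Link);
parse_str('login=j%C3%B8rgen&id=62185505683314306498', $utf8Link);

var_dump(login_matches($pdo, $latin1Link['login'], $latin1Link['id']));
var_dump(login_matches($pdo, $utf8Link['login'], $utf8Link['id']));
var_dump(login_matches($pdo, $utf8Link['login'], '0')); // wrong id
```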

alphabetical order not working

I have customer details with a lastname column.
Some of the records contain white space at the front and back of the name.
I want to sort them in alphabetical order, but it is not working properly.
Please check this screenshot; I can't guess what the exact reason is.
Space is considered a character, so it will be taken into account when you sort the data.
You might want to trim() data before inserting into the database.
leonardys is right, you should trim all your inputs before they even go into the database. However, this alone will not solve your problems with people putting punctuation characters and the such in front of their name.
Assuming this database reflects user input, you should do a more thorough input validation. Allowing only alphabetical input (with accents as well if needed) is for example a good solution (given that you expect real names only). Instead of trying to eliminate the unwanted characters, restrict the input to only the allowed ones. Space however, should not be restricted as many valid names contain spaces (e.g. Ann Mary), and therefore you should trim your input after it has been entered.
As for updating the database, that would be tricky. Trimming will only solve the spaces problem. If this is user based data, try asking the ones with illegal characters to update their profile and not let them access the site until they do so. You could excuse it as a database upgrade or some other technical issue.
Hope I helped.
