I am sending an HTTP GET request with urlencoded value from a client application and on the server side I am using $_GET["Value"] to grab the value.
this is what the request looks like on the client side https://example.com/validate.php?Value=+MqZjrRvtvFdcC3GCRRnnQ== but on the server side the result of $_GET["Value"] is MqZjrRvtvFdcC3GCRRnnQ== without + in the beginning of MqZjrRvtvFdcC3GCRRnnQ== How can I grab the value as it is including all the special characters(if any)
I tried htmlspecialchars($_GET["Value"]) but this didnt work either.
You can't inject any random character in a URL, you need to use proper escaping functions. In PHP you have rawurlencode():
$encoded = 'https://example.com/validate.php?Value=' . rawurlencode('+MqZjrRvtvFdcC3GCRRnnQ==');
https://example.com/validate.php?Value=%2BMqZjrRvtvFdcC3GCRRnnQ%3D%3D
(Demo)
In particular, + is some old encoding for whitespace character (U+0020) and = is often used to separate argument name from argument value.
The + is a special char which will be escaped by parse_str().
You need to parse the query string by yourself.
Note: If there are multiple values you need to split by & first.
Calling
http://localhost:4000/?Value=+MqZjrRvtvFdcC3GCRRnnQ==
[$key, $value] = explode('=', $_SERVER['QUERY_STRING']);
will give a $value of
+MqZjrRvtvFdcC3GCRRnnQ==
Related
I have a webapp created using C# and asp.net. I placed a parameter value in the querystring with a plus(+) sign. But the plus sign disappear.
How can I include the plus sign(+) in the query string without disappearing?
Please advise.
Thanks.
Edit: added code with UrlEncode
string str = Server.UrlEncode(Requery.QueryString["new"]);
+ sign has a semantic meaning in the query string. It is used to represent a space. Another character that has semantic importance in the query string is & which is used to separate the various var=value pairs in the query string.
Most server side scripts would decode the query parameters before using them, so that a + gets properly converted to a space. Now, if you want a literal + to be present in the query string, you need to specify %2B instead.
+ sign in the query string is URL-decoded to a space. %2B in the query string is URL-decoded to a + sign.
See the difference between
http://www.google.com/search?q=foo+bar
and
http://www.google.com/search?q=foo%2Bbar
In the above examples, Google's server script is URL-decoding the query parameters and then using them to do the search.
URL-encoding is nothing but % sign followed by the hex-code of the special character. For example, we know that the hex code of A is 0x41 (decimal: 65). Try this:
http://www.google.com/search?q=%41
Hope this makes URL-encoding clear.
So, if you want the + sign to be preserved when a JavaScript is fetching a URL with + signs in its query parameters and a server side script would process the query parameters after URL-decoding it, you should URL-encode the query parameters in the URL before using issuing the HTTP get request so that all + signs are converted to %2B's when the request reaches the server side script. Now when the server side script URL-decodes the query string, all %2B's gets converted back to + signs which is what you want.
See Encode URL in JavaScript? to learn how to URL-encode the parameters using JavaScript. Short answer from the discussion there:
var encodedURL = "http://example.com/foo.php?var=" + encodeURIComponent(param);
You should URLEncode your query string values to make sure any special characters are not lost.
Look at HTML URL Encoding Reference
You need to Encode the + sign - It's value should be %2B
I alter my previous statement so no one gets confused!
Create your url using the Server.UrlEncode.
e.g.
string myUrl = "http://myurl?param1=" + Server.UrlEncode("my+param+1");
For the solution, I have applied:
Step 1:Use Server.UrlEncode method for encoding the URL parameter.
Response.Redirect("YourURL?parameter=Server.UrlEncode(parameterValue.ToString().Trim()");
step 2: on another side, you get a string with a plus(+) sign.
var parameter = Request.QueryString["parameterValue"].ToString().Trim();
This is the result: %2beH8 --> +eH8
Other simple way is, Request.Url.ToString().Substring(Request.Url.ToString().IndexOf("=") + 1) assuming that my URL is, http://localhost/MyApp/Activate.aspx?ActivationCode=cHbtqH9P2dDZkx/mYUgFFo7nrNqSFgqdPisAzzu5/nwlEYDOHI+CQw==
before send you parameter, you need check if the parameter contains plus sign, if have you need replace to one flag, for example:
the parameter is: klasjdlkasd+djid3223
can you replace: klasjdlkasdFLAGdjid3223
and when you go convert, you need replace angain
klasjdlkasd+djid3223
Try this, it works for me:
Request.QueryString["new"].Trim();
The solution is to ALWAYS include .Replace(" ", "+") when you request querystring
string s = Request.QueryString["id"].Trim().Replace(" ", "+");
source: http://www.webmasterworld.com/forum47/3238.htm
Add this line in Decrypt Funcation:
strText = strText.Replace(" ", "+");
I am doing a post HTTP request in swift 4.2 and in one of my Strings I put in the parameters contain "&" but apparently the requests gets cut off after this symbol. I thought about replacing every "&" symbol with a unique placeholder and convert it back in PHP.
But is there are more elegant or easy way of doing this?
URL encode your data (and decode it when you need to use it), that will make the ampersand into %26 which will stop it cutting off in your GET request.
You could replace the "&" with "%26" and then it's have to work :)
All Precent-encoding characters:
https://en.wikipedia.org/wiki/Percent-encoding#Percent-encoding_reserved_characters
You should probably minimize how much manual percent escaping you do. You might, for example, use URLComponents to build your URL and percent escape it for you:
guard var components = URLComponents(string: "http://example.com") else { return }
components.queryItems = [URLQueryItem(name: "foo", value: "bar&baz")]
let url = components.url
That will result in:
http://example.com?foo=bar%26baz
The ampersand, as well as a few other characters, need to be encoded if they are within a query parameter otherwise they could be recognized as a delimiter of some sort.
You can encode a string for a query param in Swift like this:
let value = string.addingPercentEncoding(withAllowedCharacters: .urlQueryAllowed)
let urlString = "https://example.com/?query=\(value)"
On the other side, your server will receive the encode param value but will need to decode it.
PHP includes the urlencode() and urldecode() functions, and stift includes the .addingPercentEncoding function.
This means you can replace with the encoded version of the '&' symbol which is '%26', or you can use swift's function
Then when you recieve this value you can use urldecode( $escapedString ), or just replace '%26' with '&', or just pull the values stright from the request with $_GET.
I have the problem, that PHP replaces all spaces with underscores in POST and GET variables.
For example if I have the URL: http://localhost/proxy.php?user name=Max
the browser will convert it to http://localhost/proxy.php?user%20name=Max.
But if I give the $_GET parameters out, the key is not user name but user_name (note the underscore)!
Is there any possibility to change this behaviour?
From the PHP manual:
Dots in incoming variable names
Typically, PHP does not alter the
names of variables when they are
passed into a script. However, it
should be noted that the dot (period,
full stop) is not a valid character in
a PHP variable name. For the reason,
look at it:
<?php $varname.ext; /* invalid variable name */ ?>
Now, what
the parser sees is a variable named
$varname, followed by the string
concatenation operator, followed by
the barestring (i.e. unquoted string
which doesn't match any known key or
reserved words) 'ext'. Obviously, this
doesn't have the intended result.
For this reason, it is important to
note that PHP will automatically
replace any dots in incoming variable
names with underscores.
And a comment on the page:
The full list of field-name characters that PHP converts to _ (underscore) is the following (not just dot):
chr(32) ( ) (space)
chr(46) (.) (dot)
chr(91) ([) (open square bracket)
chr(128) - chr(159) (various)
PHP irreversibly modifies field names containing these characters in an attempt to maintain compatibility with the deprecated register_globals feature.
I think the only possibility to get the wanted parameters, is to parse them on your own using $_SERVER['QUERY_STRING']:
$a_pairs = explode('&', $_SERVER['QUERY_STRING']);
foreach($a_pairs AS $s_pair){
$a_pair = explode('=', $s_pair);
if(count($a_pair) == 1) $a_pair[1] = '';
$a_pair[0] = urldecode($a_pair[0]);
$a_pair[1] = urldecode($a_pair[1]);
$GLOBALS['_GET'][$a_pair[0]] = $a_pair[1];
$_GET[$a_pair[0]] = $a_pair[1];
}
In the old crazy times of register_globals query string was unpacked by PHP into global variables, but the format of variable identifiers is constrained, so obviously spaces couldn't work. This limitation remained, and honestly I believe it's a good idea to keep it this way.
If you really cannot change spaces into underscores in your URLs, just mangle the $_GET array when you process the request and substitute every underscore by a space.
As far as i can remember, i've never seen spaces in URL parameter names...
I think, it would be better to convert all spaces of parameter names into "_".
I am trying to send a GET message that contains strings with ampersands and can't figure how to escape the ampersand in the URL.
Example:
http://www.example.com?candy_name=M&M
result => candy_name = M
I also tried:
http://www.example.com?candy_name=M\&M
result => candy_name = M\\
I am using URLs manually, so I just need the correct characters.
I can't use any libraries. How can it be done?
They need to be percent-encoded:
> encodeURIComponent('&')
"%26"
So in your case, the URL would look like:
http://www.mysite.com?candy_name=M%26M
This does not only apply to the ampersand in URLs, but to all reserved characters. Some of which include:
# $ & + , / : ; = ? # [ ]
The idea is the same as encoding an &in an HTML document, but the context has changed to be within the URI, in addition to being within the HTML document. So, the percent-encoding prevents issues with parsing inside of both contexts.
The place where this comes in handy a lot is when you need to put a URL inside of another URL. For example, if you want to post a status on Twitter:
http://www.twitter.com/intent/tweet?status=What%27s%20up%2C%20StackOverflow%3F(http%3A%2F%2Fwww.stackoverflow.com)
There's lots of reserved characters in my Tweet, namely ?'():/, so I encoded the whole value of the status URL parameter. This also is helpful when using mailto: links that have a message body or subject, because you need to encode the body and subject parameters to keep line breaks, ampersands, etc. intact.
When a character from the reserved set (a "reserved character") has
special meaning (a "reserved purpose") in a certain context, and a URI
scheme says that it is necessary to use that character for some other
purpose, then the character must be percent-encoded. Percent-encoding
a reserved character involves converting the character to its
corresponding byte value in ASCII and then representing that value as
a pair of hexadecimal digits. The digits, preceded by a percent sign
("%") which is used as an escape character, are then used in the URI
in place of the reserved character. (For a non-ASCII character, it is
typically converted to its byte sequence in UTF-8, and then each byte
value is represented as above.) The reserved character "/", for
example, if used in the "path" component of a URI, has the special
meaning of being a delimiter between path segments. If, according to a
given URI scheme, "/" needs to be in a path segment, then the three
characters "%2F" or "%2f" must be used in the segment instead of a raw
"/".
http://en.wikipedia.org/wiki/Percent-encoding#Percent-encoding_reserved_characters
Try using http://www.example.org?candy_name=M%26M.
See also this reference and some more information on Wikipedia.
I would like to add a minor comment to Blender's solution.
You can do the following:
var link = 'http://example.com?candy_name=' + encodeURIComponent('M&M');
That outputs:
http://example.com?candy_name=M%26M
The great thing about this it does not only work for &, but for any especial character.
For instance:
var link = 'http://example.com?candy_name=' + encodeURIComponent('M&M?><')
Outputs:
"http://example.com?candy_name=M%26M%3F%3E%3C"
You can use the % character to 'escape' characters that aren't allowed in URLs. See RFC 1738.
A table of ASCII values is given on the Wikipedia page.
You can see & is 26 in hexadecimal - so you need M%26M.
This may help if someone want it in PHP
$variable ="candy_name=M&M";
$variable = str_replace("&", "%26", $variable);
If you can't use any libraries to encode the value,
http://www.urlencoder.org/ or http://www.urlencode-urldecode.com/ or ...
Just enter your value "M&M", not the full URL ;-)
You can rather pass your arguments using this encodeURIComponent function so you don't have to worry about passing any special characters.
data: "param1=getAccNos¶m2="+encodeURIComponent('Dolce & Gabbana') OR
var someValue = 'Dolce & Gabbana';
data : "param1=getAccNos¶m2="+encodeURIComponent(someValue)
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/encodeURIComponent
I have a variable which consists of
// The First Page (hello.php)
$a = 'goto.php?a_56=63525588000&url=http://www.example.com/site/DISC+cUSTOMc+Studio+24+- +Windows/1142766.p?
id=1218224802931&usi=1142766&cmp=RMX&
ky=2crslw0k9ZOM0ciu2rqi4NsYY7eQnnEyP';
// The Second Page (goto.php)
$r = $_GET['url'];
echo $r;
//http://www.example.com/site/Disc cCustomc Studio 8 - Windows/1142766.p?id=1218224802931
Why is it getting cut off?
This isn't a length issue, it's because you want one of your GET parameters (url in this case) to contain the & character. You need to urlencode this character otherwise it will be interpreted as another GET parameter in the request, rather than as part of the url parameter.
When urlencoding, & will become %26 and your query string will become this,
goto.php?a_56=63525588000&url=http://www.example.com/site/DISC+cUSTOMc+Studio+24+-+Windows/1142766.p?id=1218224802931%26usi=1142766%26cmp=RMX%26ky=2crslw0k9ZOM0ciu2rqi4NsYY7eQnnEyP
It's getting cut off because it's treating the & in your url parameter as an actual GET parameter divider, when it's not.
You need to use urlencode() to encode your URL.
The ampersand is used to separate parameters in the outside query string. You will need to URL-encode it if you want to use it within a GET parameter.
Because & indicates the end of a key/value pair in a query string.
Use urlencode to prepare data for inclusion in a query string.