How to pass form variables to URL - php

I have a php page which is set to update an SQL record. This part works okay. The code has been written to redirect to page
watch_process.php?username='".$_POST['Username']."'
Which works fine and I can see the URL has been amended correctly on the watch_process.php page when it loads. However, when I try to call it and print it on my PHP webpage, I get nothing.
<?php echo $_GET['username'] ?>
The URL looks like this: http://netfox-social.co.uk/watch_process.php?username=%27sysadmin%27&

Have you any special intention in doing this?
watch_process.php?username='". $_POST['Username']."'
Why not just do like so:
// REMEMBER TO urlencode() THE $_POST['username'] VARIABLE
$url = "watch_process.php?username=". urlencode($_POST['Username']);
// AND THEN GET BACK YOUR QUERY STRING NORMALLY WITHOUT ANY TRIMMING LIKE SO:
<?php echo $_GET['username']; ?>
// AND IF YOU NEED SINGLE QUOTES AROUND THE $_GET['username'] VARIABLE
// YOU CAN EASILY ADD IT ONCE YOU'VE RETRIEVED IT LIKE SO:
$username = "'" . $_GET['username'] . "'";
But it is safe to assume that you most likely don't need the single quotes, unless you really do.

You could try $_REQUEST['username']. Request works for both GET and POST. And I think some of the quotes on the row watch_process.php?username='".$_POST['Username']."' are unnecessary.
Answer by AirPett (See comments)

Related

How to remove %0D%0A from end of a parameter in PHP

I am trying to hit a URL after generating the data to be filled for the parameters that are passed in URL using Python in back end. So the flow is:
User lands on a page with a form having some drop downs.
Python code in the backend reads the content from a file and returns single output based on some conditions for each of the dropdown.
User hits the submit button with the data.
The data gets generated correctly but when I hit submit button, I get %0D%0A characters at the end of the parameter values in the URL
E.g., sample.php?param1=20%0D%0A&param2=50%0D%0A
How do I get rid of these values as this is causing trouble with the other code where I am using these values?
I take it you read the data from a file, so probably reading the file causes the line endings to be read as well.
In any case, try using strip() or rstrip() in your Python code to remove all/trailing whitespace before you assemble the target URL.
I understand that it's actually a PHP script that assembles the URL. In that case, use PHP's trim() function on the variables you use to assemble the URL.
For example: Assume that $val1 and $val2 are read from a file or some other place. Then the following line assembles above URL stripping whitespace from $val1 and $val2.
$url = "sample.php?param1=" . trim($val1) . "&param2=" . trim($val2);
Some browsers do that automatically, you can try decoding it back using urldecode()
http://php.net/manual/en/function.urldecode.php
Try this :
<?php
// Replace every space in the input string with a hyphen
$str = "Your Inputed Value or string";
$url = str_replace(" ","-", $str);
?>

Redirecting by Header in php

I am using wampserver for php and mysql database.
In my PHP file, after executing some code to insert into the MySQL database, I want to redirect the browser to another HTML page that has PHP code in it. This page needs the value of the variable id to fetch data from my SQL database. So I send the value of id with the code below at the end of the PHP code.
header('Location: lostItem.php?id=$id');
The receiving file has the code below to get the value of id.
$id= $_GET['id'];
But, it turns out that there is no value of id passed i.e. the receiving file shows url :
http://localhost/Lost%20and%20Found/lostItem.php?id=$id
instead of showing
http://localhost/Lost%20and%20Found/lostItem.php?id=11
I already have another page that sends same data (value of id) to receiving file. It has below code in it for that.
echo "<a class='listOfItems' href='lostItem.php?id=$id'>";
echo $item;
echo "</a>";
And that works fine. But when I try to do same thing by using header, it doesn't work. Before using header, I have made sure that variable $id has right integer value. But it doesn't send that value by using header.
Is it that data can't be sent by this method using header? If so, please suggest an alternative method.
basic php notation, in single quotes variables are not interpreted
header("Location: lostItem.php?id=$id");
to be strict, location should use a full URI not a relative one
header("Location: http://www.example.com/lostItem.php?id=$id");
Use curly brackets around the variable when you use a variable's value in a string. Please try this:
header("Location: lostItem.php?id={$id}");
Single quotes do not process variables. PHP ignores all your variables, so you need to concatenate the variable using the concatenation operator (.)
header('Location: lostItem.php?id='.$id); // faster than double quotes
or
header("Location: lostItem.php?id=$id");

htmlspecialchars and ampersand in forms?

I have a little static function so that I can easily build html valid urls on my local website, it is below;
public static function url($path = false) {
// Build return url with special html characters escaped
return 'http://127.0.0.1/' . htmlspecialchars($path);
}
I have two urls one inside an anchor and another is inside a form action, they are below;
Root::url('test?category=' . $category . '&index=' . $index) // Href
Root::url('test?category=' . $_GET['category'] . '&index=' . $_GET['index']) // Form
GET === $, you can see inside my static function that I use htmlspecialchars to escape special html characters from my url.
The anchor one returns a valid link and works as expected. The form one however returns the following, as in when I click on the form submit, my url in my browser is as follows.
http://127.0.0.1/test?category=innate&amp;index=0
Why is this? My website breaks because it is dependent on the GET parameters being valid.
Thanks for your time, hope this made sense.
EDIT
I insert the return value of the function call straight into my form action,
<form
action="<?= Root::url('test?category=' . $_GET['category'] . '&index=' . $_GET['index']); ?>"
method="post">
EDIT
The form html is as follows;
<form action="http://example.com/test?category=innate&index=0" method="post">
The anchor html is as follows
<a href="http://example.com/test?category=innate&index=0">
Could it be something to do with the server sending a POST request even though I have GET parameters?
EDIT #3
Ok so it has something to do with my function or what I am passing in, I hard typed in the url in the form submit and it worked, no problems, which means it can only be what my function is returning.
I myself cannot see what it may be!
ANSWER
After the form was being submitted, I was redirecting to the same page using header to counter form resubmission. The string for the header was being generated by Root::url().
Two hours this took me to figure out, but boy does it feel good!
Normally you wouldn't add a query string to a POST URL. It's not forbidden, though, it may only be somewhat confusing, especially if you use $_REQUEST (which you don't, it seems).
I don't know why your browser shows an uninterpreted &amp;, it should interpret it.
Your problems are likely due to one of these:
a bad browser - try another one
bad content of the form input fields
other
This is quite logical.
I assume your url() method looks like this:
function url($string){
echo htmlspecialchars($string);
}
Let's have a look at the $string you are passing:
'test?category=' . $_GET['category'] . '&index=' . $_GET['index'];
As I see in your output, replacing the values, the final string before htmlspecialchars() occur would be:
'test?category=innate&index=0' and after it: test?category=innate&amp;index=0
What happened here? You first concatenated the string, and then htmlspecialchars()'ed the & used to separate the parameters. And to not break the url, you don't want to convert THAT '&'.
Also to sanitize the url you shouldn't use htmlspecialchars() because most html entities would convert to something like & + somename + ; for example the Euro symbol would convert to &euro; and you don't want the actual & symbol in your url, the browsers will interpret it as you have another new parameter awaiting.
You should use urlencode(), which will convert your & into: %26 , also, the function's name is self-explanatory, it's encoding a string to use on a URL.
Still, you want the & to separate the parameters, but not in the $_GET values. What should we do? Urlencode the values before concatenating the string. I would suggest a method like this one:
function url($page, $get){
$parameters = array();
foreach($get as $k => $v) $parameters[] = urlencode($k)."=".urlencode($v);
//We are concatenating with ? and & the urlencoded() values in the next line:
echo urlencode($page).'?'.implode('&', $parameters);
}
url('test', $_GET); // outputs: test?category=innate&index=0
This would get rid of the special chars from a form's field names and values.
I noticed you will use 2 fixed parameters, category and index, so the method could be like this:
function url($page, $get){
$page = urlencode($page);
$category = urlencode($get['category']);
$index = urlencode($get['index']);
echo "$page?category=$category&index=$index";
}
Hope this is what you needed
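The bug this thread ends on, an htmlspecialchars()-escaped URL reused in a Location header, comes from escaping for the wrong output context. The following is an added example, not code from any of the posts: it percent-encodes values once, validates the integer parameter, and applies HTML escaping only where the URL or request data is written into HTML. build_url(), the base URL and the sample input are assumptions for illustration.

```php
<?php
// Added example, not from the original posts. build_url() and the sample
// values are illustrative assumptions.

/** Build a URL whose keys and values are percent-encoded exactly once. */
function build_url(string $base, string $page, array $params): string
{
    // http_build_query() encodes every key and value and joins pairs with "&".
    $query = http_build_query($params, '', '&', PHP_QUERY_RFC3986);
    // $page is treated as a single path segment.
    return $base . rawurlencode($page) . ($query === '' ? '' : '?' . $query);
}

// Constructed input standing in for $_GET: markup characters and a stray CRLF.
$input = ['category' => 'innate & "rare"', 'index' => "0\r\n"];

// Validate before use: index must be an integer once the line ending is trimmed.
$index = filter_var(trim($input['index']), FILTER_VALIDATE_INT);
if ($index === false) {
    http_response_code(400);
    exit("index must be an integer\n");
}

$url = build_url('http://127.0.0.1/', 'test', [
    'category' => $input['category'],
    'index'    => $index,
]);

// Context 1, HTTP header: the URL goes in unchanged. Entities such as &amp;
// are not decoded in a header, so HTML escaping here corrupts the redirect.
$locationHeader = 'Location: ' . $url;

// Context 2, HTML attribute: escape for HTML at the moment of output.
$formTag = '<form action="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8')
         . '" method="post">';

// Context 3, HTML text: request data echoed into the page is escaped the same way.
$echoed = htmlspecialchars($input['category'], ENT_QUOTES, 'UTF-8');

echo $locationHeader, "\n", $formTag, "\n", $echoed, "\n";
```

Run from the command line, the script prints the three strings so the difference between the header form (plain &) and the HTML form (&amp;) is visible side by side.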

How do I INSERT the character "&" into a MySQL database?

I think I have seen this question before but I don't think it's answered good enough yet because I can't get it to work.
The case:
I want to insert an URL into my MySQL database like so:
$url = $_POST["url"]; //$_POST["url"] = "http://example.com/?foo=1&bar=2& ...";
$sql = mysql_query("INSERT INTO table(url) values('$url')") or die ("Error: " . mysql_error());
Now, the URL is inserted into the database properly but when I look at it, it looks like this:
http://example.com/?foo=1
It's like the URL is cut right at the "&" character. I have tried: mysql_real_escape_string, htmlspecialchars, escaping by doing "\" etc. Nothing seems to work.
I have read that you might be able to do it with "SQL Plus" or something like that.
Thanks in advance.
Regards, VG
Chances are the problem here is nothing to do with the database query, and more to do with how the url is passed to the page. I suspect you'll find that the URL used to load the page is something like:
http://mydomain.com/?url=http://example.com/?foo=1&bar=2
This will result in a $_GET that looks like this:
array (
'url' => 'http://example.com/?foo=1',
'bar' => '2'
)
What you need is to call page with a URL that looks more like this:
http://mydomain.com/?url=http://example.com/?foo=1%26bar=2
Note that the & has been encoded to %26. Now $_GET will look like this:
array (
'url' => 'http://example.com/?foo=1&bar=2'
)
...and the query will work as expected.
EDIT I've just noticed you're using $_POST, but the same rules apply to the body of the request and I still think this is your problem. If you are, as I suspect, using Javascript/AJAX to call the page, you need to pass the URL string through encodeURIComponent().
It is likely the querystring is not being passed. It looks like you are receiving it from a FORM post. Remember that form posts that use a method of GET append a querystring to pass all of the form variables, so any querystring in the action is typically ignored.
So, the first thing to do is echo the URL before you try to INSERT it to make sure you are getting the data you think you are.
If there are variables you need to pass with the URL, use hidden inputs for that, and a method of GET on the form tag, and they will get magically appended as querystring parameters.
Right!! The problem here is nothing to do with the database query, as DaveRandom said.
Just use the javascript function "encodeURIComponent()".
Depending on what you want to do with the stored value, you also urlencode() the string: http://php.net/manual/de/function.urlencode.php
Cheers,
Max
P.S.: SQL*Plus is for Oracle Databases.
maybe escape the url with urlencode then you can decode it if you want to pull it out of the db

rawurl encode problem

I am using rawurlencode($url_variable) while passing to a script.
When I receive the variable in the script, before passing this variable to mysql, I was doing mysql_real_escape_string. Now the problem is that when there is a variable like
$url_variable = "Off-St.Mark's-Road" ... after I do mysql_real_escape_string it becomes like
Off-St.Mark\\'s-Road .
which is creating a problem in the mysql query...
How do I get over this? rawurlencode is necessary to pass variables to the script and I want to do mysql_real_escape_string to make the data safe...
Looks like magic_quotes_gpc is turned on on your server, try this:
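// Start from the raw value so $text is defined whether or not magic quotes are on.
// get_magic_quotes_gpc() is deprecated since PHP 7.4 and removed in PHP 8.0.
$text = $your_var;
if (get_magic_quotes_gpc())
{
// magic_quotes_gpc already added slashes; strip them before escaping once.
$text = stripslashes($text);
}
$text = mysql_real_escape_string($text);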
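Both the "&" question and this one build SQL by pasting request data into the query string, which is why escaping order and double slashes matter at all. The following is an added example, not code from any of the posts: it stores the same values through a prepared statement, and shows that an unencoded "&" is lost at request parsing, before the database is involved. It assumes the pdo_sqlite extension and uses an in-memory SQLite table in place of MySQL; the table, columns and sample request are constructed.

```php
<?php
// Added example, not from the original posts. Assumptions: pdo_sqlite is
// available; the links table and the sample request are constructed.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE links (id INTEGER PRIMARY KEY, url TEXT, place TEXT)');

// Constructed request body: the client percent-encoded each value, so the "&"
// inside the url value travels as %26 and the apostrophe as %27.
$rawQuery = 'url=' . rawurlencode('http://example.com/?foo=1&bar=2')
          . '&place=' . rawurlencode("Off-St.Mark's-Road");

// PHP performs this decoding itself when it fills $_GET and $_POST.
parse_str($rawQuery, $request);

// Placeholders keep the data out of the SQL text, so no escaping function and
// no stripslashes() is needed, and a quote in the value cannot end the literal.
$insert = $pdo->prepare('INSERT INTO links (url, place) VALUES (:url, :place)');
$insert->execute([':url' => $request['url'], ':place' => $request['place']]);

// Read the row back and confirm both values were stored unchanged.
$row = $pdo->query('SELECT url, place FROM links')->fetch(PDO::FETCH_ASSOC);
var_dump($row['url'] === 'http://example.com/?foo=1&bar=2');
var_dump($row['place'] === "Off-St.Mark's-Road");

// The same URL sent without encoding is split at "&" while the request is
// parsed: "bar" becomes its own parameter and never reaches the INSERT.
parse_str('url=http://example.com/?foo=1&bar=2', $broken);
var_dump($broken);
```

Against MySQL only the PDO connection line changes (a `mysql:` DSN with credentials); the prepare() and execute() calls stay the same.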
