I have this kind fo redirects now
Redirect::to(htmlspecialchars('home.php'));
but when I type this on my home.php: /%22%3E%3Cscript%3Ealert('hacked')%3C/script%3E
it results like this:
but why ? they said that it will converted so the exploit attempt will be a failure, but why in mine it is not ?
htmlspecialchars encodes special characters to their HTML equivalent in a string which is passed by argument.
Your Code
Redirect::to(htmlspecialchars('home.php'));
only encodes the string home.phpand pass it to the Redirect::To-Function and does not use htmlspecialchars on the output of the whole page.
To solve this, you have to use it on every output in home.php like this:
<?php
$new = htmlspecialchars("<a href='test'>Test</a>", ENT_QUOTES);
echo $new; // <a href='test'>Test</a>
?>
(Example from: http://php.net/htmlspecialchars)
Related
I get a string in PHP from an external database which looks like this:
$myStr = '&amp;amp;amp;amp;amp;lt;br&amp;amp;amp;amp;amp;gt;To send a note'
As you can see this string is encoded too many times, is there is a way to decode it all the way back using PHP?
What happened that your str passed lots of times through htmlentities().
The original string probably was <br>To send a note, then, the 1st time it become <br>To send a note, the secong it replace all & with & and so on.
In order to put it inside text area you should to decode it using:
<textarea><?php echo html_entity_decode($myStr); ?></textarea>
The code bellow will pass as many times it's necessary to solve your issue:
$modStr = $myStr = '&amp;amp;amp;amp;amp;lt;br&amp;amp;amp;amp;amp;gt;To send a note';
do {
$myStr = $modStr;
$modStr = html_entity_decode($myStr);
} while( $modStr != $myStr );
[]s Andrei
I have the function:
function after_char($char, $var) {
$get = explode($char, $var);
$text= $get[1];
echo $text;
}
I have the html link:
Potwierdź aktywację konta w <?php after_char('#', htmlspecialchars($post_email, ENT_QUOTES)); ?>.
How should be variables in both started functions encoded?
Do I really need to write second the same function? First for urlencode, second for htmlspecialchars and encode it inside the function build and not within started function?
You have reversed the order of operations. It is better to first prepare your data in your function, return it, then encode it for a particular context and echo out.
Use rawurlencode() to encode the URL which will go into href=.
Use htmlspecialchars to encode any other text displayed in HTML context.
Example:
<?php
function after_char($char, $var): string {
$get = explode($char, $var, 2);
return $get[1]; // returns the part after the $char
}
$result_of_after_char = after_char('#', $post_email);
?>
<a href="http://<?= urlencode($result_of_after_char); ?>" target="_blank"
>Potwierdź aktywację konta w <?= htmlspecialchars($result_of_after_char , ENT_QUOTES); ?>.</a>
On a side note the function after_char does not do anything more than the explode() does anyway. You could get rid of that function altogether:
$result_of_after_char = explode('#', $post_email, 2)[1];
I want to encode like what browser did,
For example. https://www.google.com.hk/search?q=%2520你好
Should be encoded as https://www.google.com.hk/search?q=%2520%E4%BD%A0%E5%A5%BD
I am using the following regex to encode URI without like rawurlencode encode ~!##$&*()=:/,;?+'
$url = 'https://www.google.com.hk/search?q=%2520你好';
echo preg_replace_callback("{[^0-9a-z_.!~*'();,/?:#&=+$#]}i", function ($m) {
return sprintf('%%%02X', ord($m[0]));
}, $url);
But this will return https://www.google.com.hk/search?q=%252520%E4%BD%A0%E5%A5%BD which has an extra 25.
How can I correctly encode the URL that user inputed without modifying original address?
You can simply use urlencode for this purpose. It will encode %2520你好 into %252520%E4%BD%A0%E5%A5%BD . Use the code below.
<?php
$url = 'https://www.google.com.hk/search?q=%2520'.urlencode("你好").'';
echo $url;
?>
I think this will give you your desired url
I tried to display the output returned from htmlentities() function. But, it display nothing in browser. Here is my code..
$advertisement = "Coffee at 'Cafè Française' costs $2.25.";
echo htmlentities($advertisement);
The result should like this:
Coffee at 'Cafè Française' costs $2.25.
But, there is nothing displaying in browser.
When I assign the output in a variable, it's value is not NULL. The testing code is:
$temp = htmlentities($advertisement);
if($temp === NULL)
echo "Null";
else
echo "Not null";
Then, the result is "Not null";
I also try this code as testing:
$str = "A 'quote' is `<b>`bold`</b>`";
//Outputs: A 'quote' is <b>bold</b>
echo htmlentities($str);
But, the output in browser is not I expected. I mean in browser it's not replaced <b> with <b>
What am I missing? Do I need to change any setting in php.ini file?
That is what htmlentities is supposed to do. Just echo the string out and it should implement the HTML automatically.
$str = "A quote is <b>bold</b>";
echo $str;
It's to do with the default UTF-8 encoding and the French language. You'll have to change the encoding to ISO-8859-15 for the code, avec Française, to work:
$advertisement = "Coffee at 'Cafè Française' costs $2.25.";
echo htmlentities($advertisement, ENT_QUOTES, "ISO-8859-15");
When you view it in a browser, it will remain unchanged. This is what htmlentities is meant to do. If you right click the browser and look at the source, you will see the expected conversion:
Coffee at 'Cafè Française' costs $2.25.
I would like to know if it's possible to execute the php code in a string. I mean if I have:
$string = If i say <?php echo 'lala';?> I wanna get "<?php echo 'dada'; ?>";
Does anybody knows how?
[EDIT] It looks like nobody understood. I wanna save a string like
$string = If i say <?php count(array('lala'));?>
in a database and then render it. I can do it using
function render_php($string){
ob_start();
eval('?>' . $string);
$string = ob_get_contents();
ob_end_clean();
return $string;
}
The problem is that I does not reconize php code into "" (quotes) like
I say "<?php echo 'dada'; ?>"
$string = ($test === TRUE) ? 'lala' : 'falala';
There are lots of ways to do what it looks like you're trying to do (if I'm reading what you wrote correctly). The above is a ternary. If the condition evaluates to true then $string will be set to 'lala' else set to 'falala'.
If you're literally asking what you wrote, then use the eval() function. It takes a passed string and executes it as if it were php code. Don't include the <?php ?> tags.
function dropAllTables() {
// drop all tables in db
}
$string = 'dropAllTables();';
eval($string); // will execute the dropAllTables() function
[edit]
You can use the following regular expression to find all the php code:
preg_match_all('/(<\?php )(.+?)( \?>)/', $string, $php_code, PREG_OFFSET_CAPTURE);
$php_code will be an array where $php_code[0] will return an array of all the matches with the code + <?php ?> tags. $php_code[2] will be an array with just the code to execute.
So,
$string = "array has <?php count(array('lala')); ?> 1 member <?php count(array('falala')); ?>";
preg_match_all('/(<\?php )(.+?)( \?>)/', $string, $php_code, PREG_OFFSET_CAPTURE);
echo $php_code[0][0][0]; // <?php count(array('lala')); ?>
echo $php_code[2][0][0]; // count(array('lala'));
This should be helpful for what you want to do.
Looks like you are trying to concatenate. Use the concatenation operator "."
$string = "if i say " . $lala . " I wanna get " . $dada;
or
$string = "if i say {$lala} I wanna get {$dada}.";
That is what I get since your string looks to be a php variable.
EDIT:
<?php ?> is used when you want to tell the PHP interpreter that the code in those brackets should be interpreted as PHP. When working within those PHP brackets you do not need to include them again. So as you would just do this:
// You create a string:
$myString = "This is my string.";
// You decide you want to add something to it.
$myString .= getMyNameFunction(); // not $myString .= <?php getMyNameFunction() ?>;
The string is created, then the results of getMyNameFunction() are appended to it. Now if you declared the $myString variable at the top of your page, and wanted to use it later you would do this:
<span id="myString"><?php echo $myString; ?></span>
This would tell the interpreter to add the contents of the $myString variable between the tags.
Use token_get_all() on the string, then look for a T_OPEN_TAG token, start copying from there, look for a T_CLOSE_TAG token and stop there. The string between the token next to T_OPEN_TAG and until the token right before T_CLOSE_TAG is your PHP code.
This is fast and cannot fail, since it uses PHP's tokenizer to parse the string. You will always find the bits of PHP code inside the string, even if the string contains comments or other strings which might contain ?> or any other related substrings that will confuse regular expressions or a hand-written, slow, pure PHP parser.
I would consider not storing your PHP code blocks in a database and evaluating them using eval. There is usually a better solution. Read about Design Pattern, OOP, Polymorphism.
You could use the eval() function.