My question is related to this one. except that my question is more sepcific as it is about whether a hyphen can be used in a query string parameter value.
I am parsing $_SERVER['QUERY_STRING'] with PHP. I would like to know whether it is syntactically correct to use hyphens in query string values such as in the following case, or whether hyphens must be escaped in the browser URL. What about underscores?
http://example.com/?q1=query-string-value-one&q2=query-string-value-two
According to this document hyphens should be OK in all standards-compliant browsers, but I wanted to double check.
Thanks.
You are talking about query string parameters which must be encoded using urlencode function:
This function is convenient when encoding a string to be used in a
query part of a URL, as a convenient way to pass variables to the next
page.
According to the documentation - does not require encoding.
Yes
Hyphens can be used for query string parameter names
Related
I've made some regex to test for a YouTube embedded video:
/^(http:\/\/www\.youtube\.com\/embed\/)[^\/\s\\]+$/
It works for what I expect when I test it, but the problem though is that I need to pass that regex as a string to some function. Particularly I'm using htmlawed, where I pass a following string to a function:
func('iframe=-*,src(match="/^(http:\/\/www\.youtube\.com\/embed\/)[^\/\s\\]+$/")');
The problem is that the above regex sort of works, but it just ignores the slashes, and accepts anything in place of them.
That is why I suspect that there is a problem with escaping.
I would appreciate if you could advice some alternative ways of escaping these slashes and backslashes... there must be some way?
If you have a string, you will need to escape the backslashes (and quotes) for the string literal. Or, depending on how the function builds the regex from the string, you might not need to escape slashes at all (I don't think so here).
"iframe=-*,src(match=\"/^(http:\\/\\/www\\.youtube\\.com\\/embed\\/)[^\\/\\s\\\\]+$/\")"
In PHP, you can also use a different regex delimiter:
~^(http://www\.youtube\.com/embed/)[^/\s\\\\]+$~
I have the problem, that PHP replaces all spaces with underscores in POST and GET variables.
For example if I have the URL: http://localhost/proxy.php?user name=Max
the browser will convert it to http://localhost/proxy.php?user%20name=Max.
But if I give the $_GET parameters out, the key is not user name but user_name (note the underscore)!
Is there any possibility to change this behaviour?
From the PHP manual:
Dots in incoming variable names
Typically, PHP does not alter the
names of variables when they are
passed into a script. However, it
should be noted that the dot (period,
full stop) is not a valid character in
a PHP variable name. For the reason,
look at it:
<?php $varname.ext; /* invalid variable name */ ?>
Now, what
the parser sees is a variable named
$varname, followed by the string
concatenation operator, followed by
the barestring (i.e. unquoted string
which doesn't match any known key or
reserved words) 'ext'. Obviously, this
doesn't have the intended result.
For this reason, it is important to
note that PHP will automatically
replace any dots in incoming variable
names with underscores.
And a comment on the page:
The full list of field-name characters that PHP converts to _ (underscore) is the following (not just dot):
chr(32) ( ) (space)
chr(46) (.) (dot)
chr(91) ([) (open square bracket)
chr(128) - chr(159) (various)
PHP irreversibly modifies field names containing these characters in an attempt to maintain compatibility with the deprecated register_globals feature.
I think the only possibility to get the wanted parameters, is to parse them on your own using $_SERVER['QUERY_STRING']:
$a_pairs = explode('&', $_SERVER['QUERY_STRING']);
foreach($a_pairs AS $s_pair){
$a_pair = explode('=', $s_pair);
if(count($a_pair) == 1) $a_pair[1] = '';
$a_pair[0] = urldecode($a_pair[0]);
$a_pair[1] = urldecode($a_pair[1]);
$GLOBALS['_GET'][$a_pair[0]] = $a_pair[1];
$_GET[$a_pair[0]] = $a_pair[1];
}
In the old crazy times of register_globals query string was unpacked by PHP into global variables, but the format of variable identifiers is constrained, so obviously spaces couldn't work. This limitation remained, and honestly I believe it's a good idea to keep it this way.
If you really cannot change spaces into underscores in your URLs, just mangle the $_GET array when you process the request and substitute every underscore by a space.
As far as i can remember, i've never seen spaces in URL parameter names...
I think, it would be better to convert all spaces of parameter names into "_".
I am trying to send a GET message that contains strings with ampersands and can't figure how to escape the ampersand in the URL.
Example:
http://www.example.com?candy_name=M&M
result => candy_name = M
I also tried:
http://www.example.com?candy_name=M\&M
result => candy_name = M\\
I am using URLs manually, so I just need the correct characters.
I can't use any libraries. How can it be done?
They need to be percent-encoded:
> encodeURIComponent('&')
"%26"
So in your case, the URL would look like:
http://www.mysite.com?candy_name=M%26M
This does not only apply to the ampersand in URLs, but to all reserved characters. Some of which include:
# $ & + , / : ; = ? # [ ]
The idea is the same as encoding an &in an HTML document, but the context has changed to be within the URI, in addition to being within the HTML document. So, the percent-encoding prevents issues with parsing inside of both contexts.
The place where this comes in handy a lot is when you need to put a URL inside of another URL. For example, if you want to post a status on Twitter:
http://www.twitter.com/intent/tweet?status=What%27s%20up%2C%20StackOverflow%3F(http%3A%2F%2Fwww.stackoverflow.com)
There's lots of reserved characters in my Tweet, namely ?'():/, so I encoded the whole value of the status URL parameter. This also is helpful when using mailto: links that have a message body or subject, because you need to encode the body and subject parameters to keep line breaks, ampersands, etc. intact.
When a character from the reserved set (a "reserved character") has
special meaning (a "reserved purpose") in a certain context, and a URI
scheme says that it is necessary to use that character for some other
purpose, then the character must be percent-encoded. Percent-encoding
a reserved character involves converting the character to its
corresponding byte value in ASCII and then representing that value as
a pair of hexadecimal digits. The digits, preceded by a percent sign
("%") which is used as an escape character, are then used in the URI
in place of the reserved character. (For a non-ASCII character, it is
typically converted to its byte sequence in UTF-8, and then each byte
value is represented as above.) The reserved character "/", for
example, if used in the "path" component of a URI, has the special
meaning of being a delimiter between path segments. If, according to a
given URI scheme, "/" needs to be in a path segment, then the three
characters "%2F" or "%2f" must be used in the segment instead of a raw
"/".
http://en.wikipedia.org/wiki/Percent-encoding#Percent-encoding_reserved_characters
Try using http://www.example.org?candy_name=M%26M.
See also this reference and some more information on Wikipedia.
I would like to add a minor comment to Blender's solution.
You can do the following:
var link = 'http://example.com?candy_name=' + encodeURIComponent('M&M');
That outputs:
http://example.com?candy_name=M%26M
The great thing about this it does not only work for &, but for any especial character.
For instance:
var link = 'http://example.com?candy_name=' + encodeURIComponent('M&M?><')
Outputs:
"http://example.com?candy_name=M%26M%3F%3E%3C"
You can use the % character to 'escape' characters that aren't allowed in URLs. See RFC 1738.
A table of ASCII values is given on the Wikipedia page.
You can see & is 26 in hexadecimal - so you need M%26M.
This may help if someone want it in PHP
$variable ="candy_name=M&M";
$variable = str_replace("&", "%26", $variable);
If you can't use any libraries to encode the value,
http://www.urlencoder.org/ or http://www.urlencode-urldecode.com/ or ...
Just enter your value "M&M", not the full URL ;-)
You can rather pass your arguments using this encodeURIComponent function so you don't have to worry about passing any special characters.
data: "param1=getAccNos¶m2="+encodeURIComponent('Dolce & Gabbana') OR
var someValue = 'Dolce & Gabbana';
data : "param1=getAccNos¶m2="+encodeURIComponent(someValue)
https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/encodeURIComponent
I'm wondering if it's possible to parse a string containing an URL as GET parameter using Mod-Rewrite through CakePHP. Do I have to pass this via $this->request->data (POST)?
Is it common to set Routes for such cases or would you either recommend splitting the URL into separate parameters?
A slash in $_GET? Woudn't that just be a query string containing such a slash?
See http://book.cakephp.org/2.0/en/controllers/request-response.html#accessing-querystring-parameters
By default those query strings are properly escaped, so all is well without any hacks on your end.
You can use rawurlencode() to esacpe special characters.
I am trying to do a query string in html.
String that I want to pass is "Book Cover".
But I only managed to get Book.
How should I go about doing it?
Below is my code:
<a href=book.php?category=Book Cover>Book Cover</a>
You need to encode all your query string vars, For example with rawurlencode / rawurldecode
Book Cover
And in PHP:
$category = rawurldecode($_POST['category']);
In HTML the value stops at the space:
<a href=book.php?category=Book Cover>Book Cover</a>
^
If you want to include a space inside a value in HTML you need to add quotes:
Book Cover
^ ^
In HTML both single and double quotes are allowed.
Now the value itself has a problem, too:
book.php?category=Book Cover
`- URL stops here.
This is a relative HTTP URL and as for any HTTP URL the space character is a special value. It can normally not be part of the URL, therefore you need to encode it. This can be done as with any other special character in a HTTP URL with triplet encoding / percentage-encoding replacing the binary value of the character(s) with their hexadecimal number:
book.php?category=Book%20Cover
For the space you have, historically it is even a special-case, you can also encode it with the plus sign.
The later problem is often dealt with by the user agents, but the quotes in HTML are needed otherwise the value gets cut.
And it is generally good practice to place attribute values in HTML inside (double) quotes. So I suggest you to do that.
Why not convert to UTF-8 before encoding?
urlencode(utf8_encode($string));
Looks like you are missing double quotes
Book Cover