I have already checked quite a few other answers but to no avail.
I have been hired to fix bugs for a job that some other developer ran away from.
The application has add comment and delete comment functionality.
The problem comes in the delete comment part. He designed the database such that all comments are simply entered into a single cell separated by pipe characters. So while deleting a comment, the entire comment needs to be placed in the url as a parameter which is then passed to the model and removed from the database.
I do know this is bad, but I cannot recode the entire functionality.
Now, when a user enters a comment such as "What's Up?", the delete comment url throws the "Codeigniter: The URI you submitted has disallowed characters." error.
I tried converting the quotes to HTML character entities but they again contain disallowed characters.
Can anybody please suggest a possible workaround for this problem?
Redesigning the database is not a viable option as I'll then have to change the extensive php code used for handling the different delimiters.
Messing with the disallowed characters list also seems to be a bad idea.
Thank you.
Open your config file and find this parameter:
$config['permitted_uri_chars'] = 'a-z 0-9~%.:_()#&-!=?';
You can change it according to your requirement or you can leave it blank.
Read the comment section in config file.
It says that: Leave blank to allow all characters -- but only if you are insane.
I am not sure if htmlentities will help.
Did you first call urlencode on just the parameters?
<?php
$query_string = 'foo=' . urlencode("What's Up?");
echo '<a href="mycgi?' . htmlentities($query_string) . '">';
?>
<a href="mycgi?foo=What%27s+Up%3F">
Also check if you need to add escape characters to any of these if they are treated as special characters by the database.
e.g. If % is treated as special character, then you may need to add a \ before it.
Related
My MySQL database has some fields that sometimes include an apostrophe, so I take care to encode html entities. For example "Cote d'Or" is stored in the database as "Cote d&039;Or".
When a MySQL query populates an href I get something like this in my source code.
Text link
However when I click on the link I get a 403 "Forbidden" error. On checking, hovering on the link says it is reading &039; as an apostrophe. That seems to be the cause of the page error as putting an apostrophe in the database produces the same error and having nothing in there works correctly.
My question now is, how can I have the html entity in the database and still get the link to work correctly?
For URLs, you don't want to use htmlentities() as that's for displaying HTML.
Instead, you'll want to use urlencode():
$link = '/page.php?location=' . urlencode($location);
If your data is already HTML encoded, you'll need to decode it before passing it through urlencode(). A good function for this is html_entity_decode():
$location = html_entity_decode($row['location']);
$link = '/page.php?location=' . urlencode($location);
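The layering in this answer (decode stored entities, then urlencode, then HTML-escape the attribute) is the same one the urlencode answer to the first question relies on. The block below is an added example, not code from either post: it assumes a hypothetical /page.php endpoint with a location parameter, uses constructed sample values, and the function names are mine. It also shows what the receiving script gets back, which is the part both answers leave implicit.

```php
<?php
// Added example, not code from either answer above: build a link whose query
// parameter is user data (a comment body, a location name) in the right
// layering order, and show what the receiving script gets back. The function
// names, the /page.php path and the sample values are constructed.
declare(strict_types=1);

/**
 * Build /page.php?location=<value> from a value as read from the database.
 *
 * Order matters:
 *  1. undo any HTML encoding the storage layer added (entities do not belong
 *     in the database, but this copes with rows that already carry them);
 *  2. percent-encode the raw value for the query string;
 *  3. the caller escapes the finished URL for the HTML attribute it lands in.
 */
function location_url(string $stored): string
{
    // ENT_QUOTES is needed, or "&#039;" stays encoded.
    $raw = html_entity_decode($stored, ENT_QUOTES, 'UTF-8');
    // rawurlencode: RFC 3986 encoding, "#" -> %23, "&" -> %26, "'" -> %27.
    // urlencode differs only in turning spaces into "+", also fine in a query.
    return '/page.php?location=' . rawurlencode($raw);
}

/** Wrap the URL in an anchor: htmlspecialchars is for this HTML context only. */
function location_link(string $stored): string
{
    $url  = location_url($stored);
    $text = html_entity_decode($stored, ENT_QUOTES, 'UTF-8');
    return sprintf('<a href="%s">%s</a>',
        htmlspecialchars($url, ENT_QUOTES, 'UTF-8'),
        htmlspecialchars($text, ENT_QUOTES, 'UTF-8'));
}

/**
 * What page.php sees: the browser sends the URL and PHP percent-decodes the
 * query into $_GET. parse_url + parse_str reproduce that without a server.
 */
function received_location(string $url): ?string
{
    parse_str((string) parse_url($url, PHP_URL_QUERY), $get);
    return $get['location'] ?? null;
}

// Constructed rows: one with the entity from the question, one with every
// character that is special in URLs, HTML or both.
foreach (['Cote d&#039;Or', "What's Up? & more #1 <b>"] as $stored) {
    $url = location_url($stored);
    echo location_link($stored), "\n";          // safe to drop into a template
    $expected = html_entity_decode($stored, ENT_QUOTES, 'UTF-8');
    if (received_location($url) !== $expected) {
        throw new RuntimeException("round trip failed for: $stored");
    }
}
echo "all values survived the round trip\n";
```

Because the value is percent-encoded, characters such as ', ?, # and & never appear raw in the URI, so the receiving side compares the decoded $_GET value against the stored value; nothing should ever be matched against the raw query string. If comment text must travel in a URL at all, as in the first question, this is the encoding to use.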
You might be better using filter_var($var, FILTER_SANITIZE_URL)
http://php.net/manual/en/filter.filters.sanitize.php
While not the best approach, since you are using htmlentities() you can use html_entity_decode()
From: http://php.net/html_entity_decode
html_entity_decode() is the opposite of htmlentities() in that it converts all HTML entities in the string to their applicable characters.
Well, it turns out the real problem wasn't the html entities. It was some of the security stuff written into Apache. A quiet word with my hosting company and they did something that made everything work (presumably removed a mod_security rule).
Moral of the story: if you get a 403 error, suspect Apache security first.
Thanks to the guys who provided answers.
My code is not working, and I don't want to use str_replace, because there may be more than three slashes to be replaced. How can I do the job using preg_replace?
My code is like this:
<?php
$str='<li>
<span class=\"highlight\">Color</span>
Can\\\'t find the exact color shown on the model pictures? Just leave a message (eg: color as shown in the first picture...) when you place order.
Please note that colors on your computer monitor may differ slightly from actual product colors depending on your monitor settings.
</li>';
$str=preg_replace("#\\+#","\\",$str);
echo $str;
There is merit in the other answers, but to me it looks like what you're actually trying to accomplish is something very different. In the PHP code \\\' is not three slashes followed by an apostrophe, it's one escaped slash followed by an escaped apostrophe, and in the rendered output, that's exactly what you see: a slash followed by an apostrophe (with no need to escape them in the rendered HTML). It's important to realize that the escape character is not actually part of the string; it's merely a way to help you represent a character that normally has a very different meaning within PHP. In this case, an apostrophe normally terminates a string literal. What looks like 4 characters in PHP is actually only 2 characters in the string.
If this is the extent of your code, there's no need for string manipulation or regular expressions. What you actually need is just this:
<?php
$str='<li>
<span class="highlight">Color</span>
Can\'t find the exact color shown on the model pictures? Just leave a message (eg: color as shown in the first picture...) when you place order.
Please note that colors on your computer monitor may differ slightly from actual product colors depending on your monitor settings.
</li>';
echo $str;
?>
Only one escape character is needed here for the apostrophe, and in the rendered HTML you will see no slashes at all.
Further Reading:
Escape sequences
The root of this problem is actually in how it was written into your database and is likely to be caused by magic_quotes_gpc; this was used in older versions and was a really bad idea.
The best fix
This requires a few steps:
Fix the script that puts the HTML inside your database by disabling magic_quotes_gpc.
Write a script that reads all existing database entries, applies stripslashes() and saves the changes.
Fix the presentation part (though that may need no changes at all).
Alternative patch
Use stripslashes() before you present the HTML.
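The three steps above, as an added example rather than code from the answer: a guarded input fix for servers where magic_quotes_gpc cannot be switched off, and a one-off repair pass over stored rows using PDO prepared statements. The table and column names and the sample rows are constructed, and the demo runs against an in-memory SQLite table so it works without a MySQL server; point repair_escaped_rows() at the real table only after reading its dry-run report.

```php
<?php
// Added example, not code from the answer above: the three repair steps as
// runnable PHP using PDO and an in-memory SQLite table. The table name,
// column names and sample rows are constructed; point repair_escaped_rows()
// at your real table after checking its dry-run report.
declare(strict_types=1);

/**
 * Step 1, at request start: if magic_quotes_gpc is still on (PHP < 5.4)
 * and php.ini cannot be changed, strip its backslashes exactly once.
 * Guarded, because running stripslashes when magic quotes are off would
 * eat backslashes the user really typed.
 */
function undo_magic_quotes(array $input): array
{
    $strip = function ($v) use (&$strip) {
        return is_array($v) ? array_map($strip, $v) : stripslashes((string) $v);
    };
    return array_map($strip, $input);
}
if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
    $_GET  = undo_magic_quotes($_GET);
    $_POST = undo_magic_quotes($_POST);
}

/**
 * Step 2, one-off: remove one layer of escaping from rows that carry it.
 * $table, $pk and $column come from configuration, never from user input,
 * because identifiers cannot be bound as parameters; the values are bound.
 * Returns the number of rows that would change (dry run) or did change.
 */
function repair_escaped_rows(PDO $db, string $table, string $pk, string $column, bool $dryRun = true): int
{
    $rows    = $db->query("SELECT $pk, $column FROM $table")->fetchAll(PDO::FETCH_ASSOC);
    $update  = $db->prepare("UPDATE $table SET $column = :val WHERE $pk = :id");
    $changed = 0;
    foreach ($rows as $row) {
        $fixed = stripslashes((string) $row[$column]);
        if ($fixed === $row[$column]) {
            continue;                       // nothing escaped in this row
        }
        $changed++;
        if ($dryRun) {
            printf("would change id %s: %s -> %s\n", $row[$pk], $row[$column], $fixed);
        } else {
            $update->execute([':val' => $fixed, ':id' => $row[$pk]]);
        }
    }
    return $changed;
}

// Constructed data: escaped once by magic quotes, escaped twice (magic
// quotes plus an addslashes() call), and a clean row that must be left alone.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, body TEXT NOT NULL)');
$insert = $db->prepare('INSERT INTO posts (body) VALUES (:body)');
foreach ([
    'Can\\\'t find it',        // stored bytes: Can\'t find it
    'Can\\\\\\\'t find it',    // stored bytes: Can\\\'t find it
    'Can\'t find it',          // stored bytes: Can't find it
] as $body) {
    $insert->execute([':body' => $body]);
}

echo "dry run: ", repair_escaped_rows($db, 'posts', 'id', 'body'), " row(s) affected\n";
repair_escaped_rows($db, 'posts', 'id', 'body', false);
// One pass undoes one layer; the doubly escaped row still needs a second
// pass, which is why the dry run is inspected rather than looped blindly.
foreach ($db->query('SELECT id, body FROM posts') as $row) {
    echo $row['id'], ': ', $row['body'], "\n";
}
```

Step 3 then needs no stripslashes() at all: once the stored data is clean, the presentation layer only escapes for its output context (htmlspecialchars for HTML). Stripping at display time, the alternative patch above, silently destroys any backslash the user meant to type, so it should be a stopgap rather than the fix.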
use this pattern
preg_replace('#\\+#', '\\', $text);
This replaces two or more \ symbols preceding an ' symbol with \'
// Pattern and replacement are both double-quoted PHP strings, so each backslash the
// regex engine should see has to be written twice: "\\\\{2,}'" reaches PCRE as \\{2,}'
// (two or more backslashes followed by an apostrophe). The original "/\\{2,}'/" reached
// PCRE as \{2,}', which matches the literal text {2,}' and never fires.
$theConvertedString = preg_replace("/\\\\{2,}'/", "\\\\'", $theSourceString);
Ideally, you shouldn't have code causing this issue in the first place so I would have a look at why you have \\' in your code to begin with. If you've manually put it in your variables, take it out. Often, this also happens with multiple calls to addslashes() or mysql_real_escape_string() or a cheap hosting providers' automatic transformation of all POST request variables to escape slashes, combined with your server side PHP code to do the same.
I have a textarea, which I need to be able to take characters including / and ' as well as special characters in ASCII. It does this fine, and sends the data to a php page by the POST method.
Then I repopulate the text area simply by putting
<?php echo isset($F_Text) ? $F_Text : '' ?>
between the textarea tags ($F_Name = $_POST["F_Name"]), with the intention that the user can then alter what they typed in and resubmit.
But each time the form is repopulated two issues arise. A forward slash is added before characters such as ' and the ASCII characters are printed out as the symbol rather than the code. This basically breaks the rest of the page (the submission goes on to be processed by some javascript).
I can't think of any way to keep the ASCII codes as just that, codes, not symbols.
Also, I've just noticed that all $ signs are lost too, which I can understand, but I need them to stay!
I need the form to display EXACTLY what the user typed in originally. Any ideas?
Can you try with :
<?php echo isset($F_Text) ? htmlentities(stripslashes($F_Text)) : '' ?>
Hope this helps you :)
My guess would be that you first have to turn off magic quotes, then use htmlspecialchars to avoid your variable messing up your HTML, and then make sure everything is in UTF-8 so that all special characters are retained (depending on what you consider ASCII characters...).
Your php echo statement would be:
<?php echo isset($F_Text) ? htmlspecialchars($F_Text) : '' ?>
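Repopulating the textarea the way this answer suggests, as an added example that is not code from the post. It keeps the field name F_Text from the question, uses a constructed submission covering the cases raised (a quote, a slash, a dollar sign, a literal entity) plus an element-breakout attempt, and assumes magic quotes are already off so no stripslashes() is applied.

```php
<?php
// Added example, not code from the answer above: repopulate a textarea
// without losing or mangling what the user typed, and without letting the
// value close the element. "F_Text" is the field name from the question;
// the sample submission is constructed. Assumes magic_quotes_gpc is off
// (if it is on, strip its backslashes once at input and nowhere else).
declare(strict_types=1);

/**
 * Escape a user-supplied value for placement inside <textarea>...</textarea>.
 * Without this, a value containing "</textarea><script>..." ends the element
 * and the remainder is parsed as markup. ENT_QUOTES keeps ' and " intact,
 * the explicit charset avoids the single-byte-vs-UTF-8 mismatch that turns
 * entities into raw symbols, and double_encode (the default, true) means an
 * entity the user literally typed, such as "&#163;", comes back as that
 * text rather than being rendered as the symbol.
 */
function textarea_value(?string $value): string
{
    return htmlspecialchars($value ?? '', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Render the whole element; the template echoes only this. */
function render_textarea(string $name, ?string $value): string
{
    return '<textarea name="' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '">'
        . textarea_value($value) . '</textarea>';
}

// Constructed submission: quote, dollar sign, slash, a literal entity and a
// breakout attempt. In a real request this is $_POST['F_Text'].
$submitted = "It's 5$ / &#163; </textarea><script>alert(1)</script>";
echo render_textarea('F_Text', $submitted), "\n";

// The browser decodes entities inside <textarea> back to text, so the user
// sees exactly the original string. Same check, done here without a browser:
if (html_entity_decode(textarea_value($submitted), ENT_QUOTES, 'UTF-8') !== $submitted) {
    throw new RuntimeException('round trip failed');
}
echo "textarea content round-trips unchanged\n";
```

The dollar sign survives because the value is never interpolated into a double-quoted PHP string; it goes straight from $_POST through htmlspecialchars() to the output.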
I have code that takes the name of a term and pulls in a post of a custom post type of the same name. This works well. Except when a £ character is in the title.
e.g. pseudocode
$q = new WP_Query (array( 'name' => "Insurance Rating £1K"));
if($q->have_posts()){
// expected path of logic flow
} else {
// nothing was found =s
}
This post does indeed exist, yet it is not found, and this problem only affects cases with a '£' character in the title. Since WordPress already sanitizes the titles etc., what is happening? Why does this not work?
edit:
This is a general case, not specific to any codebase of mine. I want to know why this happens and how to avoid it; the codebase this first arose in is irrelevant. So I don't need an alternative solution, as I'm looking for why it happened.
edit 2:
The database tables are using utf8_general_ci encoding.
The £ character is also being saved as is, not as a html entity, here's a screenshot from phpmyadmin:
What encoding is your PHP file in, and does it match the encoding of the database? They need to match for this to work. (Check your IDE or this link provided by #Tom)
Failing that, make sure that the character isn't a £ entity instead of the literal character.
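Why the lookup misses when the file and the database disagree about the encoding of "£", as an added example that is not code from the answer. It assumes the mbstring extension, builds the two byte forms of the title inline (labelled as constructed), compares them the way the database does (byte for byte), and ends with a placeholder DSN showing where the connection charset is declared. WP_Query itself is not called.

```php
<?php
// Added example, not code from the answer above: why a lookup for
// "Insurance Rating £1K" can miss when the PHP source file and the database
// disagree about the encoding of "£", and how to line them up. Requires
// mbstring. The DSN at the end is a placeholder, not a working connection.
declare(strict_types=1);

// Constructed inputs: the title as a UTF-8 source file holds it, and the
// same title as a file saved as ISO-8859-1 (or Windows-1252) holds it.
const TITLE_UTF8   = "Insurance Rating \xC2\xA31K";   // "£" is two bytes
const TITLE_LATIN1 = "Insurance Rating \xA31K";       // "£" is one byte

/**
 * Bring a string of unknown origin to UTF-8. Strict detection rejects byte
 * sequences that are not valid UTF-8, so "\xA3" is classed as ISO-8859-1
 * and converted to "\xC2\xA3"; an already-UTF-8 string passes through.
 * Order matters: every byte string is valid ISO-8859-1, so UTF-8 goes first.
 */
function to_utf8(string $s): string
{
    $enc = mb_detect_encoding($s, ['UTF-8', 'ISO-8859-1'], true);
    if ($enc === false) {
        throw new InvalidArgumentException('byte sequence matches neither encoding');
    }
    return $enc === 'UTF-8' ? $s : mb_convert_encoding($s, 'UTF-8', $enc);
}

/** The database compares bytes, so this is the comparison that matters. */
function same_title(string $stored, string $query): bool
{
    return $stored === $query;
}

printf("stored: %s\n", bin2hex(TITLE_UTF8));
printf("query:  %s\n", bin2hex(TITLE_LATIN1));
var_dump(same_title(TITLE_UTF8, TITLE_LATIN1));          // bool(false): bytes differ
var_dump(same_title(TITLE_UTF8, to_utf8(TITLE_LATIN1))); // bool(true)
var_dump(same_title(TITLE_UTF8, to_utf8(TITLE_UTF8)));   // bool(true): unchanged

// The connection must declare the same charset as the table and the source
// file, or MySQL transcodes on the way in and out. With PDO that is the
// charset= DSN option; in WordPress it is DB_CHARSET in wp-config.php.
$dsn = 'mysql:host=localhost;dbname=wordpress;charset=utf8mb4';   // placeholder
```

Saving the PHP file as UTF-8 without a BOM, keeping the table in a utf8 collation as the question states, and declaring that same charset on the connection removes all three places where the bytes can drift apart.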
I have made a form in which there is a rich text editor, and I'm trying to store the data in the database.
Now I have mainly two problems:
1) As soon as the string contains a "#" character (basically when I try to change the color of the font), it does not store the characters after "#", and it does not store the "#" character either.
2) Although I tried this in JavaScript:
html.replace("\"","'");
it does not replace the double quotes with single quotes.
We'll need to see some code. My feeling is you're missing some essential escaping step somewhere. In particular:
As soon as the string which contents "#"(basically when i try to change the color of the font) character
Implies to me that you might be sticking strings together into a URL like this:
var url= '/something.php?content='+html;
Naturally if the html contains a # symbol, you've got problems, because in:
http://www.example.com/something.php?content=<div style="color:#123456">
the # begins a fragment identifier called #123456">, like when you put #section on the end of a URL to go to the anchor called section in the HTML file. Fragment identifiers are purely client-side and are not sent to the server, which would see:
http://www.example.com/something.php?content=<div style="color:
However this is far from the only problem with the above. Space, < and = are simply invalid in URLs, and other characters like & will also mess up parameter parsing. To encode an arbitrary string into a query parameter you must use encodeURIComponent:
var url= '/something.php?content='+encodeURIComponent(html);
which will replace # with %35 and similarly for the other out-of-band characters.
However, if this is indeed what you're doing, you should in any case not be storing anything to the database in response to a GET request, nor relying on a GET to pass potentially large content. Use a POST request instead.
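What the server receives from the URL built in the question, reproduced on the PHP side as an added example that is not code from the answer. The parameter name content, the /something.php path and the shape of the sample markup follow the answer; the function names and the exact sample value are constructed. parse_url() stands in for the browser's handling of the fragment and parse_str() for PHP's population of $_GET.

```php
<?php
// Added example, not code from the answer above: what the server actually
// receives from a URL built by gluing HTML onto the query string, versus
// the same value percent-encoded, plus the POST alternative. The parameter
// name "content" and the /something.php path follow the answer; the
// function names and sample markup are constructed.
declare(strict_types=1);

const SAMPLE_HTML = '<div style="color:#123456">a & b</div>';

/** The broken construction from the question. */
function naive_url(string $content): string
{
    return '/something.php?content=' . $content;
}

/** The fix. rawurlencode() is PHP's counterpart of encodeURIComponent():
 *  "#" becomes %23, "&" %26, "=" %3D, "<" %3C, space %20. */
function encoded_url(string $content): string
{
    return '/something.php?content=' . rawurlencode($content);
}

/**
 * Simulate the server side. The browser keeps everything from the first
 * "#" (the fragment) to itself, and PHP percent-decodes the query into
 * $_GET, splitting on "&". Returns what $_GET['content'] would hold.
 */
function server_sees(string $url): ?string
{
    $parts = parse_url($url);                  // separates query from fragment
    parse_str($parts['query'] ?? '', $get);
    return $get['content'] ?? null;
}

/** The POST alternative: the same encoding, but in the request body. */
function post_body(string $content): string
{
    return http_build_query(['content' => $content]);
}

var_dump(server_sees(naive_url(SAMPLE_HTML)));
// string(18) "<div style="color:"  -- everything after "#" never left the browser

var_dump(server_sees(encoded_url(SAMPLE_HTML)) === SAMPLE_HTML);
// bool(true)

echo post_body(SAMPLE_HTML), "\n";
// content=%3Cdiv+style%3D%22color%3A%23123456%22%3Ea+%26+b%3C%2Fdiv%3E
```

The POST body is what a form submission or an XMLHttpRequest with Content-Type application/x-www-form-urlencoded carries; PHP decodes it into $_POST with the same rules it applies to $_GET, so the server-side code does not change beyond reading the other superglobal.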
It seems that you are doing something very strange with your database code. Can you show the actual code you use for storing the string to database?
The # character is a common way to start a comment; that is, everything from # to the end of the line is discarded. However, if your code to store to the database is correct, that should not matter.
Javascript is not the correct place to handle quote character conversions. The right place for that is on server side.
As you have requested...
I'll try to reply to you, and describe exactly what I did.
1) On the client side, on the HTML form page, I had written this:
html = html.trim(); // in html, the data of the rich text editor will come.
document.RTEDemo.action = "submit.php?method='"+ html.replace("\"","'") + "'";
// I did the replace because I thought there was some problem with double quotes.
Now on submit.php, my browser URL is like this:
http://localhost/nc/submit.php?method='This is very simple recipe.<br><strong style='background-color: #111111; color: #80ff00; font-size: 20px;">To make Bread Buttor you will need</strong><br><br><blockquote><ol><li>bread</li><li>buttor</li></ol></li></blockquote><span style="background-color: #00ff80;">GOOD.</span><br><br><br><blockquote><br></blockquote><br>'
2) On submit.php I simply wrote this:
echo "METHOD : ".$_GET['method'] . "<br><br>";
$method = $_GET['method'];
Now the output of the part above is like this:
METHOD : 'This is very simple recipe.
Now I want to store the full detail of the URL, but it's only storing:
This is very simple recipe.