In my website, I am passing the user input to a new page using get method. And I am having troubles when the user enters something with &. I am reading two inputs from user. Assume the user entered xxxyyzz for $_GET['input1'] and aaa&bbb for $_GET['input2']. Here is the page the user is directed to:
http://www.mywebsite.com/?input1=xxxyyzz&input2=aaa&bbb
In the directed page, I am getting the inputs using this code:
$input1 = $_GET['input1'];
$input2 = $_GET['input2'];
Obviously $input2 is not populated properly when the user enters an input with something &.
Is there any simple way to handle this other than replacing all &s with another string?
Related
I have two files, the first is a form (signup.php) that posts user inserted fields (first name, last name, user name, email..etc) into another file containing an error handlers (Signup.chk.php) using post method. in case of error in the inputs, i wanted signup.chk.php to send back all the fields inserted by the user to the signup.php file using GET method to re-display the form with the errors and the user's inputs.
i'm expecting a URL that looks like below:
localhost/signup?signup=error&firstname=Joe&lastname=Doe&user=Jdoe1&email=Jdoe#abc.com
it works fine if the user didnt insert special chars as inputs.
if the user inserts $ or & as part of the inputs it will mess up the _GET function on the other page.
what is the best way to encode/decode the URL values to prevent XSS and also allow the signup.inc file to properly receive the url values and display it correctly in the form fields again (Even if containing <>$&%..etc)
To do what you want, you can use urlencode() and urldecode().
// To form the URL
$url = "localhost/signup?signup=error&firstname=" . urlencode($firstname);
// To get the value from the URL and decode it.
$firstname = urldecode(isset($_GET['firstname']) ? $_GET['firstname'] : "");
However, there is a security issue, user may add some code on the url to attack your website, so you need to do something to avoid it, eg restrict input length or avoid unnecessary specific characters.
For example, I have a page called profile_page.php. This page is only functional if data is written after the ?u= in the URL, for example, data for Alice's profile page can only be seen when the URL reads http://localhost/profile_page/alice.
Loading http://localhost/profile_page will give me undefined variable errors as most of my variable's are depending on the URL to have a value after the ?u=. For example, the variable $firstname can only be gathered when I get her username in the URL.
In such a case, when http://localhost/profile_page, I would rather have it redirect the user to their own profile_page, but I don't know how I can test the URL and parse it through an if statement.
I understand you can use $u=$_GET['u']; to obtain the current page URL? but I don't think doing this, is the best way to go about it:
$u=$_GET['u'];
if ($u == "http://localhost/profile_page/"){
// redirect to logged in users page code here
}
First, if you are using some parameter for your page to build, the url would looks like httlp://localhost/profile_page.php?firstname=alice&lastname=brown, with $_GET['firstname'] you will get alice in this case. If you want to test if the parameter is set first and redirect to another page if it is not set, you could use
if(!isset($_GET['firstname'])
{
header('Location:redirected_page.php');
}
When a user submits any form, a $_GET['variable_name'] is sent by the webpage and will give a URL like the following: www.mywebsite.com/index.php?variable_name_here='yes'.
However people can just write the URL www.mywebsite.com/index.php?variable_name='yes' into the address bar of the website and gain access to this part of the script, without actually submitting the form!
This is a problem! It's breaking specific parts of the script linked to that form submission! This is because the part of the script relating to the $_GET['variable_name'] can't get the variables that should be sent by the form as it is never submitted!
How do I stop people getting to specific parts of a script when they manipulate the URL by sending them back to www.mywebsite.com/index.php?
P.S. : This is for user submitted data through a form which is then processed (no SQL or any alike software involved)
If you are worrying about people getting in to your site without logging in or not having correct params, you should first check to see if the correct $_GET variables exist using isset(). If all paramaters you are expecting exist allow them to pass, otherwise use header('Location: /index.php'); to force a redirect.
To redirect from www.mywebsite.com/index.php?variable_name='yes' to www.mywebsite.com/index.php you would need to include the following code below before you open a HTML header! This solution will work for any $_GET variables within your whole website if you place it within an includes("filename_here"), no need to change the code.
//if there are any $_GET variable(s) set (doesn't matter what the name of the variables are)
if (! empty($_GET))
{
//if there is no record of the previous page viewed on the server
if(! isset($_SERVER['HTTP_REFERER']))
{
//get requested URL by the user
$redir = $_SERVER['PHP_SELF'];
//split parts of the URL by the ?
$redir = explode('?', $redir);
//redirect to the URL before the first ? (this removes all $_GET variables)
header("Location: $redir[0]");
}
}
I've a very strange problem in my form and have no idea how to solve it. Tried a search but found nothing about it. I have a form which i receive the data with $get in a php page to process the data. Strangely, when i insert an # in a field like the email for example, the # is lost durring the process of sending data. I verified in the line before the redirection to the php page if the # was there and it was, so i don't know this character is lost in the next step of the process.
Any hints?
The redirection comes from a javascript function that i call when i click the submit form:
window.location.href = 'index.php?pagina=candidaturasB&'+ qstringA;
the "qstringA" contains all the data of my form, and if in some input i put an #, if i do alert(qstringA) before de redirection line, the # is there, after that, in the url, of the php page where i received the data there's no #.
ex: index.php?...&email="ren#something.com" appears on the url "index.php?...&email="rensomething.com".
Use urlencode() for each form data :
eg :
$url = "index.php?pagina=candidaturasB";
$url .= "&email=".urlencode($_GET['email']);
$url .= "&data="urlencode($_GET['data']);
And pass the result string to window.location.href
Basically, I have a search box. Once clicked, the value within the search box would be sanitize and then redirects as a Get Var rather than a Post.
I have one method of taking the User's Input value and redirecting to what they want to search (But it turns into a Post Method).
I want to achieve the following:
User Input Value: "I am Searching"
User/Web Client (Javascript) takes User Input Value, sanitize it for URL, and redirects.
User is taken to: example.com/search/i-am-searching
Rather than:
User Input Value: "I am Searching"
Server Side takes Post Value of "I am Searching" then redirects.
User is taken to: example.com/search/i-am-searching
A good idea could be to check how to use window.location Object.
You can check this tutorial:
How to get url parts in javascript
and you can learn:
How to obtaing the URL from the window.location object
How to change the current location using window.location.href and window.location.reload
How to split and rebuild URLs using an array and string splitting functions
In addition, you can check document.URL and document.referrer
With:
var value = document.getElementById('id_of_field').value;
you get the value of the field and with
window.location =
"http://example.com/search/" + value;