I have a url request like this:
http://localhost/pro/api/index/update_profile?data={"id":"51","name":"abc","address":"stffu fsagu asfhgui fsahgiu3#$#^^##%^3 6\"\"wkgforqf\";rqgjrg..,,,rqwgtr''qwrgtrw'trwqt'rqwtqwr trqt\n"}
I am trying to json decode of this url.I use following code to decode url.It is working perfect if url not contain special character. but how to decode it if it contains special character.
$string = htmlspecialchars($_REQUEST['data'], ENT_QUOTES);
$jsonFix = urldecode($string);
$string = htmlentities($jsonFix, ENT_QUOTES | ENT_IGNORE, "UTF-8");
$json = json_decode($string, true);
print_r($json);exit;
I tried this code but it is not working.when i am try following:
print_r($_REQUEST['data']);exit;
output is:
{"id":"51","name":"ds"","address":"stffu fsagu asfhgui fsahgiu3
means it is bracking from # character.
(sidenote: i am working on api for iphone so request came from iphone,framework:CI)
so how to get url which contain special character and how to decode it?
The # character marks the beginning of the fragment part of the URL.
You need to properly URL-encode the URL for this to work.
For example, your JSON, when correctly URL-encoded, becomes:
%7B%22id%22%3A%2251%22%2C%22name%22%3A%22abc%22%2C%22address%22%3A%22stffu%20fsagu%20asfhgui%20fsahgiu3%23%24%40%5E%5E%40%23%25%5E3%206%5C%22%5C%22wkgforqf%5C%22%3Brqgjrg..%2C%2C%2Crqwgtr%27%27qwrgtrw%27trwqt%27rqwtqwr%20trqt%5Cn%22%7D
The entire URL becomes:
http://localhost/pro/api/index/update_profile?data=%7B%22id%22%3A%2251%22%2C%22name%22%3A%22abc%22%2C%22address%22%3A%22stffu%20fsagu%20asfhgui%20fsahgiu3%23%24%40%5E%5E%40%23%25%5E3%206%5C%22%5C%22wkgforqf%5C%22%3Brqgjrg..%2C%2C%2Crqwgtr%27%27qwrgtrw%27trwqt%27rqwtqwr%20trqt%5Cn%22%7D
Check the documentation of your language of choice to find the correct method for URL-encoding characters.
For example, in PHP, this is rawurlencode and in JavaScript this is encodeURIComponent.
If necessary, there are also plenty of URL coders online, such as this website.
You are manipulating the $data in some ways that aren't really necessary. htmlspecialchars() and htmlentities() make sense if applied to specific values - not the whole JSON. The danger is that they mess up the JSON, it is only important here to urldecode()!
$jsonFix = urldecode($data);
$json = json_decode($jsonFix, true);
This already works and doesn't leave any character out.
If you plan to post something of that and want to escape it, you can do it like so
htmlspecialchars($json['address'], ENT_QUOTES)
Can't you just replace the "#" character with something like "&hashtagChar;" before you process, and put it back afterwards?
Related
So when I use PHP's urlencode on the following string, there seems to be a technicality coming up which I think is on a reserved PHP word "¬".
The original string:
cancel_url=https://example.com/payment_cancelled¬ify_url=https://example.com/order_notify
I get the following result using urlencode:
cancel_url=https%3A%2F%2Fexample.com%2Fpayment_cancelled¬ify_url=https%3A%2F%2Fexample.com%2Forder_notify
As you notice above, the '¬' special character it creates (just after the word 'cancelled'). So to me it seems the "¬" portion of "¬ify_url" is an operator reserved operator word ("¬" in PHP?).
I have tried PHP's str_replace function after url encoding as follows:
$paramUrlString = str_replace('¬', '¬', $paramUrlString);
$paramUrlString = str_replace('ª', '¬', $paramUrlString);
(trying the ASCII code for that special character too)
I've run out of ideas now. Please assist, thank you.
urlencode does not usually replace ¬ at all, but does replace & with %26. See example here: http://sandbox.onlinephpfunctions.com/code/e9d62797d01f8162170e5ad5181e14fc339faa52
You could try replacing & with %26 before urlencode.
$urlString = str_replace('&', '%26', $urlString);
It's not that anything in PHP is replacting the string ¬ with ¬, it's that whatever you're using to view/display the data is doing that.
Given that the closing ; on the entity is not required, I would wager that you're putting the URL into XML without properly escaping the entities. While & is the entity that conflicts between URLs and XML, there are more than that.
The simplest solution is if you're embedding a raw string in an XML document you need to call:
$string = htmlspecialchars($string, ENT_XML1 | ENT_COMPAT);
The best solution, on the other hand, is to not create XML documents by hand at all. Use a library like DOMDocument or XMLWriter. This handles not only the escaping/encoding of your data, but all of the other subtle complexities of creatings proper XML documents.
I have an application that posts content to a MySQL DB via PHP. The PHP uses $_GET to pull the content from the URL and then inserts it into the DB.
This works great, but I have discovered an issue. If the user enters certain characters (", &, and others), the $_GET method does not properly separate the content from the URL.
Let's say the user posts this content:
I love blue & green
In this situation, the & symbol cuts the string after the word blue.
Is there any way for me to edit my PHP file to ignore the & symbol and to actually treat it as part of the variable it is supposed to $_GET? Any help would be great!
You can URLencode data before sending it to the PHP. It's a better solution.
Specials chars must not be used in a query string if those chars are in data.
In Javascript, you can use the escape function : escape(&ee) will give %26ee
The correct method is to urlencode the "&" caracter by the client : pass "%26" instead of "&"
you can use $_SERVER['QUERY_STRING']
from http://php.net/manual/en/reserved.variables.server.php
You could send the request as a base64 encoded string:
$string = base64_encode("This is my long string with &ersands and 'quotes'");
print base64_decode($string);
Note that base64-encoded data takes about 33% more space than the original data.
From the manual:
http://php.net/manual/en/function.base64-encode.php
You also have urlencode
try to urlencode your string:
&
becomes
%26
it's a PHP function :
http://php.net/manual/fr/function.urlencode.php
What about, before creating Query string, encode it ?
$str = "I love blue & green ?=&˙Đ[]";
$str = urlencode($str);
echo $str;
Will return:
I%20love%20blue%20%26%20green%20%3F%3D%26%CB%99%C4%90%5B%5D
You have to URL encode the string before you pass it as a GET parameter. In this particular case you have to replace & symbol with %26.
This can be done for example using javascript right before you send the form.
I am using the following code to encode a URL for basic hiding of the URL
/lbs_map.php?msisdn=27827910118
This is what I do not want my clients to see. I have coded it the following way
<a href="lbs_map.php?msisdn=<?php echo base64_encode ("27".substr($rows['member_msisdn'],
1)); ?>
This is my output now:
/lbs_map.php?msisdn=Mjc4Mjc5MTAxMTk=
I am using this to try and decode the string:
<?php
$str = 'VGhpcyBpcyBhbiBlbmNvZGVkIHN0cmluZw==';
echo base64_decode($str);
?>
But it is not working at all to decode it and give me the required info i want. I need help on the decoding of the string
The encode string must work with the code string as the code string varies and is never the same
If you're passing base64 encoded data via the url, you need to urlencode() it first as = is a reserved character in urls.
You need to urlencode() the msisdn parameter.
Also keep in mind that base64 is not the way to go if you want to hide something from your users as it's not an encryption function and can be easily decoded.
In my code, I create a link like this:
$link = 'http://www.mydomain.com/'.urlencode($str).'/1';
I use url-rewriting and the rule in my htaccess file looks like this:
rewriteRule ^(.+)/(.*)$ index.php?var1=$1&var2=$2 [NC,L]
This code is working fine for almost every strings. But sometimes, the string to encode contains "&". The urlencode function encodes it corectly, but when I read the $_GET array in php, it looks like this (with $str = 'substring1&substring2'):
'var1' => 'substring1' (without "&")
'substring2' => '' (without "&")
'var2' => 1
I really need the "&" in my var. Is there a way to encode that character to make it works?
Also, I really don't know why, but sometimes I get a forbidden http error with some strings passed as var1. Apparently, they have nothing special, for exemple, "Décarie Square" makes that error. Other strings with spaces and "é" are working fine.
Apache's mod_rewrite automatically decodes urlencoded strings when it does regex matching. But it only does this once, so you should be if you urlencode your string twice. This will re-escape all of those `%' characters.
try
$link = 'http://www.mydomain.com/'.urlencode(urlencode($str)).'/1';
or stop relying on rewrite rules and use a framework that handles URL routing properly.
Oh, and there should also be htmlentities() somewhere in there.
Apache will automatically translate (decode) the path. You must use a different encoding or even double encoding. Base 64 will work.
your $str isn't setup with key=val pairs
Try $str = 'var1=substr1&var2=substr2';
Two options:
Urlencode the string before urlencoding the query.
Replace all non alphanumerical chars with a dash or underscore
As for the forbidden error are you using http auth basic or digest?
Update may mistake try using htmlentities or htmlspecialchars instead of urlencode
I am retrieving an encoded url via querystring. I need to pass it again to the next page. When I retrieve it the first time, using $_REQUEST['url'], only the slashes are decoded, e.g:
http://example.com/search~S10?/Xllamas&searchscope=10&SORT=D/Xllamas&searchscope=10&SORT=D&SUBKEY=llamas/51%2C64%2C64%2CB/browse
The php docs page for urldecode advises against decoding request data, and says that it will already be decoded. I need it either completely decoded, so I can encode it again without double-encoding some parts, or not decoded at all.
I'm not sure why my experience of this data is incongruous with the php docs. Appreciate any help or pointers to same!!
EDIT: attempt to post relevant code, which is scattered about:
the url is encoded and added to the querystring (in an html file using smarty template):
<a class="button" href="{$baseurl}search_nojs?searcharg={$searcharg|escape:'url'}&url={$next|escape:'url'}"><span>Next>></span></a>
if that link was followed, i'm grabbing the url back out of the querystring (in a php file):
if(array_key_exists('url', $_REQUEST)) {
$sm->assign("searchurl", $_REQUEST['url']);
}
Then I'd like to stick the url back into the querystring for the next link (in another html file):
href="{$baseurl}detail?bibid={$res.bibid}&searcharg={$searcharg}{if $searchurl}&searchurl={$searchurl}{/if}"
I'm also printing {$searchurl} straight onto the page, and getting the same half-escaped result.
Here is another example of the querystring vs. the data i get from $_REQUEST:
originally encoded url in querystring:
searcharg=mammals&url=http%3A%2F%2Fexample.com%2Fsearch%7ES10%3F%2FXmammals%26searchscope%3D10%26SORT%3DD%2FXmammals%26searchscope%3D10%26SORT%3DD%26SUBKEY%3Dmammals%2F51%252C1114%252C1114%252CB%2Fbrowse
data retrieved from $_REQUEST:
searcharg=mammals&searchurl=http://example.com/search~S10?/Xmammals&searchscope=10&SORT=D/Xmammals&searchscope=10&SORT=D&SUBKEY=mammals/51%2C1114%2C1114%2CB/browse
I know this method may seem curious -- I am trying to make a mobile display, working around a black-box database. Thanks again for any help!!
Here is another example of the querystring vs. the data i get from $_REQUEST:
originally encoded url in querystring:
searcharg=mammals&url=http%3A%2F%2Fexample.com%2Fsearch%7ES10%3F%2FXmammals%26searchscope%3D10%26SORT%3DD%2FXmammals%26searchscope%3D10%26SORT%3DD%26SUBKEY%3Dmammals%2F51%252C1114%252C1114%252CB%2Fbrowse
This is double encoded. For example: %252C -> %2C -> ,
So at the point that you encode the url parameter, you're introducing double encoding. Perhaps you should ensure that, before encoding parameters, you decode them until they can be decoded no more (aka canonicalisation). You could use urldecode in a loop for this.
You also want to ensure that when you put the url parameter back into html context (as a link) that you escape for HTML Attributes too. Otherwise you have an XSS vulnerability.
The comma (U+002C) is a reserved character in the query and thus must be encoded with %2C:
3.4. Query Component
The query component is a string of information to be interpreted by
the resource.
query = *uric
Within a query component, the characters ";", "/", "?", ":", "#",
"&", "=", "+", ",", and "$" are reserved.