I am trying to remove any trailing slash from DOCUMENT_ROOT
rtrim($_SERVER['DOCUMENT_ROOT'], '/\\')
But its adding %5C after using rtrim:
E:%5Cwamp%5Cwww%5Ctestfolder
Also I replace all slash with DIRECTORY_SEPARATOR before using rtrim, but same thing happen.
Please tell me why its happening ?
The %5C is from URL encoding. The $_SERVER['DOCUMENT_ROOT'] value is not URL-encoded, so perhaps you are urlencoding the output when you send it to your browser?
rtrim only trims the end of the string, and your example output shows that no slash is suffixed to the string - it appears rtrim has done its job.
Please post your whole code for a more detailed look.
Related
I have downloaded some PHP code because I want to modify it and use it for my project.
I have this line of code:
$uri=rtrim(dirname($_SERVER['PHP_SELF']),'/\\');
I know the $_SERVER['PHP_SELF'] it is a superglobal variable that returns the file name of the current running script.
But I do not know why rtrim is used!
Can someone shortly explain to me?
From the PHP doc:
rtrim — Strip whitespace (or other characters) from the end of a
string
To explain more :
_SERVER['PHP_SELF']:
will return The filename of the currently executing script, relative to the document root. For instance, $_SERVER['PHP_SELF'] in a script at the address http://example.com/foo/bar.php would be /foo/bar.php
And the dirname will Returns a parent directory's path like src/foo/bar.php.
To ensure that there is no special caracter inside , the rtrim will strip whitespace (or other characters) from the end of a string.
Hope this help you.
Can any one please tell me how I can remove the slash from the end of a variable
In my index.php I have the following:
$url=$_SERVER['REQUEST_URI'];
include_once "sites/$url.php";
My problem is if I write example.com/test/somefile/ nothing comes but if I write example.com/test/somefile it works
So is there a way to remove the slash if the variable ends with a slash?
Please do not do this.
You are relying on your user being a goody two shoes and not futzing with requests.
In conclusion: DO NOT rely on browser requests to include a file in your code
Try this
$url = rtrim($url, '/');
From PHP.net http://ua2.php.net/rtrim
>
You can also specify the characters you want to strip, by means of the character_mask parameter. Simply list all characters that you want to be stripped. With .. you can specify a range of characters.
While this will solve your problem, please take a few minutes to consider the warnings posted in the comments and the other answer(s) regarding code injection since it is a very serious security issue.
http://localhost/foo/profile/%26lt%3Bi%26gt%3Bmarco%26lt%3B%2Fi%26gt%3B
The url above gives me a 404 Error, the url code is this: urlencode(htmlspecialchars($foo));, as for the $foo: <i>badhtml</i>
The url works fine when there's nothing to encode e.g. marco.
Thanks. =D
Update: I'm supposed to capture the segment in the encoded part of the uri, so a 404 isn't supposed to appear.
There isn't any document there, marco is simply the string that I needed to fetch that person's info from db. If the user doesn't exist, it won't throw that ugly error anyways.
Slight idea what's wrong: I found out that if I used <i>badhtml<i>, it works just fine but <i>badhtml</i> won't, what do I do so that I can maintain the / in the <i>?
It probably think of the request as http://localhost/foo/profile/<i>badhtml<**/**i>
Since there is a slash / in the parameter, this is getting interpreted as a path name separator.
The solution, therefore, is to replace all occurrences of a slash with something that doesn't get interpreted as a separator. \u2044 or something. And when reading the parameter back in, change all \u2044s back to normal slashes.
(I chose \u2044 because this character looks remarkably like a normal slash, but you can use anthing that would never occur in the parameter, of course.)
It is most likely that the regex responsible for handling the URL rewrite does not like some of the characters in the URL-encoded string. This is most likely httpd/apache question, rather than PHP. Your best guess is to start by looking at the .htaccess (file containing URL rewrite rules).
This question assumes that your are trying to pass an argument through the URL, rather than access a file named <i>badhtml</i>.
Mr. Lister, you rocked.
"The solution, therefore, is to replace all occurrences of a slash with something that doesn't get interpreted as a separator. \u2044 or something. And when reading the parameter back in, change all \u2044s back to normal slashes."
I have a file on my server that i want to access. The filename is ken\'s book.doc
But in my db, it was stored as ken's book.doc
(I have fixed the backslash issue, but still have problems accessing the previously uploaded files on server.
I used addslashes to add the back slash but it displays it as: ken/'s book.doc (that is a forward slash instead of a backslash.
I have used:
str_replace("'", "\'", $filename);
yet it displays as a forward slash.
How can i fix this?
Thanks
EDIT
Extra Information: I am using the new value as part of a link. that is:
View
If you have a filename that contains a backslash on disk, I would fix that first. Your second problem was appearantly not using mysql_real_escape_string when storing that filename into the database (why it ended up there without backslash).
addslashes btw does not add forward slashes by itself. That part of your story is untrue. And to remove them again you wouldn't need the quirky str_replace call, but just stripslashes.
The actual problem (after your edit) turns out to be a html link. That's simply because browsers have the habit of turning backslashes into forward slashes in urls. To prevent that apply urlencode()
View
I am trying to understand this one line of code below:
str_replace('../', '', $route);
Basically it says replace '../' with nothing in $route
$route = 'information/information&information_id=4';
from the url 'index.php?route=information/information&information_id=4'
But there is no ../ in the $route variable. Is it some sort of regex? If yes, what does it exactly do. Thanks guys.
You are correct in thinking that it replaces "../" with an empty string. It is not regex. There is no occurence of it in your example, but there could be.
It might be used for some sort of security to prevent you from going back up the directory structure from the document root.
If there's no ../ in the string, this will replace nothing. It's not a regex (see preg_replace() for that. It's just precaution against someone trying to pass invalid path (starting with ../), which could potentially be an attempt of accessing files outside of webserver's document root (in other words, a hacking attempt).