I have integrated paypal in my application. Everything works good.
I have a minor issue, i want my custom field email as query string on success page to insert more data for that user.
My input coding is below:
<input id="custom" name="custom" class="form_textbox"/>
And my redirect is as below:
<input type="hidden" name="return" value="http://myweburl.com/ticket.php?tck=test#email.com">
But its not passing dynamically. I want to pass email entered in input "custom" to this query string. I know may be the solutions will be basic, but i tried everything, but couldn't make it work.
It may be that that certain characters need to be encoded for URLs. At a minimum, you should be encoding the ? question mark in your return value. It also may not be a bad idea to encode the slashes /.
For example, here are some characters that may need to be encoded in your example:
? = %3F
/ = %2F
You can take reference other encoded characters on Wikipedia, or try Googling.
Related
I write
http://www.mysite.com/form.php/%22%3E%3Cscript%3Ealert('hacked')%3C/script%3E
on URL. Now I press enter and the URL is:
http://www.mysite.com/form.php/"><script>alert('hacked')</script>
Now I post the form. When using $_SERVER['PHP_SELF'], htmlspecialchars works, with REQUEST_URI not. Why?
When and why should I use action="" or action=<?=$_SERVER['PHP_SELF']?> or action=<?=$_SERVER['REQUEST_URI']?>?
Here the result of the posts:
$_SERVER['REQUEST_URI']:
/form.php/%22%3E%3Cscript%3Ealert('hacked')%3C/script%3E
htmlspecialchars($_SERVER['REQUEST_URI']):
/form.php/%22%3E%3Cscript%3Ealert('hacked')%3C/script%3E
$_SERVER['PHP_SELF']:
/form.php/"><script>alert('hacked')</script>
htmlspecialchars($_SERVER['REQUEST_URI']):
/form.php/"><script>alert('hacked')</script>
I think, the second should also be as the last...?
It sounds like you're confusing htmlspecialchars with urlencode.
htmlspecialchars replaces characters with special meaning in HTML with &-escaped entities. So, for example, ' becomes '. It doesn't turn %22 into ", however, because %22 has no special meaning in HTML, so it's safe to display it without modification.
urlencode replaces characters with special meaning in URLs with hexadecimal character codes using %. So, for example, " becomes %22.
If you want a form to be handled by the same URL that is used to display it, always use action="" rather than action=<?=$_SERVER['PHP_SELF']?> or action=<?=$_SERVER['REQUEST_URI']?>. As you've already figured out, there are serious risks of cross-site scripting (XSS) if you use either of the $_SERVER variables, because they contain user input and therefore cannot be trusted. So, unless you have a good reason that you need to tweak the URL somehow, just use action="".
When I copy a domain name from Google Maps and then paste it into a form I built, it enters it into a MySQL database with appended at the end of the domain name.
Any idea how I could strip that off of the domain name?
The relevant code is below
<div class="friend5title"><label for="url">Website:</label></div>
<div class="friend5field"><input name="website" type="text" id="website" maxlength="150"></div>
$website = mysql_real_escape_string($website);
mysql_query("INSERT INTO submission VALUES ('$website')");
It is a control character ( http://en.wikipedia.org/wiki/Left-to-right_mark ).
Ignore all of my previous answer I just realized (since I wrote quickly) it isn't in unicode it is actually in a HTML entity format so you need to strip that HTML entity out:
preg_replace('/()/', '', $string);
An alternative is to actually purify your string and purge it of all HTML entities since it shouldn't really have any in it. Normally there could be special characters like & but these should not exist in a URL taken from an input field I reckon.
Here is a question about removing HTML entities with a solid answer: How to remove html special chars?
As to why it is happening: it is possible that someone has a foreign browser which artifically makes the text in inputs go a certain way but in turn by adding this html entity.
On pasting in the input field you did copy a left-to-right character, with unicode number 8206. As the browser evidently did have a form not in some unicode character set (like UTF-8), it sent to the server that character as numeric entity . The server has to decode these, or the form (and page) has to be changed to accept UTF-8.
In the case of your LTR-character, it seems superfluous. You could add an onchange=... to remove characters < 0 and > 127 for the URL. They still are characters, so that is easily done.
Is there a way to replace the character & with and in a PHP web form as the user types it rather than after submitting the form?
When & is inserted into our database our search engine doesn't interpret the & correctly replacing it with & returning an incorrect search result (i.e. not the result that included &).
Here is the field we would like to run this on:
<input type="text" name="project_title" id="project_title" value="<?php echo $project_title; ?>" size="60" class="btn_input2"/>
Is there a way to replace the character & with and in a PHP web form as the user types it rather than after submitting the form?
PHP is on the server, it has no control over anything taking place under any circumstances what-so-ever on the client-side. It sends raw text from the web server, a 100megaton thermonuclear device explodes, and PHP never exists anymore after the content is sent. Just the document received on your client side remains. To work with effects on your client side, you need to work with JavaScript.
To do that, you would pick your favorite JavaScript library and add an event listener for "keyup" events. Replace ampersands with "and", and drop the replacement text back in the box. mugur has posted an answer that shows you how to do this.
This is a horrible solution in practice because your users will be screaming for bloody justice to deliver them from such an awful user experience. What you've ended up doing is replacing the input text with something they didn't want. Other search tools do this, why can't yours? You hit backspace, then what? When you hit in the text, you probably lose your cursor position.
Not only that, you're treating a symptom rather than the cause. Look at why you're doing this:
The reason is when & is inserted into our database our search engine flips out and replaces it with & which then returns an incorrect result (i.e. not the result that included &).
No, your database and search engine do no such thing as "flipping out". You're not aware of what's going on and try to treat symptoms rather than learn the cause and fix it. Your symptom cure will create MORE issues down the road. Don't do it.
& is an HTML Entity Code. Every "special" charecter has one. This means your database also encodes > as > as well as characters with accents in them (such as French, German, or Spanish texts). You get "Wrong" results for all of these.
You didn't show any code so you don't get any code. But here's what your problem is.
Your code is converting raw text into HTML Entity codes where appropriate, you're searching against a non-encoded string.
Option 1: Fix the cause
Encode your search text with HTML entities so that it matches for all these cases. Match accent charecters with their non-accented cousins so searching for "francais" might return "français".
Option 2: Fix one symptom
Do a string replace for ampersands either on the client or server side, your search breaks for all other encodings. Never find texts such as "Bob > Sally". Never find "français".
Before submitting the form you'd need to use JavaScript to change as the user types it in. Not ideal since JS can be turned off.
You'd be much better to "clean" the ampersands after submitting but before inserting into the database.
A simple str_replace should work:
str_replace(' & ',' and ', $_POST['value']);
But as others have pointed out, this isn't a good solution. The best solution would be to encode the ampersands as they go into the database (which seems to be happening just now), then modify your search script to allow for this.
You can do that as they complete the form with jquery like this:
$('#input').change(function() { // edited conforming Icognito suggestion
var some_val = $('#input').val().replace('&', 'and');
$('#input').val( some_val );
});
EDIT: working example (http://jsfiddle.net/4gXZW/13/)
JS:
$('.target').change(function() {
$('.target').val($('.target').val().replace('&', 'and'));
});
HTML:
<input class="target" type="text" value="Field 1" />
Otherwise you can do that in PHP before the insert sql.
$to_insert = str_replace("&", "and", $_POST['your_variable']);
I have an email address param where email addresses are passed un-encoded like so:
http://domain/script?email=test+test#gmail.com
What PHP escaping/encoding will let me safely display the email address on an input field on the page?
Everything I tried causes the encoded chars to show up instead of the user-friendly email address (i.e. test%2Btest%40test.com)
Update - here's what I've tried:
Going from ?email=test+test#gmail.com to:
urlencode($_GET['email']) = test+test%40test.com (# sign is encoded)
htmlspecialchars($_GET['email']) = test test#test.com (lost the +)
htmlspecialchars(urlencode($_GET['email']) = test+test%40test.com (# sign encoded)
Recall that I'm trying to take the unencoded url email param and safely output it into the value of an input field while keeping plus signs intact.
Maybe I should try this?
str_replace("%40", "#", htmlspecialchars(urlencode($_GET['email'])))
If you want to safely output it in the value of an input field, you need to htmlencode it first with htmlspecialchars.
Example :
<input type="email" name="email" value="<?php echo htmlspecialchars($_GET['email']); ?>"
Note : If you aren't using double quote around what you are output, you need to apply more escaping. This page explains it all.
This works:
str_replace("%40", "#", htmlspecialchars(urlencode($_GET['email'])))
You're probably looking for urldecode()? That's what converts %40, %2B, etc. back into normal characters.
use emailaddress = urldecode($_GET['email']); as Kevin suggested. it will do whatever you need.
What if you validate the email and write it as it was, if only an email address is acceptable?
Probably, this question has been asked before, though, I'll ask it again.
Currently, I'm facing a problem with form encoding. When posting my form, all spaces are replaced by the "+" character. I would like to replace this "+" character by a real space.
Does someone has a PHP solution for this?
Thanks in advance.
Cheers, Lennart
Can't reproduce
<form>
<input type=text name="a" value="text with spaces">
<input type=submit>
</form>
<?php if (isset($_GET['a'])) echo $_GET['a'] ?>
no spaces at all. What i m doing wrong?
This shouldn't happen if the browser behaves correctly. My assumption would be that a javascript is messing with your data. Replacing spaces with pluses is done when encoding urls, maybe that will help.
You can use firebug to check for any js interference.
I'm using AJAX (x = in this case JSON) for handling the form posts etc
Then let's see the code.
Possibly you're doing something like trying to form-encode your data manually before another component also form-encodes it. Replacing a space with + is quite standard and expected for form-encoding, but if you accidentally do it twice then you're going to be left with an encoded + at the end of it.
If you are using the JavaScript escape function: don't. (When you need to URL-encode a form value for inclusion in a parameter, the proper method is encodeURIComponent. escape is a fruity non-standard encoding of its own which you should almost never have any need to use.)