I looked around Stack Overflow for the recommended method type for PHP; either the GET or POST method. Recommended by the community, the GET method seems to be a good idea for passing queries for a simple search engine.
Unfortunately, the GET method adds unnecessary addition symbols to the URL to indicate spaces. Basically, a aesthetic issue.
I tried the trim() function to lessen the spaces, however, that is only called after the data is submitted and the URL is already set with the parameters.
Here is a the index.php file I think is not cooperating with me.
<?php $query = ""; ?>
<!doctype html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Document</title>
</head>
<body>
<form action="index.php" method="GET">
<input type="text" name="query" placeholder="Enter Query">
<input type="submit" text="Search">
</form>
<?php
$query = $_GET['query'];
print $query;
?>
</body>
</html>
A example, if needed. If I type into the search bar this query...
sample 1
The URL will be formed this way...
http://localhost/search/index.php?query=sample++++++++++++++1
Is there a way to fix this problem or is the POST method the only way to circumvent this problem?
You will need to use the POST method.
<!doctype html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Document</title>
</head>
<body>
<form action="index.php" method="POST">
<input type="text" name="query" placeholder="Enter Query">
<input type="submit" text="Search">
</form>
<?php
$query = $_GET['query'];
print $query;
?>
</body>
</html>
Use urlencode or str_replace.
urlencode will replace all spaces with plus symbols, and with str_replace you can replace either underscores with plus symbols, or spaces with minus symbols.
Replace spaces with underscores: str_replace(' ', '_', $url);
Urlencode your $_GET*: urlencode($url);
Related
I want to echo the textarea value with PHP, so I create a simple form with HTML, and inside it I include textarea element with name of b64_place and then input to submit the values.
I check if b64_place is set, and if it is I echo the value of the textarea. But my program doesn't even get into the condition block, I try debugging and it is just not doing nothing.
<!DOCTYPE html>
<html lang="en">
<head>
<title>Document</title>
</head>
<body>
<form action="index.php" method="GET">
<textarea name="b64_place" form="encode">Enter text here:</textarea>
<input type="submit" value="Encode">
</form>
<?php
if (isset($_GET['b64_place'])) {
$base64e_text = htmlspecialchars($_GET['b64_place']);
echo $base64e_text;
}
?>
</body>
</html>
Your textarea contains an attribute form This attribute is used to define the id of the form this input is attached to. So, when you submit the form, the textarea isn't bound with that form and the datas aren't send
You can either add an id to the form :
<!-- check this ----------------------v---------v -->
<form action="index.php" method="GET" id="encode">
<textarea name="b64_place" form="encode">Enter text here:</textarea>
<input type="submit" value="Encode">
</form>
or simply remove the form="encode"
Edit based on suggestion from senior SO members,
The reason i recommend you to change the method to POST is because of the length limit of the GET method. At some point you may want to encode very large data and it may get trimmed of because of URL length limit. But with POST you don't have to worry about this restriction.
Steps to solve your issue.
If your Form and your PHP code is in the same file changethe action="index.php" to action="" and change the method="GET" to method="POST"
In text area use placeholder to tell the user what to input instead of writing it between the tags.
change $_GET to $_POST everywhere in your code.
You can copy the following code into the index.php and it will work fine.
<!DOCTYPE html>
<html lang="en">
<head>
<title>Document</title>
</head>
<body>
<form action="" method="POST">
<textarea name="b64_place" placeholder="Enter text here:"></textarea>
<input type="submit" value="Encode">
</form>
<?php
if (isset($_POST['b64_place'])) {
$base64e_text = htmlspecialchars($_POST['b64_place']);
echo $base64e_text;
}
?>
</body>
</html>
<?php
if(isset($_GET['textvalue'])){
$string = $_GET['textvalue']; //preg_match return false
//$string = '한자漢字メ'; //preg_match return true
$stringArray = preg_match('/^[\p{L}]{2,30}$/u', $string);
}
?>
<!DOCTYPE html>
<html>
<body>
<form method="GET">
<input type="text" name="textvalue">
<input type="submit">
</form>
</body>
</html>
I'm trying to regex the value from the input.
Unfortunately, every time I submit the characters, preg_match return false. But, if I use the string from the variable, it'll return true.
What going on and how do I fix it?
If anyone ran into this problem, I've found it. You just need to add this meta header:
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
I'm not sure why, but with out the codes above, html it send the values to php as a non-utf-8 value. So, then the preg_match try to read it, its reading a different value then what was typed in, thus; it return false.
That's why it work when you just uses the string. HTml is not involved.
note. Even if you try to read by echoing it out, html with return it to its orginal utf-8 value. weird.
Example:
<?php
if(isset($_GET['textvalue'])){
$string = $_GET['textvalue']; //preg_match return false
//$string = '한자漢字メ'; //preg_match return true
$stringArray = preg_match('/^[\p{L}]{2,30}$/u', $string);
}
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/>
<head>
<body>
<form method="GET">
<input type="text" name="textvalue">
<input type="submit">
</form>
</body>
</html>
I have little experience with PHP and regular expressions. I created a simple html input form and a submit button. i would like to do the following:
When the button is clicked, regexp splits the input string into an array of words:
that are all lowercase (with all ã changed to a)
and are all 10 symbols long.
Should it be like that?
$search_string = $_GET['keywords'];
$regexp = preg_split(^[a-zA-Z]{1,10}+$, $search_string);
$regexp = strtolower($search_string);
This is my simple html code:
<div>
<label for="keywords">keywords:</label>
<input type="text" name="keywords">
</div>
<input type="submit" value="Add Records">
Can you help me improve my regexp code? It doesn't seem to be working.
This is my code:
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Document</title>
</head>
<body>
<form action="htmlform.php" method="POST">
keywords <input type="text" name="keywords">
<input type="submit" value="submit">
</form>
<?php
$search_string = $_GET['keywords'];
$regexp = preg_split("/^[a-zA-Z]{1,10}+$/", $search_string);
$regexp = strtolower($search_string);
?>
</body>
</html>
Maybe it is because your form method is POST but you are looking at $_GET?
$search_string = $_POST['keywords'];
I have a textarea that users can edit. After the edit I save the text in a PHP variable $bio. When I want to display it I do this:
<?php
$bio = nl2br($bio);
echo $bio;
?>
But if a user for example types an HTML command like "strong" in their text my site will actually output the text as bold. Which is nothing I want.
How can I print/echo the $bio on the screen just as text and not as HTML code?
Thanks in advance!
Replace echo $bio; with echo htmlspecialchars($bio);
http://php.net/htmlspecialchars
When you output text to the html / the browser and you want to make sure that the output does not break the html, you should always use htmlspecialchars().
In your case you do want to show the <br> tags, so you should do that before you add them:
$bio = nl2br(htmlspecialchars($bio));
You can also use strip_tags() to get rid of the html tags altogether, but you would still need to use htmlspecialchars() so that for example a < character will not break your html.
You can also use htmlentites()
<!DOCTYPE HTML>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<title></title>
</head>
<body>
<form method="POST" action="">
<p><textarea rows="8" name="bio" cols="40"></textarea></p>
<p><input type="submit" value="Submit"></p>
</form>
<p>Result:</p>
<?php echo isset($_POST['bio']) ? htmlentities($_POST['bio']) : null; ?>
</body>
</html>
So like:
I have been doing some testing with XSS and I created a simple form with one text input and the php at the top of the page echoes out the value, like this:
<!doctype html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Mysite</title>
</head>
<body>
<?php if(isset($_POST['name'])) {
$name = $_POST['name'];
echo $name;
}
?>
<form action="" method="post">
<input type="text" name="name"/>
<input type="submit" value="Submit" />
</form>
</body>
</html>
I entered a javascript code in the text input like this:
<script type="text/javascript">alert('XSS!');</script>
When I do this in Google Chrome I get nothing, no output, no alert box and no errors. But when I view it in Internet Explorer I get the alert box as expected.
Why is this happening?
Chrome has a built in xss filter:
http://blog.securitee.org/?p=37
and
https://security.stackexchange.com/questions/16247/does-google-chrome-protect-against-cross-site-scripting-xss
because this is what you are printing.. no browser should protect that(or you shouldn't rely on that).. you have to convert all html by yourself :) html encode it...