Can any one please tell me how I can remove the slash from the end of a variable
In my index.php I have the following:
$url=$_SERVER['REQUEST_URI'];
include_once "sites/$url.php";
My problem is if I write example.com/test/somefile/ nothing comes but if I write example.com/test/somefile it works
So is there a way to remove the slash if the variable ends with a slash?
Please do not do this.
You are relying on your user being a goody two shoes and not futzing with requests.
In conclusion: DO NOT rely on browser requests to include a file in your code
Try this
$url = rtrim($url, '/');
From PHP.net http://ua2.php.net/rtrim
>
You can also specify the characters you want to strip, by means of the character_mask parameter. Simply list all characters that you want to be stripped. With .. you can specify a range of characters.
While this will solve your problem, please take a few minutes to consider the warnings posted in the comments and the other answer(s) regarding code injection since it is a very serious security issue.
Related
I have already checked quite a few other answers but to no avail.
I have been hired to fix bugs for a job that some other developer ran away from.
The application has a add comment and delete comment functionality.
The problem comes in the delete comment part. He designed the database such that all comments are simply entered into a single cell separated by pipe characters. So while deleting a comment, the entire comment needs to be placed in the url as a parameter which is then passed to the model and removed from the database.
I do know this is bad, but I cannot recode the entire functionality.
Now, when a user enters a comment such as "What's Up?", the delete comment url throws the "Codeigniter: The URI you submitted has disallowed characters." error.
I tried converting the quotes to HTML character entities but they again contain disallowed characters.
Can anybody please suggest a possible workaround for this problem?
Redesigning the database is not a viable option as I'll then have to change the extensive php code used for handling the different delimiters.
Messing with the disallowed characters list also seems to be a bad idea.
Thank you.
Open your config file and find this parameter:
$config['permitted_uri_chars'] = 'a-z 0-9~%.:_()#&-!=?';
You can change it according to your requirement or you can leave it blank.
Read the comment section in config file.
It says that: Leave blank to allow all characters -- but only if you are insane.
I am not sure if htmlentities will help.
Did you first call urlencode on just the parameters?
<?php
$query_string = 'foo=' . urlencode("What's Up?");
echo '<a href="mycgi?' . htmlentities($query_string) . '">';
?>
<a href="mycgi?foo=What%27s+Up%3F">
Also check if you need to add escape characters to any of these if they are treated as special characters by the database.
e.g. If % is treated as special character, then you may need to add a \ before it.
I need to pass filenames via the url, e.g.:
http://example.com/images/niceplace.jpg
The problem I'm having is when the file name contains a blank character, e.g.:
http://example.com/images/nice place.jpg
or
http://example.com/images/nice%20place.jpg
For these two URLs, codeigniter complains about the blank char: "The URI you submitted has disallowed characters."
How should I go about fixing this?
I know I can add the blank character to the permitted_uri_chars in config.php but I'm looking for a better solution as there might be other disallowed characters in a filename.
I figured out a solution.
The URL is generated using rawurlencode().
Then, within the images controller, the filename is decoded using rawurldecode(html_entity_decode($filename)).
I successfully tested this solution with a few special characters I can think of and with UTF-8 characters.
You can use this method:
http://php.net/urlencode
Actually, you will run into another issues, when a filename would contain & character, and a few others. urlencode would get rid of all the possible issues.
This configuration option is created to avoid some characters being passed in URI and you want to walkaround it in some cases. I think most appropriate solutions are:
Pass file name as a parameter - http://domain.com/images/?image=test.jpg
Remove all non alfanumeric characters and may be some other (dash, underscore, etc) from file name when you save it. In my opinion, it is better, because you can face other problems with some character in other cases.
One of the better way to work with url's for specified condition is to encode/encrypt your url parameters using encryption/security class in order to maintain URL security:
$encrypt=$this->encrypt->encode($param1) & $this->encrypt->decode($encrypt)
Alternatively if you want special chars to be allowed in the URL then change your config settings in config.php file.
File Location: application/config/config.php
$config['permitted_uri_chars'] = 'a-z 0-9~%.:_\-';
Add all characters in right side that you want to be allowed with your application.
I have seen plenty of people having this problem and it seems the only way to stop apache treating the encoded ampersand and a URL ampersand is it use the mod rewrite B flag, RewriteRule ^(.*)$ index.php?path=$1 [L,QSA,B].
However, this isn't available in earlier versions of apache and has to be installed which is also not supported by some hosting companies.
I have found a solution that works well for us. We have a url of /search/results/Takeaway+Foods/Inverchorachan,+Argyll+&+Bute+
This obviously breaks the url at & giving us /search/results/Takeaway+Foods/Inverchorachan,+Argyll which then gives a 404 error as there is no such page.
The url is held in the $_GET['url'] array. If it finds an & the it splits the array for each ampersand.
The following code pieces the URL back together by traversing the $_GET array for each piece.
I would like to know if this has any hidden problems that I may not be aware of.
The code:
$newurl = "";
foreach($_GET as $key=>$pcs) {
if($newurl=="")
$newurl = $pcs;
else
$newurl .= "& ".rtrim($key,"_");
}
//echo $newurl;exit;
if($newurl!='') $url=$newurl;
I am trimming the underscore from the piece as apache added this. Not sure why but any help on this would be great.
You said in a cooment:
We want the URL to show the ampersand so substituting with other characters is not an option.
Short answer: Don't do it.
Seriously, don't use ampersands this way in URLs. Even if looks pretty. Ampersands have a special meaning in a URL and trying to override that meaning because it looks nice is a very bad idea.
Most web-based software (including Apache, PHP and all browsers) makes assumptions about what an ampersand means in a URL, which you will find very hard to work around.
In particular, you will utterly confuse Google and other search engines if you've got arbitrary ampersands in the URL, so it will completely destroy your SEO rank.
If you must have an ampersand in the string, use urlencoding to turn it into a URL-friendly %26. This won't look good in the user's URL string, but it will work as intended.
If that's not acceptable, then substitute something different for ampersands; maybe the word "and", or a character like and underscore, or perhaps just remove it from the string without a replacement.
All of these are common practice. Trying to force the URL to have an actual ampersand character in it is not common practice, and for very good reason.
Take a look at urlencode :
You can also replace the "&" char with something not breaking the URI and won't be interpreted by apache like the "|" char.
We have had this fix in place for two weeks now so I believe that this has solved the issue. I hope this will help someone with a similar issue as I searched for weeks for a solution outside of an apache upgrade to include the B flag. Our users can now type in Bed & Breakfast and we can then serve the appropriate page.
Here is the fix in PHP.
$newurl = "";
foreach($_GET as $key=>$pcs)
{
if($newurl=="")
$newurl = $pcs;
else
$newurl .= "& ".rtrim($key,"_");
}
if($newurl!='') $url=$newurl;
My PHP application adds backslashes to quotes in many locations with addslashes(). Unfortunately, this adding has produced output akin to the following.
Every time I refresh my page, this string increases in number of back slashes.
don't
don\'t
don\\'t
don\\\\'t
don\\\\\\\\'t
and so on.
I want to write a function that deletes all these extra back slashes. I have tried
str_replace($text, "\\\\", "");
to no avail.
You may just use:
stripslashes($text);
$text=preg_replace('/\134+/',"\134",$text);
What happens if your actual value happens to include \\ legitimately? For instance, if your content were referring to a Windows-style share reference - \\192.168.1.1\foo. If you blindly strip out any double slashes, you'll strip out ones that are meant to be there, as well.
The "right" answer is really to not add slashes to things that don't need them. You should know whether a given value is already escaped or not (after all, you're the one controlling where every value comes from, and what it's being used for) and only add slashes when you need them.
I have a file on my server that i want to access. The filename is ken\'s book.doc
But in my db, it was stored as ken's book.doc
(I have fixed the backslash issue, but still have problems accessing the previously uploaded files on server.
I used addslashes to add the back slash but it displays it as: ken/'s book.doc (that is a forward slash instead of a backslash.
I have used:
str_replace("'", "\'", $filename);
yet it displays as a forward slash.
How can i fix this?
Thanks
EDIT
Extra Information: I am using the new value as part of a link. that is:
View
If you have a filename that contains a backslash on disk, I would fix that first. Your second problem was appearantly not using mysql_real_escape_string when storing that filename into the database (why it ended up there without backslash).
addslashes btw does not add forward slashes by itself. That part of your story is untrue. And to remove them again you wouldn't need the quirky str_replace call, but just stripslashes.
The actual problem (after your edit) turns out to be a html link. That's simply because browsers have the habit of turning backslashes into forward slashes in urls. To prevent that apply urlencode()
View