I have an application that posts content to a MySQL DB via PHP. The PHP uses $_GET to pull the content from the URL and then inserts it into the DB.
This works great, but I have discovered an issue. If the user enters certain characters (", &, and others), the $_GET method does not properly separate the content from the URL.
Let's say the user posts this content:
I love blue & green
In this situation, the & symbol cuts the string after the word blue.
Is there any way for me to edit my PHP file to ignore the & symbol and to actually treat it as part of the variable it is supposed to $_GET? Any help would be great!
You can URLencode data before sending it to the PHP. It's a better solution.
Specials chars must not be used in a query string if those chars are in data.
In Javascript, you can use the escape function : escape(&ee) will give %26ee
The correct method is to urlencode the "&" caracter by the client : pass "%26" instead of "&"
you can use $_SERVER['QUERY_STRING']
from http://php.net/manual/en/reserved.variables.server.php
You could send the request as a base64 encoded string:
$string = base64_encode("This is my long string with &ersands and 'quotes'");
print base64_decode($string);
Note that base64-encoded data takes about 33% more space than the original data.
From the manual:
http://php.net/manual/en/function.base64-encode.php
You also have urlencode
try to urlencode your string:
&
becomes
%26
it's a PHP function :
http://php.net/manual/fr/function.urlencode.php
What about, before creating Query string, encode it ?
$str = "I love blue & green ?=&˙Đ[]";
$str = urlencode($str);
echo $str;
Will return:
I%20love%20blue%20%26%20green%20%3F%3D%26%CB%99%C4%90%5B%5D
You have to URL encode the string before you pass it as a GET parameter. In this particular case you have to replace & symbol with %26.
This can be done for example using javascript right before you send the form.
Related
I am doing a post HTTP request in swift 4.2 and in one of my Strings I put in the parameters contain "&" but apparently the requests gets cut off after this symbol. I thought about replacing every "&" symbol with a unique placeholder and convert it back in PHP.
But is there are more elegant or easy way of doing this?
URL encode your data (and decode it when you need to use it), that will make the ampersand into %26 which will stop it cutting off in your GET request.
You could replace the "&" with "%26" and then it's have to work :)
All Precent-encoding characters:
https://en.wikipedia.org/wiki/Percent-encoding#Percent-encoding_reserved_characters
You should probably minimize how much manual percent escaping you do. You might, for example, use URLComponents to build your URL and percent escape it for you:
guard var components = URLComponents(string: "http://example.com") else { return }
components.queryItems = [URLQueryItem(name: "foo", value: "bar&baz")]
let url = components.url
That will result in:
http://example.com?foo=bar%26baz
The ampersand, as well as a few other characters, need to be encoded if they are within a query parameter otherwise they could be recognized as a delimiter of some sort.
You can encode a string for a query param in Swift like this:
let value = string.addingPercentEncoding(withAllowedCharacters: .urlQueryAllowed)
let urlString = "https://example.com/?query=\(value)"
On the other side, your server will receive the encode param value but will need to decode it.
PHP includes the urlencode() and urldecode() functions, and stift includes the .addingPercentEncoding function.
This means you can replace with the encoded version of the '&' symbol which is '%26', or you can use swift's function
Then when you recieve this value you can use urldecode( $escapedString ), or just replace '%26' with '&', or just pull the values stright from the request with $_GET.
I am working on a project and a lot of my variables need to contain special characters such as {}[].'"!?/\=+- and many more what is the safest way to pass these variables back and forth between SQL, PHP, and output? and how can I prevent a variable from interfering with my code? Ie:
<?php
echo $var;
echo '$var';
echo "$var";
?>
The best way would be to URL encode your data as soon as it is supplied. Then store it and when you are using it, urldecode it.
Something like
string urlencode ( string $str )
To encode and
string urldecode ( string $str )
To decode. This changes your "special" characters into safe characters.
In PHP, the name of a variable cannot contain special characters (other than the initial dollar sign $ and underscores _). The value of a variable can contain whatever you'd like so long as you follow the rules of defining PHP strings.
The variable values won't interfere with your code. If you're concerned about it interfering with your output HTML, use htmlspecialchars as Rocket Hazmat suggested in the comments.
You can use PDO/MYSQL for isnerting the data into the database..
For converting into html entites you can use htmlchars() function.
An example:
<?php
${'[\*var'} = 1;
echo ${'[\*var'};
https://3v4l.org/5Dr93
For some reason when preg_replace sees ¬ in string and replaces it with ¬:
$url= "http://something?blah=2&you=3&rate=22¬hing=1";
echo preg_replace("/&rate=[0-9]*/", "", $url) . "<br/>";
But the output is as follows:
http://something?blah=2&you=3¬hing=1 // Current result
http://something?blah=2&you=3¬hing=1 // Expected result
Any ideas why this is happening and how to prevent it?
& has special meaning when used URIs. Your URI contains ¬, which is a valid HTML entity on its own. It's being converted to ¬, hence causing the trouble. Escape them properly as ¬ to avoid this problem. If your data is fetched from elsewhere, you can use htmlspecialchars() to do this automatically.
Use this & in place of this &
because your &no has special meaning
use this url :
http://something?blah=2&you=3&rate=22¬hing=1
and then do your replace accordingly
i am trying to send a value through link and get the value on other file using $_GET but the problem is the value has & in between two words and in url its coming like
list.php?v=Bakery%20&%20Cake%20Design
and when i echo this value in second page it come out to be bakery instead of bakery cake & design . Since i am sending this value from the first page via jquery on click i tried using encodeURI() to remove the %20 from the link but it still does't helps as the part after %20 & is not being printed on second page when i echo the value. my jquery code is
var vendor = $(this).text().replace(/\s/g,"%20"); in this i tried to remove it via replace too . But still no help .
You dont need to remove %20
just check that there should not be any space between the variable and the value!
This will produce %20 :
echo '<td><b><font color="#663300">Deactivate User</font></b></td>';
This will not:
`echo '<td><b><font color="#663300">Deactivate User</font></b></td>';`
Reason : just a whitespace between (php?id ='.$row)
On the JS side you need to use encodeURIComponent() on the item with the ampersand like.
var title = encodeURIComponent('bakery cake & design'); // bakery%20cake%20%26%20design
As opposed to encodeURI which:
Note that encodeURI by itself cannot form proper HTTP GET and POST requests, such as for XMLHTTPRequests, because "&", "+", and "=" are not encoded, which are treated as special characters in GET and POST requests. encodeURIComponent, however, does encode these characters. These behaviors are most likely not consistent across browsers.
Use the URL Decoder function
echo urldecode("A%20B") // will print 'A B'
I have this URL-
http://localhost/app_demo/sample.php?jsonRequest={"GenInfo":{"type":"Request","appname":"XXX","appversion":"1.0.0"},"searchDish":{"userId":"295","dishName":"","est":"Pizza & Wings","location":"","type":"","priceRange":"","deviceos":"value","deviceId":"<UDID>","deviceType":"value","pageNo":"1"}}
when I hit this URL and print
print_r($_REQUEST['jsonRequest']);
string print only upto
{"GenInfo":{"type":"Request","appname":"XXX","appversion":"1.0.0"},"searchDish":{"userId":"295","dishName":"","est":"2 Pizza
I search the net but did not get the answer.What is solution for this?
please help,
thanks.
A query string is normally composed of key/value pairs, the start of a query string is the question mark (?), and then all pairs are separated with an ampersand (&). Having an ampersand in your value is like starting a new parameter.
However, this is not the right way to do this. You shouldn't put JSON in the query string.
If you really must have an ampersand in the query string, use %26 and not &. %26 which is the hex value for the ampersand.
You should make a POST request instead of a GET request:
Encoding collisions
URI length limit
The character "&" is the problem, because it is reserved. (is the query string params separator)
You must "urlencode" your string before use it on your GET request. So characters like & are converted. But as jValdron point it you shouldn't put JSON in the query string, but you can do it.
So you urlencode the string:
$url = 'http://localhost/app_demo/sample.php?jsonRequest=';
$jsonRequest = urlencode('{"GenInfo":{"type":"Request","appname":"XXX","appversion":"1.0.0"},"searchDish":{"userId":"295","dishName":"","est":"Pizza & Wings","location":"","type":"","priceRange":"","deviceos":"value","deviceId":"<UDID>","deviceType":"value","pageNo":"1"}}');
$url .= $jsonRequest;
And then you urldecode
print_r(urldecode($_REQUEST['jsonRequest']));
Again, you shouldn't put JSON in the query string.