I have a php file which doesn't establish database connection.
When I pass an url as a param like
http://mydomain.com?q=http%3A%2F%2Fmyoranotherdomain.com
It shows a 403 error:
You don't have permision to access blahblah.php file.
And when I remove the http part in param, it's alright like
http://mydomain.com?q=myoranotherdomain.com
How can I let domains be passed in the url as params?
The easiest way is to encode the url with:
string urlencode ( string $str )
http://php.net/manual/en/function.urlencode.php
You also have to do the decode:
string urldecode ( string $str )
http://php.net/manual/en/function.urldecode.php
It's always this methode to encode parameter with special characters.
Final Solution:
I found this: I get a 403 error when submitting "http://www." via GET. Even if it's encoded beforehand. Is there a solution for this?
The answer is to replace the http://www String with something like: htpwwwashere in javascript and replace it again in your php.
The reason - according to the link above - is some security stuff like to prevent injection attacks on the pages they're serving up.
Related
I want to use the GET method to send a string to the receive page, but if the string includes '#', the receiver page can only get the sub string before the '#'.
As the following example:
test
When I click the 'test' link to open the 'test.php' page, which has the following code:
<?php
if(isset($_GET["q"])) {
echo $_GET["q"];
}
?>
It only display 'string1' on the page, '#string2' is missing.
So I want to know what happened to the string, and how to fix this problem.
Thank you for any help!
=======Update===========
With the help of #Eric Shaw and #JP Dupéré, I know how to fix this problem.
The simplest way is encoding the string before using the get method.
To encode the query string, you can:
use urlencode() in PHP, and urldecode() can decode the string.
use encodeURIComponent() in JavaScript, and decodeURIComponent() can decode the string.
Try
urlencode("string1#string2")
before calling GET.
The #foo is used to jump to an <a name="foo"/> tag on the page, rather than viewing the top of the page when the browser loads it.
The stuff after the # is processed by the browser and NOT sent to the server.
You can escape the # and the escaped version will be sent to the server, i.e.
test
will do what you want I think
This escaping is also a common technique to get the # passed along in the URL for redirectors.
I encode a url having GET parameters using base64 and then decode it back to get the same url back. The string I receive is.
task_type=all&keyword=asdfsd&location=Vasant Kunj&category=17&subcategory=19&price[]=&price[]=100&price[]=300&price[]=500&price[]=above&educations[]=&educations[]=22&educations[]=29&industry[]=&industry[]=1&industry[]=7&experience=6&freshness=1
Now how can I get the original $_GET array back so that I can use it. Or any other way of getting all the parameters so that I can use them. Or any other better way to encode and decode so that original url is not visible to the user.
All help appreciated. Thanx in advance.
As you are encoding the url having GET parameters using base64 you will not be able to get exact GET parameters. But after decoding it you are getting the query string back as you have mentioned, So in this case you can use parse_str(), see doc
Example:
$queryString = "task_type=all&keyword=asdfsd&location=Vasant Kunj&category=17&subcategory=19&price[]=&price[]=100&price[]=300&price[]=500&price[]=above&educations[]=&educations[]=22&educations[]=29&industry[]=&industry[]=1&industry[]=7&experience=6&freshness=1";
parse_str($queryString, $getParamsArray);
var_dump($getParamsArray);
I guess this is what you were looking for...
There is a string XX&YY and I'm passing it to another page. ie, localhost/sample/XX&YY/1 for some processing. Now when I try getting the name value on the other side I'm able to get only XX and not full XX&YY. How to rectify it? Any ideas?
Note : here is my url localhost/sample.php?name=somevalue&pageno=somevalue has been url re-written to localhost/sample/name/pageno.
You have to escape the URL . You can use rawurlencode() or urlencode() to encode your URL.
sidenote: Difference of the 2 functions
If I'm understanding correctly, this is the URL to your script:
http://localhost/sample/name/pageno
Which is then rewritten by your web server to this:
http://localhost/sample.php?name=somevalue&pageno=somevalue
Then, this is how you should format the URL:
$url = sprintf('http://localhost/sample/%s/%s',
urlencode('XX&YY'),
urlencode('1')
);
I have been using URL decode on encoded URL variables from $_get.
The current problem I am facing is I have a URL encoded like this:
blah.php?url=http%3A%2F%2Fm.youtube.com%2F#/watch?feature=player_embedded&v=zd7c5tQCs1I&desktop_uri=%2Fwatch%3Fv%3Dzd7c5tQCs1I%26feature%3Dplayer_embedded
I'm not sure what kind of encoding this is, can someone help me? When I use just "urldecode" on this it just returns m.youtube.com
Edit: My problem is not that url decode isn't working, it works if I manually enter this encoded URL and use urldecode(), but when this encoded url is in the actual pages url and I use the _GET function then I try to decode it it stripes off everything after the "#" in the URL.
<?php print urldecode($_GET["url"]);?>
It returns
"http://m.youtube.com/"
instead of
"http://m.youtube.com/#/watch?feature=player_embedded&v=zd7c5tQCs1I&desktop_uri=/watch?v=zd7c5tQCs1I&feature=player_embedded"
I think the issue is that the pound sign is not encoded, if I refresh the page it strips away the pound sing and everything after it, so how do I get around this? Can I still retrieve the info from "GET" even though there is a pound sign? (#)
The problem is that the full link has multiple = signs, and browser cant determine, that the other = signs refer just to the url= parameter.
in your case, at first, you need to use function before link is given to url= parameter:
========================= 1) JAVASCRIPT ======================
<script type="text/javascript">
var mylink = encodeURIComponent('http://testest.com/link.php?name=sta&car=saab');
document.write("http://yoursite.com/url=" + mylink);
</script>
========================= 2)or PHP ===========================
<?php
$mylink = 'http://testest.com/link.php?name=sta&car=saab';
echo 'http://yoursite.com/url='.urlencode($mylink);
?>
so, your output (url parameter) will get like this
http://yoursite.com/url=http%3A%2F%2Ftest.com%2Flink.php%3Fname%3Dsta%
so, the url parameter will get the encoded url.
after that, your .php file needs to decode that "url" parameter-
<?php
$varr = $_GET['url'];
$varr = preg_replace("/%u([0-9a-f]{3,4})/i","&#x\\1;",urldecode($varr));
$varr = html_entity_decode($varr,null,'UTF-8');
echo $varr;
?>
that will give you the correct value
I read on php.net about urldecode function and they say that superglobal $_get is already decoded, ex: "The superglobals $_GET and $_REQUEST are already decoded. Using urldecode() on an element in $_GET or $_REQUEST could have unexpected and dangerous results."
It is encoded into ASCII format .
see http://www.w3schools.com/tags/ref_urlencode.asp
So here is the problem, the pound sign (#) (Hash) wasn't encoded... since I can't go back and re-encode it I have to use javascript (ex. alert(window.location.hash);) to send me the full URL after the hash then I append it to PHP's version of the URL, I THEN use a find and replace function in PHP to replace the "#" with "%23", then I use the urldecode method and it returns the full proper url decoded.
This encoding is called percent encoding or URL encoding. You can use urldecode for decoding it. (Example: http://phpfiddle.org/lite/code/0nj-198 )
My variable with javascript looks like this:
var email = encodeURIComponent($('input[name=\'email\']').val())
email is clearly being encoded and is producing this when sent to server: email%2540yahoo.com
What function in PHP will decode this value properly?
I've tried using html_entity_decode
The correct url encoding for # is %40.
When a url, for example from an e-mail, with the encoded # character in it, is redirected using a rewrite rule, it will be rewritten as %2540 (the % is encoded as %25). If you keep rewriting / redirecting, you will replace % with %25 each time, ending up with %25252540 (or more 25, you get the picture).
For example clicking this:
http://example.org?email=info%40example.org
Will produce after a rewrite and redirect using a rewrite rule:
https://example.org?info%2540example.org
in the browser address bar, which does not correctly translate to info#example.org in php.
What function in PHP will decode this value properly?
You don't need to decode anything. $_GET["email"] and $_POST["email"] will work just fine. The encodeURIComponent function is used to properly url encode a url to avoid having invalid urls. If you have a valid url, PHP will successfully be able to read the parameters.
echo urldecode(urldecode('email%2540yahoo.com')); // email#yahoo.com
Try urldecode(<value_to_decode_here>);