JSON Quotes Being Unescaped In POST - php

I have a piece of code that accepts a JSON string as a POST parameter. The challenge I'm having is how the string is decoded. Consider a post to mygateway.php with a field meta of:
{"test" : "One \"quote\" is as good as an escaped \"quote\"..."}
If I run:
$meta_json_string = $this->CI->post('meta', true);
The value of $meta_json_string is:
{
"test": "One "quote" is as good as an escaped "quote"..."
}
This fails to decode when run through json_decode(). Any suggestions on how to prevent CodeIgniter from unescaping the quotes so I can decode it?

Change it to this:
$meta_json_string = $this->CI->post('meta');
This way CI will not run the XSS sanitization on the string, which, being a JSON string, is too complex to reliably sanitize. Once you do the above, json_decode() it and then run $this->security->xss_clean() individually on the elements you want to echo out.
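The order of operations described in the answer above, as an added example that is not part of the original thread: decode the unfiltered field, reject it if it is not valid JSON, and escape individual values only when they are echoed. It uses PHP's htmlspecialchars() as the per-element output step in place of CodeIgniter's xss_clean() so that it runs without the framework; the function names and sample strings are constructed for the illustration.

```php
<?php
// Added example: validate and decode the raw field first, escape only at output.

// Constructed sample: the meta field exactly as the client sent it.
$raw = '{"test" : "One \"quote\" is as good as an escaped \"quote\"...", "note": "<b>5 > 3 & done</b>"}';
// The same field after its quotes were unescaped, as shown in the question.
$mangled = '{"test": "One "quote" is as good as an escaped "quote"..."}';

/** Decode a JSON object or array from a request field, rejecting anything else. */
function decode_meta(string $json): array
{
    $data = json_decode($json, true, 16); // depth limit for untrusted input
    if (!is_array($data)) {
        throw new InvalidArgumentException('meta is not a JSON object or array: ' . json_last_error_msg());
    }
    return $data;
}

/** HTML-escape every string leaf; call this when the values are about to be echoed. */
function escape_leaves(array $data): array
{
    array_walk_recursive($data, function (&$value) {
        if (is_string($value)) {
            $value = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        }
    });
    return $data;
}

// The filtered string is no longer JSON, so decoding fails and is reported.
try {
    decode_meta($mangled);
} catch (InvalidArgumentException $e) {
    echo 'mangled input rejected: ', $e->getMessage(), "\n";
}

$meta = decode_meta($raw);    // the unfiltered string decodes cleanly
$safe = escape_leaves($meta); // escaped copy, for HTML output only

echo $meta['test'], "\n";     // value as stored and processed
echo $safe['test'], "\n";     // value as written into an HTML page
echo $safe['note'], "\n";
```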

Related

How to find another way of using "&" in post request in Swift

I am doing a POST HTTP request in Swift 4.2, and one of the Strings I put in the parameters contains "&", but apparently the request gets cut off after this symbol. I thought about replacing every "&" symbol with a unique placeholder and converting it back in PHP.
But is there a more elegant or easy way of doing this?
URL encode your data (and decode it when you need to use it), that will make the ampersand into %26 which will stop it cutting off in your GET request.
You could replace the "&" with "%26" and then it has to work :)
All percent-encoding characters:
https://en.wikipedia.org/wiki/Percent-encoding#Percent-encoding_reserved_characters
You should probably minimize how much manual percent escaping you do. You might, for example, use URLComponents to build your URL and percent escape it for you:
guard var components = URLComponents(string: "http://example.com") else { return }
components.queryItems = [URLQueryItem(name: "foo", value: "bar&baz")]
let url = components.url
That will result in:
http://example.com?foo=bar%26baz
The ampersand, as well as a few other characters, needs to be encoded if it is within a query parameter, otherwise it could be recognized as a delimiter of some sort.
You can encode a string for a query param in Swift like this:
var allowed = CharacterSet.urlQueryAllowed
allowed.remove(charactersIn: "&=+") // .urlQueryAllowed alone leaves these delimiters unescaped
let value = string.addingPercentEncoding(withAllowedCharacters: allowed) ?? "" // unwrap the Optional result
let urlString = "https://example.com/?query=\(value)"
On the other side, your server will receive the encoded param value but will need to decode it.
PHP includes the urlencode() and urldecode() functions, and Swift includes the .addingPercentEncoding function.
This means you can replace the '&' symbol with its encoded version, which is '%26', or you can use Swift's function.
Then when you receive this value you can use urldecode( $escapedString ), or just replace '%26' with '&', or just pull the values straight from the request with $_GET.

json_encode remove backslash

I get a JSON-encoded array from the DB, change one field and save it again, but json_encode removes the \ and afterwards I can't see the text on my site.
$data_de=json_decode($row["data_json"], true);
$data_de[$ref."_visits"]++;
$datast=json_encode($data_de);
For example, if before the code the value in the DB was:
{"7_id":"7","7_name":"\u05d1\u05d3\u05d94","7_coded":"","7_visits":"0"}
the value after is:
{"7_id":"7","7_name":"u05d1u05d3u05d94","7_coded":"","7_visits":"1"}
How can I prevent the removing of the backslashes?
To prevent removing of backslashes use this code in your json encode:
json_encode($data_de, JSON_UNESCAPED_SLASHES);

Will php's json_encode() always use double quotes as string delimiter?

I have a php associative array containing strings as values and I encode it to JSON and store it in an html-data attribute. That is read by some JS.
So far so good.
Now, I need to use single quotes for the data attribute, otherwise the context switches.
<section id="settings" data-settings='{"some":"val"}'>
</section>
The question is, can I rely on the json_encode() function of php to encode strings always with double quotes? Surprisingly, I can't seem to find information on this. I only find articles from people having issues with quotes in the array values.
Thanks in advance.
Yes, as defined in the JSON spec, the delimiter will always be ". However, values may contain ' characters, which would break your HTML. To keep it simple and not worry about what might or mightn't pose an issue, HTML-escape your values!
<section data-settings="<?= htmlspecialchars(json_encode($foo)); ?>"></section>
This is guaranteed to work, always, no matter what values you pipe in or how you encode them.
NOTE that htmlspecialchars will by default only encode ", not '; so you must use " as the delimiter in HTML (or change the default escaping behavior).
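The attribute-context problem discussed above, as an added example that is not part of the original thread: the weak form writes raw JSON into a single-quoted attribute, and two corrected forms follow (HTML-escaping both quote types, or letting json_encode() emit \u escapes via its JSON_HEX_* flags). The settings values and function names are constructed for the illustration.

```php
<?php
// Constructed sample: values containing both quote types and markup.
$settings = ['some' => "it's a \"val\"", 'tag' => '</section><b>'];

/** Weak: raw JSON in a single-quoted attribute; an apostrophe in a value ends the attribute early. */
function attr_weak(array $settings): string
{
    return "<section id=\"settings\" data-settings='" . json_encode($settings) . "'></section>";
}

/** Corrected (a): HTML-escape the JSON, including both quote types, in a double-quoted attribute. */
function attr_html_escaped(array $settings): string
{
    $json = json_encode($settings);
    $attr = htmlspecialchars($json, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<section id="settings" data-settings="' . $attr . '"></section>';
}

/** Corrected (b): JSON_HEX_* turns ' " < > & inside values into \uXXXX, so the
 *  single-quoted attribute the question asks for cannot be closed by a value. */
function json_for_single_quoted_attr(array $settings): string
{
    return json_encode($settings, JSON_HEX_APOS | JSON_HEX_QUOT | JSON_HEX_TAG | JSON_HEX_AMP);
}

$hex = json_for_single_quoted_attr($settings);

echo attr_weak($settings), "\n";
echo attr_html_escaped($settings), "\n";
echo "<section id=\"settings\" data-settings='" . $hex . "'></section>\n";

// Checks: (a) round-trips through HTML entity decoding, (b) still decodes to the
// same array and contains none of the characters that matter in this context.
$json = json_encode($settings);
$attr = htmlspecialchars($json, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
var_dump(html_entity_decode($attr, ENT_QUOTES | ENT_HTML401, 'UTF-8') === $json);
var_dump(json_decode($hex, true) === $settings);
var_dump(strpbrk($hex, "'<>&") === false);
```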
Double quotes are just a convention, standard in JSON in many languages. So if you want to store JSON in an HTML attribute with double quotes, you can encode it.
In PHP
$encoded_json = base64_encode(json_encode($var));
In HTML
<section id="settings" data-settings='<?=$encoded_json?>'>
In JS
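// read the Base64 value back from the data attribute before decoding it
var variable = JSON.parse(atob(document.getElementById('settings').dataset.settings));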

How to remove escaping in PHP?

I have this URL parameter:
KKe%7bZoE_%24g)tjm%40
When I put it into a variable and echo it, the result is:
KKe{ZoE_$g)tjm#
How to avoid that?
Data in $_GET is already URL-decoded. If you require the original string, get it from $_SERVER['QUERY_STRING']. Note that you will have to process the query string yourself though, including breaking down the individual components.
Alternatively, use rawurlencode($_GET[..]) to re-encode the value; which may or may not produce slightly differently encoded values than you originally got.
Test it with html_entity_decode - it helped me a lot with my inputs.
If the string is not shown as it is, you have urlencode() or htmlentities() somewhere in your code. Check that, you shouldn't encode html entities before echoing if you want the string to be intact.

Make Json parsable by php

I have some weirdly formatted json string which is invalid json, but executes as valid javascript. This means PHP json_decode, will not work.
{
"Devices":{
"Device1":"{ \"Name\"=\>\"AutoTap LDVDS\",\"ID\"=\>\"LDVDSDevice\"}"
}
}
The backslashes are not valid. Is there some way I can escape this string so it can be re-encoded exactly the same as it came in?
Edit: I don't care about parsing the messy string at all. It's preventing me from accessing other data. I was doing a simple regex to strip the ugly strings out of the JSON before parsing it. But now I need to re-encode the result array back into JSON and I want to avoid losing this data. The ugly string should remain exactly the same, as it may be important to some other application that uses this data.
The => comes from ruby object notation in case you are wondering.
Well, it's those weird escaped > that are killing it: \>
I see no reason why you can't str_replace them out of existence safely with a simple:
<?php
$code='{
"Devices":{
"Device1":"{ \"Name\"=\>\"AutoTap LDVDS\",\"ID\"=\>\"LDVDSDevice\"}"
}
}';
$code=str_replace('\\>','>',$code);
var_export(json_decode($code));
But then, you know the domain of your data.
And you should apply a grain of salt before applying that blindly to all your inputs.
You could run stripslashes on it, and then pass that string into json_decode.
