Suppose I do
http://site.com/something?url=http://lol.com/lol
are there any advantages (eg security etc) of doing
'http://site.com/something?url=' . urlencode('http://lol.com/lol');
instead of just passing in an unencoded version of the url in? Why should I urlencode something passed via GET instead of just passing in an uncoded version (though of course if the url param has & or ? or = in it then I should definitely encode it...but suppose they don't, why should I encode them)
There are characters which have special meaning in URLs. Those characters will have special meaning in the outer URL (instead of the inner URL where they belong) if you pass them without encoding.
For example, if you want to pass
http://example.com/foo?1=2&3=4
And you don't encode it, then you will get:
http://example.com/?url=http://example.com/foo?1=2&3=4
with
url is http://example.com/foo?1=2
3 is 4
suppose they don't, why should I encode them
Because then you have to look at every URL you pass to decide if it needs encoding or not.
Always encoding is much simpler and less error prone then deciding on a case by case basis.
as long as i know the second sample is pretty good if you have the probalability to use unicode characters in your url.
Related
I have a site that allows users to create a page based on user input example.com/My Page
The problem is if they create a url like example.com/H & E Photos or example.com/#1 Fan Club
Once php decodes the url, it tries to parse those characters into a hash (or a query string in the case of ?)
In my .htacess I am doing this ([^/]+?)
What is the typical way of handling a situation like this? Ideally, without going to an id system (example.com/131234121). Poor planning on my part :(
EDIT. Talking about PHP here. url is encoded when it hits the server, php decodes before parse regex and url
If you are using PHP to create/handle storing entries for user-entered-URLs then use htmlentities on the string before trying to handle it.
https://www.php.net/manual/en/function.htmlentities.php
https://www.w3schools.com/php/func_string_htmlentities.asp
Apparently, what I was looking for was a rewrite flag.
http://httpd.apache.org/docs/2.2/mod/mod_rewrite.html#rewriteflags
B Escape non-alphanumeric characters before applying the transformation.
This allows you to send percent-encoded strings to the URL without them being decoded beforehand.
So it was actually an apache thing and not PHP. Sorry for the misleading question.
I've been coding in PHP for a while, and this is the first time I came across this issue.
My goal is to pass a GET variable (a url) without encoding or decoding it. Which means that "%2F" will not turn to "/" and the opposite. The reason for that is that I'm passing this variable to a 3rd party website and the vairable must stay exactly the way it is.
Right now what's happening is that this url (passed as a GET variable):http://example.com/something%2Felse turns into http://example.com/something/else.
How can I prevent php from encoding what's passed in GET?
Apache denies all URLs with %2F in the path part, for security reasons: scripts can't normally (ie. without rewriting) tell the difference between %2F and / due to the PATH_INFO environment variable being automatically URL-decoded (which is stupid, but a long-standing part of the CGI specification so there's nothing can be done about it).
You can turn this feature off using the AllowEncodedSlashes directive, but note that other web servers will still disallow it (with no option to turn that off), and that other characters may also be taboo (eg. %5C), and that %00 in particular will always be blocked by both Apache and IIS. So if your application relied on being able to have %2F or other characters in a path part you'd be limiting your compatibility/deployment options.
I am using urlencode() while preparing the search URL
You should use rawurlencode(), not urlencode() for escaping path parts. urlencode() is misnamed, it is actually for application/x-www-form-urlencoded data such as in the query string or the body of a POST request, and not for other parts of the URL.
The difference is that + doesn't mean space in path parts. rawurlencode() will correctly produce %20 instead, which will work both in form-encoded data and other parts of the URL.
Hex base16 encoding it is part of the HTTP protocol you cant prevent it else it would break the actual HTTP socket request to the server.
Use:
urlencode() to encode
urldecode() to decode
Please show an actual example of how you are sending the url to the 3rd party.
As it should read http%3A%2F%2Fexample.com%2Fsomething%2Felse not just the odd %2F like in your example.
I let users write and then post what they have written to my MYSQL database, using PHP. I have been sending the strings as URLs and then $_GET['string'] in the php and then putting them in the database. I always have to take care of the spaces in the string by replacing them with %20. And then I had to replace all kinds of different characters on top of that in order for the URLs to work. This is a losing battle and the users expect their strings to be saved but if they contain a character I have not thought of, this will not be the case. I have even tried sending along the strings as NSData in a POST but that did not seem to save the strings either.
How can I be sure the users' strings will save, no matter what crazy characters they type?
Thanks,
R
Encode your data using NSUTF8StringEncoding before sending it to the server, and always use POST to send data to the server instead of GET. Also, it's a good idea to stop using ASCII altogether and to replace it with Unicode wherever you use strings. UTF-8 is a very convenient and compact Unicode encoding.
How can I post a full URL in PHP?
For example:
I have a form allowing individuals to submit a long url. The resultant page is /index.php?url=http://www.example.com/
This is fine for short URLs, but for very long and complex URLs (like those from Google Maps) I need to know how to keep all of the data associated with variable url.
You need to percent encode the string — otherwise characters which have special meaning in URIs will have that special meaning instead of being treated as data.
http://php.net/urlencode
If users submit this data via a form, then it will be automatically encoded.
If you plan to include the URI in a link in an HTML document, then don't forget to convert special characters to HTML entities.
You sort of answer your own question:
How can I post a full URL in PHP?
If very long URLs are getting truncated by the users' browsers, your only option is to re-work your system to POST the URL to your script, as opposed to passing it in the query string.
If there is some condition that frustrates the use of a POST request, you should update your question with more detail about what your system does.
I have a website that uses the facebook, twitter, delicious share links. They contain a a url encoded url of the website that you wish to share. The problem is I then want to send the facebook/twitter/delicious url through a php redirect page.
Will it work to encode a url within an encoded url? Will there be side effects?
To simplify my question:
www.website.com/redirect.php?url=" URLENCODED (http://www.facbook.com/sharer.php?t='URLENCODED(title)'&u='URLENCODED(http://www.hotel.com)')
You can encode a string multiple times with the percent encoding and get the original value by decoding it the same amount of times:
$str = implode(range("\x00", "\xFF"));
var_dump($str === urldecode(urldecode(urldecode(urlencode(urlencode(urlencode($str)))))));
Here the value of $str is encoded three times and then decoded three times. The output of that repeated encoding and decoding is identical to the value of $str.
So try this:
'http://example.com/redirect.php?url='.urlencode('http://www.facbook.com/sharer.php?t='.urlencode('title').'&u='.urlencode('http://www.hotel.com'))
You should be able to recursively encode the URL as many times as you want. If you encode a character like / repeatedly you will get:
0: /
1: %3F
2: %%3F
3: %%%%3F
etc.
It's all right to add a second layer of URLEncoding. The idea of URLEncoding is to prevent the server from misinterpreting any special characters that may be present in a text string. However, the receiving script must expect an extra layer of urlencode(), and act accordingly.
Or if you know the string has been urlencoded, couldn't you simply pass it along as-is? No further urlencoding is necessary.
Or just urldecode the title and URL, then urlencode the whole string.
As mentioned earlier you can encode urls as much as you like but you should know the more times you encode url data the more it'll increase in length may be up two twice in length. which will be annoying for users if it is too long. also there may be a limitation on url length on some browsers.
Also on the server side there will be an overhead encoding and decoding the data.
In short you should really be sure you need it before encoding/decoding multiple times.