I have a page that receive via GET a base64 encoded data, it print data in an input hidden and it pass via get to another page.
The problem is this: when i pass
"Peuq/0X4XhFV+XNa8T06qFrP8lRadORUQBGJ1w6D4m33Jaqx/skKDEJIxjldBrcklboL/uB4C65cjz3BHMPmd3moEJ4GTK5k5Jwf9Ny4BA467bwgeaHJuOS+CjwFlIOzrhSWHTMVl4zWVvwMauuFAjhuMjOOj0/X5L12IcwGTTqLgHo"
via GET it becomes
"Peuq/0X4XhFV XNa8T06qFrP8lRadORUQBGJ1w6D4m33Jaqx/skKDEJIxjldBrcklboL/uB4C65cjz3BHMPmd3moEJ4GTK5k5Jwf9Ny4BA467bwgeaHJuOS CjwFlIOzrhSWHTMVl4zWVvwMauuFAjhuMjOOj0/X5L12IcwGTTqLgHo"
...so openssl can't work. How can I solve it?
Base64 can output + signs which are interpreted as spaces when sent in the URL. You can use urlencode to mitigate this:
<?php
$base64_data = $_GET['base64'];
$url_data = urlencode($base64_data);
$field_data = htmlspecialchars($url_data);
printf('<input type="hidden" value="%s" name="pass-it-on">', $field_data);
?>
On page two:
<?php
$base64_data = $_GET['pass-it-on'];
$real_data = base64_decode($base64_data);
?>
Note that there's no need to decode the htmlspecialchars ur urlencode calls since this is done automatically.
Certain characters in the URL are special, like + which stands for a space. To send arbitrary data via the URL, you need to URL escape it to avoid characters contained in the data being recognized as "special characters". Since you're putting the data into HTML, you also need to HTML-escape it to avoid characters in the URL-encoded data being recognized as special HTML characters. Hence:
$data = /* some data */;
$base64Data = base64_encode($data);
$urlData = urlencode($base64Data);
$htmlData = htmlspecialchars($urlData);
printf('<input type="hidden" value="%s" name="pass-it-on">', $htmlData);
Related
I have a little static function so that I can easily build html valid urls on my local website, it is below;
public static function url($path = false) {
// Build return url with special html characters escaped
return 'http://127.0.0.1/' . htmlspecialchars($path);
}
I have two urls one inside an anchor and another is inside a form action, they are below;
Root::url('test?category=' . $category . '&index=' . $index) // Href
Root::url('test?category=' . $_GET['category'] . '&index=' . $_GET['index']) // Form
GET === $, you can see inside my static function that I use htmlspecialchars to escape special html characters from my url.
The anchor one returns a valid link and works as expected. The form one however returns the following, as in when I click on the form submit, my url in my browser is as follows.
http://127.0.0.1/test?category=innate&index=0
Why is this? My website breaks because it is dependant on the GET parameters being valid.
Thanks for your time, hope this made sense.
EDIT
I insert the return value of the function call straight into my form action,
<form
action="<?= Root::url('test?category=' . $_GET['category'] . '&index=' . $_GET['index']); ?>"
method="post">
EDIT
The form html is as follows;
<form action="http://example.com/test?category=innate&index=0" method="post">
The anchor html is as follows
<a href="http://example.com/test?category=innate&index=0">
Could it be something to do with the server sending a POST request even though I have GET parameters?
EDIT #3
Ok so it has something to do with my function or what I am passing in, I hard typed in the url in the form submit and it worked, no problems, which means it can only be what my function is returning.
I myself cannot see what I may be!
ANSWER
After the form was being submitted, I was redirecting to the same page using header to counter form resubmission. The string for the header was being generated by Root::url().
Two hours this took me to figure out, but boy does it feel good!
Normally you wouldn't add a query string to a POST URL. It's not forbidden, though, it may only be somewhat confusing, especially if you use $_REQUEST (which you don't, it seems).
I don't know why your browser shows an uninterpreted &, it should interpret it.
Your problems are likely due to one of these:
a bad browser - try another one
bad content of the form input fields
other
This is quite logic.
I assume your url() method looks like this:
url($string){
echo htmlspecialchars($string);
}
Let's have a look at the $string you are passing:
'test?category=' . $_GET['category'] . '&index=' . $_GET['index'];
As I see in your output, replacing the values, the final string before htmlspecialchars() occur would be:
'test?category=innate&index=0' and after it: test?category=innate&index=0
What happened here? you first concatenated the string, and then htmlspecialchars()'ed the & used to separate the parameters. And to not break the url, you don't want to convert THAT '&'.
Also to sanitize the url you shouldn't use htmlspecialchars() because most html entities would convert to somthing like & + somename + ; for example the Euro symbol would convert to € and you don't want the actual & symbol in your url, the browsers will interpret it as you have another new parameter awaiting.
You should use urlencode(), which will convert your & into: %26 , also, the function's name is self-explanatory, it's encoding a string to use on a URL.
Still, you want the & to separate the parameters, but not in the $GET values. What should we do? to urlencode the values before concatenating the string. I would suggest a method like this one:
function url($page, $get){
$parameters = array();
foreach($get as $k => $v) $parameters[] = urlencode($k)."=".urlencode($v);
//We are concatenating with ? and & the urlencoded() values in the next line:
echo urlencode($page).'?'.implode('&', $parameters);
}
url('test', $_GET); // outputs: test?category=innate&index=0
This would get rid of the special chars from a form's field names and values.
I noticed you will use 2 fixed parameters, category and index, so the method could be like this:
function url($page, $get){
$page = urlencode($page);
$category = urlencode($get['category']);
$index = urlencode($get['index']);
echo "$page?category=$category&index=$index";
}
Hope this is what you needed
I have been using URL decode on encoded URL variables from $_get.
The current problem I am facing is I have a URL encoded like this:
blah.php?url=http%3A%2F%2Fm.youtube.com%2F#/watch?feature=player_embedded&v=zd7c5tQCs1I&desktop_uri=%2Fwatch%3Fv%3Dzd7c5tQCs1I%26feature%3Dplayer_embedded
I'm not sure what kind of encoding this is, can someone help me? When I use just "urldecode" on this it just returns m.youtube.com
Edit: My problem is not that url decode isn't working, it works if I manually enter this encoded URL and use urldecode(), but when this encoded url is in the actual pages url and I use the _GET function then I try to decode it it stripes off everything after the "#" in the URL.
<?php print urldecode($_GET["url"]);?>
It returns
"http://m.youtube.com/"
instead of
"http://m.youtube.com/#/watch?feature=player_embedded&v=zd7c5tQCs1I&desktop_uri=/watch?v=zd7c5tQCs1I&feature=player_embedded"
I think the issue is that the pound sign is not encoded, if I refresh the page it strips away the pound sing and everything after it, so how do I get around this? Can I still retrieve the info from "GET" even though there is a pound sign? (#)
The problem is that the full link has multiple = signs, and browser cant determine, that the other = signs refer just to the url= parameter.
in your case, at first, you need to use function before link is given to url= parameter:
========================= 1) JAVASCRIPT ======================
<script type="text/javascript">
var mylink = encodeURIComponent('http://testest.com/link.php?name=sta&car=saab');
document.write("http://yoursite.com/url=" + mylink);
</script>
========================= 2)or PHP ===========================
<?php
$mylink = 'http://testest.com/link.php?name=sta&car=saab';
echo 'http://yoursite.com/url='.urlencode($mylink);
?>
so, your output (url parameter) will get like this
http://yoursite.com/url=http%3A%2F%2Ftest.com%2Flink.php%3Fname%3Dsta%
so, the url parameter will get the encoded url.
after that, your .php file needs to decode that "url" parameter-
<?php
$varr = $_GET['url'];
$varr = preg_replace("/%u([0-9a-f]{3,4})/i","&#x\\1;",urldecode($varr));
$varr = html_entity_decode($varr,null,'UTF-8');
echo $varr;
?>
that will give you the correct value
I read on php.net about urldecode function and they say that superglobal $_get is already decoded, ex: "The superglobals $_GET and $_REQUEST are already decoded. Using urldecode() on an element in $_GET or $_REQUEST could have unexpected and dangerous results."
It is encoded into ASCII format .
see http://www.w3schools.com/tags/ref_urlencode.asp
So here is the problem, the pound sign (#) (Hash) wasn't encoded... since I can't go back and re-encode it I have to use javascript (ex. alert(window.location.hash);) to send me the full URL after the hash then I append it to PHP's version of the URL, I THEN use a find and replace function in PHP to replace the "#" with "%23", then I use the urldecode method and it returns the full proper url decoded.
This encoding is called percent encoding or URL encoding. You can use urldecode for decoding it. (Example: http://phpfiddle.org/lite/code/0nj-198 )
I am trying to pass a url for creating an iframe as a parameter of a query string. Because the url that I am passing contains an ampersand, I encode the url with 'urlencode' then append it to the query string.
<?php
$url = "http://www.somesite.com/index.php?option=content&view=article&id=1234:some+article";
$url_encoded = urlencode($url);
?>
On the page where I want to create the iframe, I retrieve the url parameter using the $_GET variable.
<?php
$iframe_source = $_GET[$url];
?>
<iframe id="external-link-frame" src="<?php echo $iframe_source ?>"></iframe>
However $_GET only retrieves the part of the parameter value up to the encoded ampersand.
<?php echo $_GET[$url]; //outputs http://www.somesite.com/index.php?option=content ?>
What must I do in order to send the entire url including the parameters that are part of its own query string.
UPDATE: I am able to do it by encoding the url twice
urlencode(urlencode($url));
Take a look at: https://stackoverflow.com/a/2433211/1359529
I think rawurlencode() will encode the ampersands too.
http://us3.php.net/manual/en/function.rawurlencode.php
I believe, how you append it, the $_GET function thinks that the ampersand signs are signifying new values to get. I bet if you did after that $iframe_view = $_GET[$view] it will output article.
If you want it to get the full URL, I think it's best to encode by replacing & signs with something else and then once you get the url, then replace them back to & signs.
I format text with javascript asigning + to every emtpy space like this
var ft = text.replace(/ /g,"+");
Then I pass ft to a php script via jquery ajax as an get argument.
But
print $_GET['text'];
gives me the text with empty spaces instead +.
Any ideas?
You should get familiar with the concept of URL encoding.
PHP's urldecode function will run against all $_GET variables by default, so if you want to see raw input, use rawurldecode:
$encoded = array_map('rawurldecode', $_GET);
echo $encoded['text']; //blah+blah
Also, it's a good idea to use JSON to pass data from javascript to PHP.
What series of steps would be reqired to safely encode and
pass a string from a html href using javascript to construct the link to a php program.
in javascript set up URL
// encodes a URI component.
path = "mypgm.php?from=" + encodeURIComponent(myvar) ;
in php:
// get passed variables
$myvar = isset($_GET['myvar']) ? ($_GET['myvar']) : '';
// decode - (make the string readable)
$myvar = (rawurldecode($myvar));
// converts characters to HTML entities (reduce risk of attack)
$myvar = htmlentities($myvar);
// maybe custom sanitize program as well?
// see [http://stackoverflow.com/questions/2668854/php-sanitizing-strings-to-make-them-url-and-filename-safe][1]
$myvar = sanitize($myvar);
I think the first two lines should be fine. You would use htmlentities if and when you have to output it as text.
Looking at your code, all you really need is this:
$myvar = !empty($_GET['myvar']) ? $_GET['myvar'] : '';
Beyond that, PHP automatically URL decodes. I personally prefer to do my htmlentities() or htmlspecialchars() when I go to output data, i.e.:
<?php echo htmlentities($mydata); ?>
The only other time you specifically need to escape or sanitize data is if you're building a SQL query:
$data = mysql_real_escape_string($mydata);
$query = "SELECT * FROM table WHERE stuff = '$mydata'";
That will prevent SQL injection. Unless you're formatting user input or performing validation, it's not absolutely necessary to do any other kind of sanitization.
Hope this helps!