I have a very basic pagination script and a search form with ~4 fields and action="get". Now my problem is that when I submit my form, I get a URL like this:
user/people/1/?search=true&country=uk&age=20&online=true ... and so on
So after I submit the form everything is just fine, but when I go to page 2 my URL changes to:
user/people/2
So my search parameters disappear. This is how I render my links:
href="user/people/<?=$next?>"
So my question is: what is the best way to keep my parameters? Right now I can only think of a for loop that builds my link by merging all $_GET values. Should I do it like that?
Just append $_SERVER[ 'QUERY_STRING' ] (make sure to htmlspecialchars() it first).
href="user/people/<?php echo htmlspecialchars( "{$next}?{$_SERVER[ 'QUERY_STRING' ]}" ); ?>"
By the way, the PHP short tags <?= ?> are not portable, so you should consider not using those, and using <?php echo ?> instead.
Update:
#Wrikken raises a couple of good points in their answer:
1) passing ENT_QUOTES as the second argument to htmlspecialchars() would be important if single-quoting the attribute value (or to cover it being changed to being single-quoted in the future). This is easy to forget, for me anyway, since I almost always double-quote attribute values. It's unfortunate that it further bloats a call that's already bloated by a long function name.
2) If you're just passing through the query string as-is, then I'd certainly prefer using $_SERVER[ 'QUERY_STRING' ] instead of http_build_query( $_GET ). If, however, you need to change some of the query params, http_build_query() would be the ticket. You can see an example of that in my PHP faceted browser.
Either:
...ople/?<?php echo htmlspecialchars($_SERVER['QUERY_STRING'], ENT_QUOTES);?>"
Or:
...ople/?<?php echo htmlspecialchars(http_build_query($_GET), ENT_QUOTES);?>"
Or:
...ople/?<?php echo htmlspecialchars(http_build_query($some_custom_array), ENT_QUOTES);?>"
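The http_build_query() route from the answers above, carried through as a complete pagination helper. This is an added example and not code from either answer: it assumes the page number travels in the path segment as in the question (user/people/<n>) and that every other parameter lives in the query string; the helper name and the sample $_GET array are constructed for illustration.

```php
<?php
// Added example: build pagination links that keep the current search
// parameters. http_build_query() percent-encodes every value, and
// htmlspecialchars(..., ENT_QUOTES) makes the result safe inside either a
// double- or single-quoted href attribute.
function paginationLink(array $params, int $page, string $base = 'user/people'): string
{
    // Drop any stale "page" key that may have been submitted with the form,
    // then rebuild the query string from the remaining parameters.
    unset($params['page']);
    $query = http_build_query($params);
    $url   = $base . '/' . $page . ($query !== '' ? '?' . $query : '');
    return htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
}

// Constructed sample standing in for $_GET after the search form was submitted.
// The "q" value contains characters that need both URL and HTML escaping.
$get = ['search' => 'true', 'country' => 'uk', 'age' => '20', 'online' => 'true', 'q' => 'a&b "x"'];

$next = 2;
$prev = 1;
echo '<a href="' . paginationLink($get, $prev) . '">Previous</a>', PHP_EOL;
echo '<a href="' . paginationLink($get, $next) . '">Next</a>', PHP_EOL;
```

Because the array is rebuilt on every link, the same helper also serves when a parameter has to be changed or removed (unset a key or assign a new value before calling it), which is the case where the answer above prefers http_build_query() over passing QUERY_STRING through unchanged.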
I've noticed that my PHP inside of a WordPress site works without actually echoing some strings in specific situations.
Example:
link
link
Both pieces of code output the permalink on my WordPress website. (Versions: PHP 7.17, WP 4.9.8)
Question:
When do I need to use echo and which security concerns do I need to be aware of?
Both output the URL because you are using the_permalink(), which echoes the permalink. That in turn means it is NOT getting run through your esc_url.
Instead, you need to use echo esc_url( get_the_permalink() );, where get_the_permalink() does not echo but returns; therefore it gets passed into esc_url, which then requires the echo.
The only difference between the_permalink and get_the_permalink: one echoes, one returns.
Note that WordPress is full of handy functions that work this same way:
the_ID() vs get_the_ID(),
the_title() vs get_the_title(),
etc...
Special case:
the_content() vs get_the_content()
Be aware, however, that while the naming of the_content follows the same pattern (echo vs. return), it has an additional difference: it passes the content through the the_content filters (which do a lot of formatting, expand shortcodes, etc.).
According to the official source, the function the_permalink() displays the permalink for the current post.
So it has built-in functionality to print output without echo so you can use whatever text you like as the link text, in this case, “permalink”.
permalink
Echo
The echo() function outputs one or more strings.
echo is not actually a function (it is a language construct), so you
are not required to use parentheses with it. echo (unlike some other
language constructs) does not behave like a function, so it cannot
always be used in the context of a function. Additionally, if you want
to pass more than one parameter to echo, the parameters must not be
enclosed within parentheses.
Please, I am new to programming.
Please sir, I have been seeing this in many PHP files: .php?id=3
But I don't understand how it works or how to put it in my code.
This is called the query string; it's a way of passing parameters to your page.
You can access them in the php using the $_GET superglobal like so:
var_dump( $_GET['id'] );
Tips for using query string variables:
Check it is set before trying to use it: isset($_GET['id']) because you can't be sure it will be there.
This is "user input" and so you should not trust it implicitly. Whatever you do with user input you should use the appropriate security mechanism to sanitize it to prevent vulnerabilities.
If you generate a link with dynamic query string variables then be sure to use URL encoding/Percent encoding which can be done with urlencode().
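The three tips above (check it is set, treat it as untrusted input, percent-encode it when building links) put together as an added example; it is not code from the answer. The parameter name "id", the helper names and the sample requests are constructed for illustration.

```php
<?php
// Added example: read an "id" query-string parameter safely and emit a link
// that carries it. $_GET is replaced by constructed arrays so it runs offline.

/**
 * Return the id as an int, or null if it is missing or not a positive integer.
 * FILTER_VALIDATE_INT rejects values such as "3abc", "3.0" or " 3".
 */
function readId(array $query): ?int
{
    if (!isset($query['id'])) {                      // tip 1: check it is set
        return null;
    }
    $id = filter_var($query['id'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;               // tip 2: validate, never trust it
}

/** Build an anchor whose query value is percent-encoded and whose HTML is escaped. */
function itemLink(string $script, int $id, string $label): string
{
    $href = $script . '?id=' . urlencode((string) $id);   // tip 3: URL-encode dynamic values
    return '<a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8') . '">'
         . htmlspecialchars($label, ENT_QUOTES, 'UTF-8') . '</a>';
}

// Constructed sample requests standing in for $_GET: valid, malformed, missing.
foreach ([['id' => '3'], ['id' => '3abc'], []] as $get) {
    $id = readId($get);
    if ($id === null) {
        http_response_code(404);
        echo "invalid or missing id", PHP_EOL;
        continue;
    }
    echo itemLink('item.php', $id, 'Item #' . $id), PHP_EOL;
}
```

Validating to an integer before the value is used anywhere (database lookup, file name, link) is what makes the later steps safe; escaping alone does not tell you whether the value is the kind of thing you expected.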
The following is working in index.php, but is it correct?
Before the html tag:
$la= array();
$la['index.php'] = 'Start page';
(Actually this is another language library that is included)
Then inside the header:
<title><?php echo $la[$_SERVER['PHP_SELF']];?></title>
For me the part "$la[$_SERVER['PHP_SELF']]" seems strange, but it's working. The title is there in my browser. Is it good practice?
Yes, current code works. If it's good practice is up for debate.
PHP (like many other languages) will evaluate the statements in order.
Every time you use the brackets you are really using the array's index operator, where the index acts as the parameter.
Your code will first evaluate the $_SERVER['PHP_SELF'] statement, which probably returns 'index.php'. The next call will be $la['index.php'] (since that was what your inner statement returned). This will in turn return the value 'Start page', which is what is sent to the echo.
There's nothing wrong with your code. The superglobal $_SERVER['PHP_SELF'] holds the name of the current file. It's not very secure because it can be manipulated to execute arbitrary code if you inject it without sanitizing it properly.
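The same title lookup with the two weaknesses the answers mention addressed, as an added example that is not code from the question or the answers: the key comes from SCRIPT_NAME, which is set by the server, rather than PHP_SELF, which can carry user-supplied path info; an unknown key falls back to a default instead of echoing whatever the request sent; and the output is HTML-escaped. The titles array, helper name and sample server arrays are constructed for illustration.

```php
<?php
// Added example: page-title lookup keyed on the executing script name.
$la = [
    'index.php'   => 'Start page',
    'contact.php' => 'Contact',
];

function pageTitle(array $titles, array $server, string $fallback = 'Untitled'): string
{
    // SCRIPT_NAME is the path of the script being executed. PHP_SELF may also
    // include PATH_INFO, e.g. /index.php/<anything the client appended>, so it
    // is not a safe lookup key and must never be echoed unescaped.
    $script = basename($server['SCRIPT_NAME'] ?? '');
    $title  = $titles[$script] ?? $fallback;   // unknown page -> fixed default
    return htmlspecialchars($title, ENT_QUOTES, 'UTF-8');
}

// Constructed requests: a normal one, one where PHP_SELF carries extra path
// info, and one for a script that has no entry in the table.
$requests = [
    ['SCRIPT_NAME' => '/index.php', 'PHP_SELF' => '/index.php'],
    ['SCRIPT_NAME' => '/index.php', 'PHP_SELF' => '/index.php/injected-path-info'],
    ['SCRIPT_NAME' => '/about.php', 'PHP_SELF' => '/about.php'],
];
foreach ($requests as $server) {
    echo '<title>' . pageTitle($la, $server) . '</title>', PHP_EOL;
}
```

Because the lookup table is the only source of text that reaches the page, a request can at most select a title from it or get the fallback; nothing from the request itself is printed.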
I have following code:
<?php
$param = $_GET['param'];
echo $param;
?>
when I use it like:
mysite.com/test.php?param=2+2
or
mysite.com/test.php?param="2+2"
it prints
2 2
not
4
I also tried eval; neither worked.
+ is encoded as a space in query strings. To have an actual addition sign in your string, you should use %2B.
However, it should be noted this will not perform the actual addition. I do not believe it is possible to perform actual addition inside the query string.
Now, I would like to stress that you should avoid using eval: if it's your answer, you're asking the wrong question. It's a very dangerous piece of work. It can create more problems than it's worth, as per the manual specifications on this function:
The eval() language construct is very dangerous because it allows
execution of arbitrary PHP code. Its use thus is discouraged. If you
have carefully verified that there is no other option than to use this
construct, pay special attention not to pass any user provided data
into it without properly validating it beforehand.
So, everything that you wish to pass into eval should be screened against very, very strict criteria, stripping out other function calls and other possible malicious calls, and ensuring 100% that what you are passing into eval is exactly as you need it. No more, no less.
A very basic scenario for your problem would be:
if (!isset($_GET['Param'])) {
    $Append = urlencode("2+2");  // "+" must be sent as %2B, otherwise it decodes to a space
    header("Location: index.php?Param=" . $Append); exit;
}
// Screen the input strictly before it reaches eval: digits and + - * / only
if (!preg_match('/^[0-9+\-*\/]+$/', $_GET['Param'])) {
    die('Invalid expression');
}
$Code_To_Eval = '$Result = ' . $_GET['Param'] . ';';
eval($Code_To_Eval);
echo $Result;
The first four lines (1 through 4) only show how to correctly pass a character such as a plus symbol; the other lines of code work with the data string. And as #andreiP stated:
Unless I'm mistaken, the "+" is used for URL encoding, so it would
be translated to a %, which further translates to a white space.
That's why you're getting 2 2
This is correct. It explains why you are getting your current output. Also please note that using:
echo urldecode($_GET['Param']);
after encoding will bring you back to your original output, which you want to avoid.
I would highly suggest looking into an alternative before using what I've posted.
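The alternative the answer recommends looking into, as an added example that is not code from the answer: compute "2+2" from the query string without eval at all. A small recursive-descent parser accepts only integers, + - * / and parentheses, so a request can never cause anything but arithmetic to run. The class and function names are my own; the %2B encoding of "+" is the one the answer describes. Assumes PHP 8 for the int|float return types.

```php
<?php
// Added example: safe arithmetic evaluation for a query-string parameter, no eval.
final class SafeCalc
{
    private string $s = '';
    private int $pos = 0;

    public static function evaluate(string $expr): int|float
    {
        // Allow-list the characters first; anything else (letters, quotes,
        // spaces) is refused before parsing starts.
        if (!preg_match('/^[0-9+\-*\/()]+$/', $expr)) {
            throw new InvalidArgumentException('Expression contains disallowed characters');
        }
        $c = new self();
        $c->s = $expr;
        $v = $c->parseExpr();
        if ($c->pos !== strlen($c->s)) {
            throw new InvalidArgumentException('Unexpected trailing input');
        }
        return $v;
    }

    // expr := term (('+'|'-') term)*
    private function parseExpr(): int|float
    {
        $v = $this->parseTerm();
        while ($this->pos < strlen($this->s) && ($this->s[$this->pos] === '+' || $this->s[$this->pos] === '-')) {
            $op = $this->s[$this->pos++];
            $r  = $this->parseTerm();
            $v  = $op === '+' ? $v + $r : $v - $r;
        }
        return $v;
    }

    // term := factor (('*'|'/') factor)*
    private function parseTerm(): int|float
    {
        $v = $this->parseFactor();
        while ($this->pos < strlen($this->s) && ($this->s[$this->pos] === '*' || $this->s[$this->pos] === '/')) {
            $op = $this->s[$this->pos++];
            $r  = $this->parseFactor();
            if ($op === '/' && $r == 0) {
                throw new InvalidArgumentException('Division by zero');
            }
            $v = $op === '*' ? $v * $r : $v / $r;
        }
        return $v;
    }

    // factor := '-' factor | '(' expr ')' | integer
    private function parseFactor(): int|float
    {
        if ($this->pos >= strlen($this->s)) {
            throw new InvalidArgumentException('Unexpected end of expression');
        }
        $ch = $this->s[$this->pos];
        if ($ch === '-') {
            $this->pos++;
            return -$this->parseFactor();
        }
        if ($ch === '(') {
            $this->pos++;
            $v = $this->parseExpr();
            if (($this->s[$this->pos] ?? '') !== ')') {
                throw new InvalidArgumentException('Missing closing parenthesis');
            }
            $this->pos++;
            return $v;
        }
        if (!preg_match('/\G[0-9]+/', $this->s, $m, 0, $this->pos)) {
            throw new InvalidArgumentException('Expected a number');
        }
        $this->pos += strlen($m[0]);
        return (int) $m[0];
    }
}

// Constructed inputs as PHP sees them in $_GET['param'] after URL decoding:
// "?param=2%2B2" arrives as "2+2", while "?param=2+2" arrives as "2 2".
foreach (['2+2', '2 2', '(1+2)*3', '8/0', 'abc()'] as $param) {
    try {
        echo $param, ' = ', SafeCalc::evaluate($param), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo $param, ' rejected: ', $e->getMessage(), PHP_EOL;
    }
}
echo 'link: ?param=', urlencode('2+2'), PHP_EOL;   // the "+" travels as %2B
```

The "2 2" case is rejected rather than silently turned into 22, which surfaces the encoding mistake from the question instead of hiding it; the urlencode() line at the end shows the form the link must take so that the plus sign survives the round trip.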
I am just learning about escaping things and started reading about how it could be risky to use $_SERVER['HTTP_HOST'] due to XSS attacks.
I came up with this and was wondering if I could get some feedback on my attempt.
htmlspecialchars(
filter_var( $_SERVER[ 'HTTP_HOST' ], FILTER_SANITIZE_URL ),
ENT_QUOTES, 'UTF-8'
)
Does it look okay?
So much depends on this one variable being secure, I just had to ask for input.
EDIT:
I will be using this for display throughout the site, including basic anchor-hrefs, form-actions, etc.
Different escaping functions should be used for different situations, for example:
urlencode for items that will be dropped in a query string in an <a> tag, i.e. echo '<a href="index.php?foo=' . urlencode($foo) . '">'; (see also http_build_query)
mysql_real_escape_string for variables going in a SQL statement (though I prefer bind variables)
htmlentities for strings you want to display to the user, that may possibly have HTML within (see also strip_tags)
It depends on what you want to use it for. If you want to display it, use htmlspecialchars. If you want to use it in a database query, you might use mysql_real_escape_string in the case of MySQL (or prepared statements).
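The question's concern is that HTTP_HOST comes from the client. The answers above say to escape per output context; the added example below, which is not code from the question or the answers, goes one step further: it matches the header against a configured allow-list of hostnames (falling back to a canonical one) before using it anywhere, and then escapes for the HTML attribute context the asker names (anchor hrefs, form actions). The allow-list, canonical host, helper names and sample headers are constructed for illustration.

```php
<?php
// Added example: treat HTTP_HOST as untrusted input. Validate it against known
// hostnames instead of trying to sanitize an arbitrary string into shape.
const ALLOWED_HOSTS  = ['example.com', 'www.example.com'];
const CANONICAL_HOST = 'www.example.com';

/** Return a hostname the application owns; the request's Host header only if it is allow-listed. */
function trustedHost(?string $hostHeader): string
{
    if ($hostHeader === null) {
        return CANONICAL_HOST;
    }
    // Strip an optional :port, lower-case, and require a plain DNS-style name.
    $host = strtolower(preg_replace('/:\d+$/', '', trim($hostHeader)));
    if (!preg_match('/^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*$/', $host)) {
        return CANONICAL_HOST;
    }
    return in_array($host, ALLOWED_HOSTS, true) ? $host : CANONICAL_HOST;
}

/** Absolute URL for an href or form action, escaped for an HTML attribute. */
function siteUrlAttr(string $host, string $path, array $query = []): string
{
    $url = 'https://' . $host . $path;
    if ($query !== []) {
        $url .= '?' . http_build_query($query);   // percent-encodes each value
    }
    return htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
}

// Constructed Host headers: a legitimate one, one carrying a port, one for a
// host the site does not own, and one that is not a hostname at all.
foreach (['example.com', 'www.example.com:443', 'other.example.net', 'not a host!'] as $header) {
    $host = trustedHost($header);
    echo $header, ' -> ', $host, PHP_EOL;
    echo '  <form action="', siteUrlAttr($host, '/search'), '">', PHP_EOL;
    echo '  <a href="', siteUrlAttr($host, '/search', ['q' => 'a b&c']), '">search</a>', PHP_EOL;
}
```

With this in place the value that reaches the page is always one of the configured hostnames, so the escaping call is a second layer rather than the only thing standing between the Host header and the HTML; the same trustedHost() result is what you would use for redirects and absolute links in e-mails, where HTML escaping does not apply at all.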