I'm using parse_str to get a raw value from a URL (which is obviously entered by the user), and I'm wondering if there's anything I should to to make it safe before I use it (i.e. convert special characters like '<').
I noticed that the function does remove some characters, but I couldn't find the specifics anywhere.
Thanks.
You can use htmlentities() and then parse_str() or parse_url() function
Related
UPDATE: Please ignore this question, it appears that md5 is not
returning result because I pass the URL through filter_var($url,
FILTER_SANITIZE_URL) and looks like FILTER_SANITIZE URL doesn't work
for foreign characters.
I have a problem where I want to get a hash from URLs e.g
https://ko.wikipedia.org/wiki/추간판_탈출증
The URL is provided by user in a form with so I assume it's already UTF-8 since my website is UTF-8.
However the above cannot be used with md5() as it returns empty result. May I know what php function do I use to convert it to something like below where md5() can be used?
https://ko.wikipedia.org/wiki/%EC%B6%94%EA%B0%84%ED%8C%90_%ED%83%88%EC%B6%9C%EC%A6%9D
I tried iconv, htmlspecialchar, htmlentities and I cannot seems to be able to find the right function to convert the strings.
You can use directly md5 to Encode whole URL as Below :
echo md5('https://ko.wikipedia.org/wiki/추간판_탈출증');
Which gives output as :
26eb333445f4e154f8ecb76e7c2ac858
UPDATED :
As Per w3schools FILTER_SANITIZE_URL
The FILTER_SANITIZE_URL filter removes all illegal URL characters from
a string.
This filter allows all letters, digits and
$-_.+!*'(),{}|\^~[]`"><#%;/?:#&=
The function you are looking for is rawurlencode. However you will have to extract the part of the url you want to encode or the whole url will be encoded.
$encoded = rawurlencode('추간판_탈출증');
// value of $encoded is now '%EC%B6%94%EA%B0%84%ED%8C%90_%ED%83%88%EC%B6%9C%EC%A6%9D'
use urlencode(url) function for conversion
once check this url url encode functions are found here
I have a string has encrypted but with some symbol qwfKOEK==dwk&f
What if I need pass this string to a parameter:
www.example.php?string=qwfKOEK==dwk&f
$_GET["string"]
But I can’t get the string cause the symbol interrupt it.
Anyway to escape the symbol?
I had try html_entity_decode but seems not working, any possible way to escape the symbol and $_GET the original string?
A URL value needs to be URL encoded using urlencode or rawurlencode.
The difference between the two is two slightly different standards for encoding, whereby the rawurlencode variant is generally preferred.
If you try to put this sting in a GET parameter, definitely it'll not be accepted as it explodes at "=" sign. You can try passing the same though a POST parameter or try changing the encryption technique. I hope this may solve the problem. plus, html_entity_decode() doesnt apply to "=" sign.
I have a text field where where the user can pass wild cards - more specific to the question they can use '%' character.
I am using ajax to get the value and send it to a PHP file. If I enter '%BA' in the text file and retrieve the value using
document.getElementById('textfield').value
This actually gets '%BA'. I am using POST method to send it to a PHP file. But the variable displays as "�" in the web browser and inserts " ° - degree small o" in the database.
I am sure there are other cases that I am not aware of as well. Is there a function in PHP to escape the special characters or any other way to get the exact string?
Edit: This may be a guess but doing escape(document.getElementById('textfield').value) to send the value and using urldecode($values[3]) to retrieve the value doesn't work. Maybe it's a js to PHP problem.
Update: urldecode will not work. Read the first comment in urldecode. Used the function there. Solved.
while passing the value using ajax , you just encode the value with encodeURIComponent() function and use urldecode() function to decode it in the php file. This might solve the issue.
You could encode the characters with urlencode (and maybe htmlspecialchars too) before storing it in the database, and use urldecode ( and maybe htmlspecialchars_decode) to decode them before displaying to the user.
You can use escape in javascript i.e.
escape(document.getElementById('val'))
I need to escape entire javascript code block using escape() compatible function via PHP, and then put resulting JavaScript code back into a code construct like this:
document.write(unescape(ESCAPED_JS));
I'm not trying to increase security by doing this, protect code, or anything like that. Just to make it a bit harder to glance over a code and see what it does.
Does anyone have a working solution for this, or idea how to do it? The only reference I found about it is on this page, but it only deals with unescaping JS-escaped string using PHP, but by taking special care of UTF-8 characters (which I also need to consider).
escape is not a standard function. Better use encodeURIComponent or JSON instead.
Gumbo is right (as always), but I think rawurlencode and rawurldecode are the php equivalents of js escape and unescape
You should be able to use urlencode and urldecode to do this.
http://php.net/manual/en/function.urlencode.php
With PHP, which function is best to be used with $_GET[] values to make them browser safe?
I have read up on a few htmlspecialchars() and htmlentities(). Should one of those be used or is there another function that would work better?
Using htmlspecialchars suffices to encode the HTML special characters. htmlentities is only necessary if you want to use characters that can not be encoded with the character encoding you are using.
But make sure to specify the quote_style parameter when you want to use the output in an attribute value quoted with single quotes like:
echo "<input type='text' value='".htmlspecialchars($_GET['foobar'], ENT_QUOTES)."'>";
And to specify the charset parameter when you’re using a character encoding other than ISO 8859-1:
echo htmlspecialchars($_GET['foobar'], ENT_QUOTES, 'UTF-8');
You use htmlspecialchars() to display $_GET variables, and use urlencode() to encode them.
htmlspecialchars() should be applied to every $_GET variable you output into your page.
If you're doing this just for safety (removing <script>'s etc) rather than because you need to make sure characters are encoded correctly (although that could definitely be a concern) it could be worth looking at strip_tags, which will remove tags entirely, rather than just encoding the < and > symbols. This is a bit nicer in some cases - <b>hello</b> will become just "hello", rather than having the tags converted to become visible.