I have a webform in php that sends 2 emails. One is in plaintext, one in html to the customer that includes a url string based on the user input.
If the name field for instance says "Bob O'Reilly", the plaintext email is fine but the html email string would read "http://www.mysite.com?name=bob o", completely truncating the string. I know I need to escape the apostrophe but I've tried addslashes and it doesn't seem to do what I need it to.
Thanks
You should probably urlencode the string when using it in a link: http://php.net/manual/en/function.urlencode.php.
This transforms any characters that may have some special meaning to a code like %20 (space). You can use urldecode if you need to accept a requested, urlencoded string.
Related
I need to make up a simple string in PHP which is a string of data to be posted to another site.
The problem is that one of the fields is 'notify_url=..' and when I use that PHP takes the & in front of it and the not part to mean the logical operator AND NOT and converts it to a ¬ character:
$string = 'field1=1234&field2=this¬ify_url=http';
prints as 'field1=1234&field2=this¬ify_url=http'
The encoding on my page is UTF-8.
I have tried creating the string with single quotes as well as double quotes. I have tried making the fields names variables and concating them in but it always products the special character.
This is not being urlencoded because the string is meant to be hashed before the form is submitted to verify posted data.
PHP isn't doing that, it's your browser interpreting HTML entity notation. & has a special meaning in HTML as the start of an HTML entity, and ¬ happens to be a valid HTML entity. You need to HTML-encode characters with special meanings:
echo htmlspecialchars($string);
// field1=1234&field2=this¬ify_url=http
I was wondering if anybody knew how to get around this problem.
I am gathering user input from a HTML form which is then posted using htmlspecialchars into PHP to avoid issues when using quotes/etc...
However, I also want to run server-side validation checks on the data being gathered through regular expressions - though I'm not sure how to go about this.
So far, I have thought of decoding the htmlspecialchars - but because I am going to be using the Strings straight away, this means that the code could break after I run this conversion. e.g: Let's say the user inputted a single quote, " into a field. This would be converted to ", then if I decode this and use it in a variable, it could end up like: $string = """; which is going to give me issues.
Any advice on this would be greatly appreciated!
You seem to misunderstand the difference between data and how this data is altered to be parseable in a certain context.
A php string can contain any data. What is stored in this string is the "raw" form: the form in which we want to manipulate the data if needed.
In certain contexts, not all characters are valid. For example, in a html textarea, the < and > characters may not be used, because they are special characters. We still want to be able to use these characters. To use special characters in a context, we escape these characters. By escaping a special character it looses its special meaning. In the context of a html textarea, the < character is escaped as the sequence <. Unlike the < character, this escaped sequence does not have a special meaning in html, and thus if we send the following sequence to the browser, it knows how to parse that sequence and display the right thing: <textarea><</textarea>. When we talk about what the data is that this textarea contains, we do not say that it contains <, but instead we say that it contains <.
As you said, in a php script, in a double quoted string, the " character has a special meaning. This has only to do with parsing. PHP simply does not know how to parse a sequence $str = """;. If we would want to have the double quote in such a double quoted string, we would need to escape it. We escape a double quote in a php double quoted string by prepending it with a \. To make a string containing a single double quote, using the double quoted notation, you would write $str = "\"";.
However, none of this matters.. You are taking input from a html form. When you click the submit button, the browser reads what is in the textarea(, and decodes it as html?). The browser then encodes it in a way as dictated by the form tag, and sends it to the server. The server then decodes the blob of text back in it's raw data form. That data is passed to PHP, and it is this form you will encounter in $_POST['myTextarea'].
In conclusion: If data is encoded, realize for which context it was encoded and decode it based on that context. You do not need to escape for php quoted strings, because you are working on internal strings. There is nothing to parse. Remind yourself that when you are going to use the data somewhere, that you should take care that all special characters in your data for that particular context are escaped.
I suppose that htmlspecialchars() function is called after posting the form to PHP. Simplest solution then will be to match against regular expression first and then do htmlspecialchars().
Also, if you have string encoded with htmlspecialchars(), after decoding with htmlspecialchars_decode(), PHP internal representation will be "\"", so you break nothing. There is big difference how you write strings by hand to PHP file and how PHP internally handle them. You really don't need to be bothered by this.
I have a search form. I use the following line to get the value. When it returns, it replaces plus sign to space, letters after single/double quotes are deleted. I want to enable users to search for the keywords they want. How can I allow these letters to display?
$title = trim(filter_input(INPUT_GET, 'title', FILTER_SANITIZE_SPECIAL_CHARS));
When I send with GET.
header("Location:http://site.org/search/?title=$title");
I tried using urlencode() and works for plus signs, but it didn't work for quotes. For example c"s would return c"s.
Thanks.
Those are special characters that correspond to what they are appearing to be, for instance a plus in a GET request corresponds to a space.
Please see this link.
You will have to replace these characters before you redirect. You can do this with urlencode.
From the manual for FILTER_SANITIZE_SPECIAL_CHARS
HTML-escape '"<>& and characters with ASCII value less than 32,
optionally strip or encode other special characters.
If the ascii value of the characters you are trying to are below 32, you will probably need to go a different route.
You need to encode / escape your data for the medium you are outputting to:
use url_encode to send the variables via a url;
use prepared statements with bound variables to query the database, that way you are safe from sql injection and you can search for texts with quotes in the database;
use htmlspecialchars to output your results to html or something like json_encode to send it to javascript.
I want to send an e-mail using the mail-function in PHP. The "FROM"-part of the header should contain a name with a space
name with space <mail#server.tld>
Unfortunately, some mail clients cannot handle the spaces. Thats why e.g. Thunderbird adds quotes to the name.
"name with space" <mail#server.tld>
That works fine, until you add special characters like ÄÖÜ, since they need to be encoded. The follwing would not work:
"name with ÄÖÜ and space" <mail#server.tld>
Thats why I tried the function mb_encode_mimeheader
echo mb_encode_mimeheader("name with"." ÄÖÜ"." and space", "ISO-8859-1", "Q");
# result:
# name with =?ISO-8859-1?Q?=C3=84=C3=96=C3=9C=20and=20space?=
That still does not work, since before the first occurence of the special characters, the spaces are still in the string. the correct result schould be:
=?ISO-8859-1?Q?name=20with=20=C3=84=C3=96=C3=9C=20and=20space?=
Is there a function in PHP that can handle this? or should I use a mixture of quotes and ´mb_encode_mimeheader´? Or is there a different way to handle spaces in mailheaders? To be honest, I did not understand the meaning of the different whitespaces mentioned in the RFC822.
You don't need quotes. RFC2047-encoding (i.e. mb_encode) handles spaces as well.
(Although for the record, just plain spaces are completely unproblematic; they are not the reason some clients use quoting, which is often completely redundant anyway. So the result with the spaces is actually not incorrect at all.)
As IETF says, emails only let ASCII characters in their headers. Thus I guess you should ASCII encode your email header.
However, based on the trends that I see in new specifications coming from Internet Engineering Task Force, soon we should see that you might don't need to encode/decode your headers.
I have a text field where where the user can pass wild cards - more specific to the question they can use '%' character.
I am using ajax to get the value and send it to a PHP file. If I enter '%BA' in the text file and retrieve the value using
document.getElementById('textfield').value
This actually gets '%BA'. I am using POST method to send it to a PHP file. But the variable displays as "�" in the web browser and inserts " ° - degree small o" in the database.
I am sure there are other cases that I am not aware of as well. Is there a function in PHP to escape the special characters or any other way to get the exact string?
Edit: This may be a guess but doing escape(document.getElementById('textfield').value) to send the value and using urldecode($values[3]) to retrieve the value doesn't work. Maybe it's a js to PHP problem.
Update: urldecode will not work. Read the first comment in urldecode. Used the function there. Solved.
while passing the value using ajax , you just encode the value with encodeURIComponent() function and use urldecode() function to decode it in the php file. This might solve the issue.
You could encode the characters with urlencode (and maybe htmlspecialchars too) before storing it in the database, and use urldecode ( and maybe htmlspecialchars_decode) to decode them before displaying to the user.
You can use escape in javascript i.e.
escape(document.getElementById('val'))