I have a file on my server that i want to access. The filename is ken\'s book.doc
But in my db, it was stored as ken's book.doc
(I have fixed the backslash issue, but still have problems accessing the previously uploaded files on server.
I used addslashes to add the back slash but it displays it as: ken/'s book.doc (that is a forward slash instead of a backslash.
I have used:
str_replace("'", "\'", $filename);
yet it displays as a forward slash.
How can i fix this?
Thanks
EDIT
Extra Information: I am using the new value as part of a link. that is:
View
If you have a filename that contains a backslash on disk, I would fix that first. Your second problem was appearantly not using mysql_real_escape_string when storing that filename into the database (why it ended up there without backslash).
addslashes btw does not add forward slashes by itself. That part of your story is untrue. And to remove them again you wouldn't need the quirky str_replace call, but just stripslashes.
The actual problem (after your edit) turns out to be a html link. That's simply because browsers have the habit of turning backslashes into forward slashes in urls. To prevent that apply urlencode()
View
Related
I have already checked quite a few other answers but to no avail.
I have been hired to fix bugs for a job that some other developer ran away from.
The application has a add comment and delete comment functionality.
The problem comes in the delete comment part. He designed the database such that all comments are simply entered into a single cell separated by pipe characters. So while deleting a comment, the entire comment needs to be placed in the url as a parameter which is then passed to the model and removed from the database.
I do know this is bad, but I cannot recode the entire functionality.
Now, when a user enters a comment such as "What's Up?", the delete comment url throws the "Codeigniter: The URI you submitted has disallowed characters." error.
I tried converting the quotes to HTML character entities but they again contain disallowed characters.
Can anybody please suggest a possible workaround for this problem?
Redesigning the database is not a viable option as I'll then have to change the extensive php code used for handling the different delimiters.
Messing with the disallowed characters list also seems to be a bad idea.
Thank you.
Open your config file and find this parameter:
$config['permitted_uri_chars'] = 'a-z 0-9~%.:_()#&-!=?';
You can change it according to your requirement or you can leave it blank.
Read the comment section in config file.
It says that: Leave blank to allow all characters -- but only if you are insane.
I am not sure if htmlentities will help.
Did you first call urlencode on just the parameters?
<?php
$query_string = 'foo=' . urlencode("What's Up?");
echo '<a href="mycgi?' . htmlentities($query_string) . '">';
?>
<a href="mycgi?foo=What%27s+Up%3F">
Also check if you need to add escape characters to any of these if they are treated as special characters by the database.
e.g. If % is treated as special character, then you may need to add a \ before it.
I need to pass filenames via the url, e.g.:
http://example.com/images/niceplace.jpg
The problem I'm having is when the file name contains a blank character, e.g.:
http://example.com/images/nice place.jpg
or
http://example.com/images/nice%20place.jpg
For these two URLs, codeigniter complains about the blank char: "The URI you submitted has disallowed characters."
How should I go about fixing this?
I know I can add the blank character to the permitted_uri_chars in config.php but I'm looking for a better solution as there might be other disallowed characters in a filename.
I figured out a solution.
The URL is generated using rawurlencode().
Then, within the images controller, the filename is decoded using rawurldecode(html_entity_decode($filename)).
I successfully tested this solution with a few special characters I can think of and with UTF-8 characters.
You can use this method:
http://php.net/urlencode
Actually, you will run into another issues, when a filename would contain & character, and a few others. urlencode would get rid of all the possible issues.
This configuration option is created to avoid some characters being passed in URI and you want to walkaround it in some cases. I think most appropriate solutions are:
Pass file name as a parameter - http://domain.com/images/?image=test.jpg
Remove all non alfanumeric characters and may be some other (dash, underscore, etc) from file name when you save it. In my opinion, it is better, because you can face other problems with some character in other cases.
One of the better way to work with url's for specified condition is to encode/encrypt your url parameters using encryption/security class in order to maintain URL security:
$encrypt=$this->encrypt->encode($param1) & $this->encrypt->decode($encrypt)
Alternatively if you want special chars to be allowed in the URL then change your config settings in config.php file.
File Location: application/config/config.php
$config['permitted_uri_chars'] = 'a-z 0-9~%.:_\-';
Add all characters in right side that you want to be allowed with your application.
Can any one please tell me how I can remove the slash from the end of a variable
In my index.php I have the following:
$url=$_SERVER['REQUEST_URI'];
include_once "sites/$url.php";
My problem is if I write example.com/test/somefile/ nothing comes but if I write example.com/test/somefile it works
So is there a way to remove the slash if the variable ends with a slash?
Please do not do this.
You are relying on your user being a goody two shoes and not futzing with requests.
In conclusion: DO NOT rely on browser requests to include a file in your code
Try this
$url = rtrim($url, '/');
From PHP.net http://ua2.php.net/rtrim
>
You can also specify the characters you want to strip, by means of the character_mask parameter. Simply list all characters that you want to be stripped. With .. you can specify a range of characters.
While this will solve your problem, please take a few minutes to consider the warnings posted in the comments and the other answer(s) regarding code injection since it is a very serious security issue.
my code is not working ? and i dont want to use str_replace , for there maybe more slashes than 3 to be replaced. how can i do the job using preg_replace?
my code here like this:
<?php
$str='<li>
<span class=\"highlight\">Color</span>
Can\\\'t find the exact color shown on the model pictures? Just leave a message (eg: color as shown in the first picture...) when you place order.
Please note that colors on your computer monitor may differ slightly from actual product colors depending on your monitor settings.
</li>';
$str=preg_replace("#\\+#","\\",$str);
echo $str;
There is merit in the other answers, but to me it looks like what you're actually trying to accomplish is something very different. In the php code \\\' is not three slashes followed by an apostrophe, it's one escaped slash followed by an escaped apostrophe, and in the rendered output, that's exactly what you see—a slash followed by an apostrophe (with no need to escape them in the rendered html). It's important to realize that the escape character is not actually part of the string; it's merely a way to help you represent a character that normally has very different meaning in within php—in this case, an apostrophe normally terminates a string literal. What looks like 4 characters in php is actually only 2 characters in the string.
If this is the extent of your code, there's no need for string manipulation or regular expressions. What you actually need is just this:
<?php
$str='<li>
<span class="highlight">Color</span>
Can\'t find the exact color shown on the model pictures? Just leave a message (eg: color as shown in the first picture...) when you place order.
Please note that colors on your computer monitor may differ slightly from actual product colors depending on your monitor settings.
</li>';
echo $str;
?>
Only one escape character is needed here for the apostrophe, and in the rendered HTML you will see no slashes at all.
Further Reading:
Escape sequences
The root of this problem is actually in how it was written into your database and likely to be caused by magic_quotes_gpc; this was used in older versions and a really bad idea.
The best fix
This requires a few steps:
Fix the script that puts the HTML inside your database by disabling magic_quotes_gpc.
Write a script that reads all existing database entries, applies stripslashes() and saves the changes.
Fix the presentation part (though, that may need no changes at all.
Alternative patch
Use stripslashes() before you present the HTML.
use this pattern
preg_replace('#\\+#', '\\', $text);
This replaces two or more \ symbols preceding an ' symbol with \'
$theConvertedString = preg_replace("/\\{2,}'/", "\'", $theSourceString);
Ideally, you shouldn't have code causing this issue in the first place so I would have a look at why you have \\' in your code to begin with. If you've manually put it in your variables, take it out. Often, this also happens with multiple calls to addslashes() or mysql_real_escape_string() or a cheap hosting providers' automatic transformation of all POST request variables to escape slashes, combined with your server side PHP code to do the same.
My PHP application adds backslashes to quotes in many locations with addslashes(). Unfortunately, this adding has produced output akin to the following.
Every time I refresh my page, this string increases in number of back slashes.
don't
don\'t
don\\'t
don\\\\'t
don\\\\\\\\'t
and so on.
I want to write a function that deletes all these extra back slashes. I have tried
str_replace($text, "\\\\", "");
to no avail.
You may just use:
stripslashes($text);
$text=preg_replace('/\134+/',"\134",$text);
What happens if your actual value happens to include \\ legitimately? For instance, if your content were referring to a Windows-style share reference - \\192.168.1.1\foo. If you blindly strip out any double slashes, you'll strip out ones that are meant to be there, as well.
The "right" answer is really to not add slashes to things that don't need them. You should know whether a given value is already escaped or not (after all, you're the one controlling where every value comes from, and what it's being used for) and only add slashes when you need them.