UTF-8 not showing in multi-dimensional arrays with a NUMERIC key - php

I have a script that puts some cyrillic text into session variables like this: $_SESSION['cyrillic'][$y] where $y is an iterator, so in the end the array will look like this:
[cyrillic] => Array
(
[0] => ������
[1] => ��������
[2] => ������
[3] => ������
However, after struggling with UTF-8 headers in both PHP, HTML and files save charsets (with and without BOM), I've found out there is nothing wrong with the charset settings (apparently), as setting any other session variable with the cyrillic text in WILL WORK.
This means: $_SESSION['cyr']['txt'] = $cyrillic_string_here; will work just fine, as shown here:
[cyr] => Array
(
[txt] => десять
)
So, what I fail to understand then, is WHY can't I insert cyrillic into an array using a numeric key, but an alphabetical one? And how can I work around this when I -need- to use an iterating loop?
EDIT: It's not that. I can insert the same text into another variable and echo it, or a session variable without numeric key values and it will work fine.
EDIT: I also found this:
*The hard-to-find documentation sentence I'm about is: "The keys in the $_SESSION associative array are subject to the same limitations as regular variable names in PHP."*
But I thought I could make an array with a numeric value like this: $array[$i]? Or does it mean since the key is ASSOC that $array['text'][$i] wouldn't work?

Found the solution. I had a trim(strtolower($text)); wrapped around my cyrillic.
strtolower:
[These functions] only work when translation is between common characters in ISO 8859-1 and UTF-8, that means they will work well with western languages but not cyrillic or asian.
Thanks for your help.

Related

How to properly sanitise an array of user supplied data for JSON output?

My code
I have a function get_points_table() that returns an array like so:
Array
(
[0] => Array
(
[player] => steve
[points] => 10
)
[1] => Array
(
[player] => jess
[points] => 7
)
)
I would like to pass this array as JSON to a JavaScript script to output as HTML.
My current script looks like this:
<?php
require_once 'db.php';
$points_table = get_points_table($dbh);
echo json_encode($points_table);
?>
My problem
My understanding is that if I don't sanitise the data before echo'ing it back, there is a security risk posed by a player setting their username to something like steve<script>alert()</script> or using some other combinations of special characters.
My research suggests I need to use some combination of htmlentities() and/or htmlspecialchars() to safely output the data. However htmlentities() does not return utf8 encoded data, so I also need to use utf8_encode() in order for json_encode() to understand it. htmlentities() also does not allow you to pass an array as a value.
What I've tried
I've tried various combinations of array_walk(), array_walk_recursive() and array_map() to apply htmlentities() to each value of my array but to no success. I've also tried accessing the values in nested foreach loops to no success either. e.g.:
foreach($points_table as $key=>$value) {
htmlspecialchars($value);
htmlentities($value);
utf8_encode($value);
}
echo json_encode($points_table);
What I need
I would like to know how to sanitise my array so I can safely pass it as JSON to be output as HTML, even if the user sets their username to something like steve<script>alert()</script><php echo "hello world";?> ;-- - &%00
Ideally I would like to do this so that the end result has the username in human readable format without converting symbols to html entities (i.e. steve<script> not steve"<script>")
This feels like a very common thing developers would do and should have a simple and easy answer, but I have done much searching and cannot work it out for myself.
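One way to handle the case asked about above, as an added example (not code from the original post): leave the stored username untouched, emit strict JSON whose string values contain no raw HTML metacharacters, and do the HTML escaping where the value is written into the page. The function name points_table_json() and the sample rows are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Added example (hypothetical helper, not from the original post).
 * Encodes rows as JSON without altering the data: <, >, &, ' and " inside
 * string values are written as \u00XX escapes, so the payload carries no
 * markup characters, and JSON.parse() on the client still returns the
 * original, human-readable text.
 */
function points_table_json(array $rows): string
{
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
           | JSON_INVALID_UTF8_SUBSTITUTE   // bad bytes become U+FFFD instead of failing
           | JSON_THROW_ON_ERROR;           // never echo "false" on an encoding error
    return json_encode($rows, $flags);
}

// Constructed sample rows, standing in for get_points_table($dbh).
$points_table = [
    ['player' => 'steve<script>alert()</script>', 'points' => 10],
    ['player' => "jess & \"co\" \xB1",            'points' => 7],
];

$json = points_table_json($points_table);

// In the real endpoint, send the JSON as JSON, never as text/html.
if (PHP_SAPI !== 'cli') {
    header('Content-Type: application/json; charset=utf-8');
    header('X-Content-Type-Options: nosniff');
    echo $json;
    exit;
}

// CLI self-check: the wire form has no raw <, >, & or ' ...
var_dump(strpbrk($json, '<>&\'') === false);
// ... and decoding gives back the first username exactly as stored.
$decoded = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
var_dump($decoded[0]['player'] === $points_table[0]['player']);

// On the JavaScript side the value must be inserted as text, e.g.
//   cell.textContent = row.player;   // not cell.innerHTML = ...
```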

How to eliminate special characters from url?

I have the following url where var_a should always be a number. Also I don't know how many var_a there will be:
http://localhost/url.php?var_a[]=298&var_a[]=299
How to prevent getting an error if the user writes special characters in the url?
I have done this:
$data = preg_replace('/[^0-9\']/', '',$_GET['var_a']);
$data = str_replace("'", '', $data);
print_r ($data);// Array ( [0] => 298 [1] => 299 )
//This is ok, all number were printed
But I still get an error with the special characters like # % &
e.g.
http://localhost/url.php?var_a[]=298&var_a[]=#299
print_r ($data);// Array ( [0] => 298 [1] => )
//299 was not printed!
How can I fix this?
As far as I can tell, you can't fix it if the users are entering the values directly in the URL. The reason is that these characters have special meanings in URLs: # represents a data fragment, % represents unicode values, and & represents a new variable. The two options you have are to use $_POST values, if it is coming from a form, or to use urlencode before submitting the values. "Pound sign (#) not working in PHP" has more information on using urlencode.
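The behaviour in this thread, as an added example (not code from the original posts): everything after an unencoded # is a fragment that never reaches the server, and a strict allow-list check is shown in place of stripping characters. The helper name parse_id_list() and the sample URLs are constructed for illustration; a real script would read $_GET['var_a'] directly.

```php
<?php
declare(strict_types=1);

/**
 * Added example (hypothetical helper). Returns the var_a[] values of a URL
 * as integers, or null if the parameter is missing or any element is not a
 * plain non-negative integer. Rejecting is safer than stripping: stripping
 * turns "29x9" into a different, valid-looking id.
 */
function parse_id_list(string $url): ?array
{
    // parse_url() splits off the fragment, which a browser keeps to itself
    // and does not send with the request.
    $query = parse_url($url, PHP_URL_QUERY);
    if (!is_string($query)) {
        return null;
    }
    parse_str($query, $params);           // same decoding rules as $_GET
    $raw = $params['var_a'] ?? null;
    if (!is_array($raw) || $raw === []) {
        return null;
    }
    $ids = [];
    foreach ($raw as $item) {
        // Nested arrays (var_a[][]=1) and anything but ASCII digits fail here;
        // the length limit keeps the cast below inside the integer range.
        if (!is_string($item) || !ctype_digit($item) || strlen($item) > 9) {
            return null;
        }
        $ids[] = (int) $item;
    }
    return $ids;
}

// Constructed sample URLs.
$samples = [
    'http://localhost/url.php?var_a[]=298&var_a[]=299',
    'http://localhost/url.php?var_a[]=298&var_a[]=#299',   // "299" is a fragment
    'http://localhost/url.php?var_a[]=298&var_a[]=' . urlencode('#299'),
    'http://localhost/url.php?var_a[]=298&var_a[]=29x9',
];
foreach ($samples as $url) {
    echo $url, ' => ', json_encode(parse_id_list($url)), PHP_EOL;
}
```

Only the first URL yields a list of ids; the encoded %23299 does reach the server as "#299" but is rejected because it is not a number.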

jquery .serialize() select multiple tag name for array is being encoded

I have a select multiple tag with a name city[]. The [] brackets are supposed to signify an array in the url query string for the PHP later.
I'm using jQuery .serialize() to get the form value to build a query string for an AJAX call. However, it looks like .serialize() is encoding the URL and not writing the brackets
I should get
index.php?city[]=METROPLOIS&city[]=GOTHAM
Instead I'm getting
index.php?city%5B%5D=METROPLOIS&city%5B%5D=GOTHAM
Is there a way to make it stop encoding for just the name? There may be some instances where the city name has a space, so I'll still need it to encode that.
I think you are just a bit confused since you may be unfamiliar with URL escaping.
But, this works perfectly in PHP. For instance, print_r($_GET) will output:
Array
(
[city] => Array
(
[0] => METROPLOIS
[1] => GOTHAM
)
)
city is interpreted correctly as an array containing the expected values, since city%5B%5D is a valid URL-encoded string for city[].

php json_encode

I have a symfony app that uses the json_encode and json_decode to keep a record of some prices.
The problem is that json_decode works OK in one file (I can decode the string stored in my PSQL database), but when I call it from another file json_decode returns null. I've checked the file encodings (all are utf-8) and the tables and database encoding (utf-8 too). So I don't know where the problem can be, tried utf8_encode() too...
Any help will be appreciated.
Thanks.
Here's the valid encoded json (It was an array encoded by php json_encode)
{"1":{"1":{"fechaInicio":"30-05-2011","precios":{"1":{"precio":"20000","abreviatura":"CLP"}},"fechaRetiro":"31-05-2011"}},"2":{"2":{"fechaInicio":"30-05-2011","precios":{"1":{"precio":"20000","abreviatura":"CLP"}},"fechaRetiro":"31-05-2011"}}}
The array:
$preciosOfertor = Array ( [unidades] => Array ( [1] => Array ( [1] => Array ( [fechaInicio] => 30-05-2011 [precios] => Array ( [1] => Array ( [precio] => 20000 [abreviatura] => CLP ) ) [fechaRetiro] => 31-05-2011 ) ) [2] => Array ( [2] => Array ( [fechaInicio] => 30-05-2011 [precios] => Array ( [1] => Array ( [precio] => 20000 [abreviatura] => CLP ) ) [fechaRetiro] => 31-05-2011 ) ) ) )
To encode it I use:
$preciosOfertor = json_encode($preciosOfertor);
Then I call
$precios = json_decode($databaseObject->getPreciosOfertor(),true);
When I use json_decode in the file that encodes the array it works, but then when I use it in another file of the project I just get NULL with var_dump().
Installed Services_JSON as suggested, but now I'm getting an empty array
The encoded json with Services_JSON is this one:
{"unidades":{"1":{"1":{"fechaInicio":"30-05-2011","precios":{"1":{"precio":"20000","abreviatura":"CLP"}},"fechaRetiro":"31-05-2011"}}}}
But when I call $json->decode() I get Array ( )
Ok people, first thank you all for the help.
I got the solution and it was all thanks to the Zend Json library.
Symfony uses escaping strategies to prevent XSS attacks, SQL Injection attacks, etc. So what happened here in my case, when I called json_encode and json_decode it was inside the object that Doctrine generates to represent my object (In this case a reservation), so because it was a local call to the row data (valoresOfertor), the data from the database was not escaped thus the methods worked fine.
But then, when I tried to encode and decode the values of the row outside the reservation class, Symfony used its escaping strategy so
"
became
&quot
So, trying different JSON libraries, I used Zend one, and saw the exception that displayed (Syntax Error:
at Zend_Json::decode('{"unidades":{"1":{"1":{"fechaInicio":"30-05-2011","precios":{"1":{"precio":"20000","abreviatura":"CLP"}},"fechaRetiro":"31-05-2011"}},"2":{"2":{"fechaInicio":"30-05-2011","precios":{"1":{"precio":"20000","abreviatura":"CLP"}},"fechaRetiro":"31-05-2011"}}}}')
in SF_ROOT_DIR/apps/saas/modules/editreserva/templates/habitacionesSuccess.php line 20 ...
So then I added the following line:
htmlspecialchars_decode($jsonVariable);
And it worked.
I hope it helps someone if he experiences the same with symfony and json.
As far as I know, there were one or more bugs in json_encode() and json_encode() in previous versions of PHP. You could try to update PHP to the latest version or you could use an external library to encode and decode JSON. There are some, but I think PEAR JSON is the best.
It might be the UTF-8 BOM present. Try using UTF without BOM encoding. Also echo the json_last_error() to see what's the problem.
EDIT:
It IS a valid JSON
From php.net : NULL is returned if the json cannot be decoded or if the encoded data is deeper than the recursion limit.
So either you've set a recursion limit lower than the data depth (which may not seem to be the case, if you say that it does work on another page), or the json cannot be decoded.
If it works on one page and it doesn't in another, check the file encoding.
The first page may be encoded to utf-8 (the encoding of your json) but the second one might be something else (like ascii). Check the BOM also. You may need to encode the page to utf-8 without BOM.
If it's a template you're dealing with, have a look at:
$sf_data->getRaw();
http://www.geeganage.com/symfony-json-made-easy/
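The failure modes raised in this thread (HTML-escaped quotes from template output escaping, a UTF-8 BOM, the recursion limit), as an added example that is not code from the original posts. The function name diagnose_json() and the sample strings are constructed for illustration.

```php
<?php
declare(strict_types=1);

/**
 * Added example (hypothetical helper, not from the original posts).
 * Decodes $raw and, when that fails, reports which cause from this
 * thread applies instead of leaving the caller with a bare NULL.
 */
function diagnose_json(string $raw, int $depth = 512): string
{
    json_decode($raw, true, $depth);
    if (json_last_error() === JSON_ERROR_NONE) {
        return 'ok';
    }
    $message = json_last_error_msg();
    if (json_last_error() === JSON_ERROR_DEPTH) {
        return "nesting is deeper than the depth limit ($depth)";
    }
    if (strncmp($raw, "\xEF\xBB\xBF", 3) === 0) {
        return 'UTF-8 BOM in front of the JSON text';
    }
    // Output escaping turns " into &quot;, which is no longer JSON.
    $unescaped = htmlspecialchars_decode($raw, ENT_QUOTES);
    if ($unescaped !== $raw) {
        json_decode($unescaped, true, $depth);
        if (json_last_error() === JSON_ERROR_NONE) {
            return 'HTML-escaped JSON: decode the raw value, escape again on output';
        }
    }
    return $message;
}

// Constructed sample, shortened from the JSON shown in the question.
$json = '{"unidades":{"1":{"1":{"fechaInicio":"30-05-2011","fechaRetiro":"31-05-2011"}}}}';

$cases = [
    'raw value'        => $json,
    'after escaping'   => htmlspecialchars($json, ENT_QUOTES),
    'with BOM'         => "\xEF\xBB\xBF" . $json,
    'depth limit of 2' => $json,
    'truncated'        => substr($json, 0, 20),
];
foreach ($cases as $label => $value) {
    $depth = $label === 'depth limit of 2' ? 2 : 512;
    echo str_pad($label, 18), diagnose_json($value, $depth), PHP_EOL;
}
```

Values decoded from an unescaped string are untrusted text again, so they need escaping at the point where they are printed into a template.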

PHP/Drupal - Pound sign on array

Hi
When I print out the variable, I got pound sign on the array as below:
...
[#weight] => 0
[#theme] => text_formatter_default
[#field_name] => field_product_item_no
[#type_name] => product
...
What is the meaning of Pound sign?
Thanks
This is just the way the Drupal Forms API expects its data.
In Drupal, [#key]'s value is metadata, whereas [key]'s value is data.
According to the answer given to my question about "#" properties on the Drupal Stackexchange,
Put simply, array keys in a render array without a # in front of the name are seen as children of the render array, and are subsequently rendered themselves (recursively).
Those with a # in front of them are seen as meta data/variables for the render array to use as necessary, and are not themselves rendered.
The pound sign is just a valid character as array key and has no special meaning in PHP besides a convention defined by the application.
