I have a problem concerning the input of special characters. Firstly, + is considered
as a special character, right? I have a field in my form that needs to be able to contain a +. However, when I send it to my PHP script using AJAX and access the variable using $_POST, the + is not displayed, and therefore, not saved in the database.
Example:
// on the JavaScript side
value = +123;
paramPost = "name=abc&value=" + value;
alert("paramPost = " + paramPost);
// Output: parampost = name=abc&value=123
// The + is gone!
// Also, when I change value to a string, the + is still there,
// but when PHP receives it, it's gone.
ajax.doPost(paramPost);
// on the PHP side
$val = $_POST['value'];
echo "val = $val";
// Output: 123
// The + is no longer there!
What can I do to fix this?
I tried this:
$val = htmlspecialchars($_POST['value'], ENT_QUOTES);
...but it still didn't work.
A + is redundant on a number; change +123 to "+123".
If your JavaScript library does not escape that, also do encodeURIComponent(value) instead of value. So, your fixed code should be:
value = "+123";
paramPost = "name=abc&value=" + encodeURIComponent(value);
// ..
ajax.doPost(paramPost);
In javascript, a leading '+' before a number indicates it is positive. To send the value '+1' as part of a URI query param, you'll need to escape it. The correctly escaped version of '+1' would be:
%2B1
where %2B is the HEX value for '+'
Related
I have searched for similar questions and have found this
but it has not helped for my situation. On my site, a user inputs an answer. The string is sent via an ajax call to a php file. The string may or may not contain special characters, so I use
encodeURIComponent()
before the string is sent to the php file.
The user-inputted string is compared in the php file with a string that represents the "correct answer", and if the strings are found to be equivalent strings after processing, the user-inputted answer is "correct". I have not had a problem with any strings lately until today. Until today, strings with letters, special characters (parentheses, minus sign, plus sign) and numbers have worked fine using the following processing in php:
<?php include 'connect.php';
$UserInput = trim($_GET['userinput']);
$QID = mysqli_real_escape_string($cxn, $_GET['qid']);
$sqlIQ = mysqli_fetch_assoc(mysqli_query($cxn, "SELECT answer FROM IndexQuestions WHERE sampqid = $QID"));
$StrReplaceArray = array("<i>", "</i>", "</sup>", " ");
$CorrectAnswer1 = str_replace($StrReplaceArray, "", $sqlIQ['answer']);
$CorrectAnswer2 = str_replace("<sup>", "^", $CorrectAnswer1);
$UserAnswer1 = str_replace(" ", "", $UserInput);
$UserAnswer2 = str_replace("+-", "-", $UserAnswer1);
if (strcasecmp($UserAnswer2, $CorrectAnswer2) == 0) {
$CorrectOrNot = 'Correct';
} else {
$CorrectOrNot = 'Incorrect';
}
However, the latest string is not working. The user-inputted string is -2 ± √3 which is sent to the php file as -2 ± √3 (with or without the whitespace). The "correct answer" saved in another table is -2 ± √3. I have echoed the following:
echo $UserAnswer2 . " " . $CorrectAnswer2; //after str_replace processing shown above
and the html output for each variable looks identical to me. I have also tried the following for comparative purposes (instead of strcasecmp):
if ($UserAnswer2 == htmlentities($CorrectAnswer2)) { //etc.
but still the same.
When I check a separate table (which stores the user's answer), the answer is stored the way I want it to be:
$unixtime = time();
$AnswerID = substr(md5(rand(0, 1000000)), 0, 10).$unixtime;
$sqlIQStats = mysqli_query($cxn, "INSERT INTO IQStats (answer_id, useranswer) VALUES ('$AnswerID', '".htmlentities($UserAnswer2)."')");
and appears in the database as -2 ± √3.
The html charset the site uses is charset=utf-8.
var_dump gives the following (with no spaces for user answer): $UserInput and $UserAnswer2 both give string(8) "-2±√3" whereas $CorrectAnswer2 gives string(18) "-2±√3"
Does anyone have any ideas as to why the strings, after string-processing and comparison in the php file, are found to be inequivalent strings?
OK...solved it by changing $UserInput to:
$UserInput = htmlentities(trim($_GET['userinput']));
If i have some code in index.php
if ($_GET['x']==="\x01\x03\x03\x07")
{
echo 'OK';
}
So, how i could pass value x in url index.php?x=??? to get output 'OK'.
Thanks!
so, url must be like this:
... index.php?x=\x01\x03\x03\x07
and your $_GET must be like this:
$_GET['x'] = "\\x01\\x03\\x03\\x07";
It will return "OK"
To compare '\x01\x03\x03\x07'(hex value) with variable x that you sent in the url, first you have to change '\x01\x03\x03\x07' to '\\x01\\x03\\x03\\x07'. Why ? because if you don't double the '\' you won't be able to compare these.
So, you have to place the hex in a variable like this:
$hex = "\x01\x03\x03\x07";
and you will compare 'x' with edited $hex (the value be "\\x01\\x03\\x03\\x07").
to make edited/fixed $hex we have to use a function, str_ireplace().
here's the example:
$hex = "\x01\x03\x03\x07";
$hex_able_to_compare = "\\x01\\x03\\x03\\x07";
$fixed = str_ireplace($hex,$hex_able_to_compare,$hex);
if ($_GET['x'] == $fixed){
echo "OK!";
}
else {
echo "Not OK!";
}
So you can still compare your hex with place your hex to $hex variable.
But the problem is: what if the the hex value is dynamic? we should make the value of $hex_able_to_compare as dynamic too,. :D
To passing the hex value in URL you need character "%" before hex code. For example, %20 stand for space character.
So URL you need is:
index.php/x=%01%03%03%07
You can references HTML URL Encode here
P/s: I think you are playing ctf.wargamevn.vn ;))
I have a url like
test.php?x=hello+world&y=%00h%00e%00l%00l%00o
when i write it to file
file_put_contents('x.txt', $_GET['x']); // -->hello world
file_put_contents('y.txt', $_GET['y']); // -->\0h\0e\0l\0l\0o
but i need to write it to without encoding
file_put_contents('x.txt', ????); // -->hello+world
file_put_contents('y.txt', ????); // -->%00h%00e%00l%00l%00o
how can i do?
Thanks
You can get unencoded values from the $_SERVER["QUERY_STRING"] variable.
function getNonDecodedParameters() {
$a = array();
foreach (explode ("&", $_SERVER["QUERY_STRING"]) as $q) {
$p = explode ('=', $q, 2);
$a[$p[0]] = isset ($p[1]) ? $p[1] : '';
}
return $a;
}
$input = getNonDecodedParameters();
file_put_contents('x.txt', $input['x']);
Because the The $_GET and $_REQUEST superglobals are automatically run through a decoding function (equivalent to urldecode()), you simply need to re-urlencode() the data to get it to match the characters passed in the URL string:
file_put_contents('x.txt', urlencode($_GET['x'])); // -->hello+world
file_put_contents('y.txt', urlencode($_GET['y'])); // -->%00h%00e%00l%00l%00o
I've tested this out locally and it's working perfectly. However, from your comments, you might want to look at your encoding settings as well. If the result of urlencode($_GET['y']) is %5C0h%5C0e%5C0l%5C0l%5C0o then it appears that the null character that you're passing in (%00) is being interpreted as a literal string "\0" (like a \ character concatenated to a 0 character) instead of correctly interpreting the \0 as a single null character.
You should have a look at the PHP documentation on string encoding and ASCII device control characters.
i think you can use urlencode() to pass the value in URL and urldecode() to get the value.
I'm sending comma separated values through a URL (key, value). I'm encoding them with Javascript's escape() and then replacing the commas within each value with %2c . The problem is at the PHP end the commas that are encoded are turned into "," BEFORE explode() takes place and then my string containing commas is broken up and it doesn't save right.
How can I stop PHP from converting my encoded bits back into unencoded bits?
My JS for each input is:
fieldData += $(this).attr("id")+","+escape($(this).html()).replace(/,/g,"%2c")+",";
My PHP is:
$fieldData = explode(",", $_POST['fieldData']);
Tried (along with other things):
$fieldData = explode(",", urlencode($_POST['fieldData']));
I would suggest using base64encode/decode for this.
The javascript would look something like this: http://jsfiddle.net/Y6yuN/
<script src='http://javascriptbase64.googlecode.com/svn/trunk/base64.js'></script>
fieldData += $(this).attr("id")+","+escape(Base64.encode($(this).html()))+",";
The escape is for the trailing =
So you would end up with comma delimited base64 encoded strings.
On the PHP side:
$fieldData = explode(",", $_POST['fieldData']);
foreach ($fieldData as $k => $v){
$fieldData[$k] = base64_decode(urldecode($v));
}
Your post is not really well explained, but I think you want to decode the data passed by JS. So, the code should be:
$fieldData = explode(",", urldecode($_POST['fieldData']));
Try to write it better if I am wrong!
<?php
include 'db_connect.php';
$q = mysql_real_escape_string($_GET['q']);
$arr = explode('+', $q);
foreach($arr as $ing)
{
echo $ing;
echo "<br/>";
}
mysql_close($db);
?>
Calling:
findByIncredients.php?q=Hans+Wurst+Wurstel
Source code HTML:
Hans Wurst Wurstel<br/>
Why is there only one newline?
+s in URL are urlencoded spaces. So what php sees in the variable is "Hans Wurst Wurstel". You need to split by space ' ', not +
arr = explode (' ',$q);
"+" gets converted to SPACE on URL decoding.
You may want to pass your string as str1-str2-str3 in get parameter.
Try:
<?php
include 'db_connect.php';
$q = mysql_real_escape_string($_GET['q']);
$arr = explode (' ',$q);
foreach($arr as $ing)
{
echo $ing;
echo "<br/>";
}
mysql_close($db);
?>
Hans+Wurst+Wurstel is the url escaped query string. The php page will likely process it once unescaped (in this case, all +s will be translated into spaces). You should choose a delimiter for explode according to the string as it is in that moment. You can use print_r() for a raw print if you don't know how the string (or any kind of variable) looks like.
Easy. While the standard RFC 3986 url encoding would encode the space " " as "%20", due to historical reasons, it can also be encoded as "+". When PHP parses the query string, it will convert the "+" character to a space.
This is also illustrated by the existence of both:
urlencode: equivalent of what PHP uses internally, will convert " " to "+".
rawurlencode: RFC-conformant encoder, will convert " " to "%20".
I'm assuming you want to explode by space. If you really wanted to encode a "+" character, you could use "%2B", which is the rawurlencode version and will always work.
(EDIT)
Related questions:
When to encode space to plus (+) or %20?
PHP - Plus sign with GET query