If I have a URL like asdf.com/index.php?a=0&b=2, then using $_GET for a would be 0 and for b would be 2. However, the term I put into a single $_GET function has an ampersand in it already, like a=Steak&Cheese. Is there a way to make ampersands work without the $_GET variable thinking its job ends when the ampersand shows up (therefore not pulling the entire term)?
urlencode() it so & turns into %26.
If you need to make a query string out of some parameters, you can use http_build_query() instead and it will URL encode your parameters for you.
On the receiving end, your $_GET values will be decoded for you by PHP, so the query string a=Steak%26Cheese corresponds to $_GET = array('a' => 'Steak&Cheese').
Yes, you must URL Encode before request URL. Read this http://www.w3schools.com/TAGS/ref_urlencode.asp
Here is a previous post covering this in jquery AJAX requests, but to summarize you have to encoded the uri. This will convert the ampersand value to a ascii value.
Ampersand in GET, PHP
Related
I am doing a post HTTP request in swift 4.2 and in one of my Strings I put in the parameters contain "&" but apparently the requests gets cut off after this symbol. I thought about replacing every "&" symbol with a unique placeholder and convert it back in PHP.
But is there are more elegant or easy way of doing this?
URL encode your data (and decode it when you need to use it), that will make the ampersand into %26 which will stop it cutting off in your GET request.
You could replace the "&" with "%26" and then it's have to work :)
All Precent-encoding characters:
https://en.wikipedia.org/wiki/Percent-encoding#Percent-encoding_reserved_characters
You should probably minimize how much manual percent escaping you do. You might, for example, use URLComponents to build your URL and percent escape it for you:
guard var components = URLComponents(string: "http://example.com") else { return }
components.queryItems = [URLQueryItem(name: "foo", value: "bar&baz")]
let url = components.url
That will result in:
http://example.com?foo=bar%26baz
The ampersand, as well as a few other characters, need to be encoded if they are within a query parameter otherwise they could be recognized as a delimiter of some sort.
You can encode a string for a query param in Swift like this:
let value = string.addingPercentEncoding(withAllowedCharacters: .urlQueryAllowed)
let urlString = "https://example.com/?query=\(value)"
On the other side, your server will receive the encode param value but will need to decode it.
PHP includes the urlencode() and urldecode() functions, and stift includes the .addingPercentEncoding function.
This means you can replace with the encoded version of the '&' symbol which is '%26', or you can use swift's function
Then when you recieve this value you can use urldecode( $escapedString ), or just replace '%26' with '&', or just pull the values stright from the request with $_GET.
When connecting to PayPal I use a URL like this (I am using fake values here, but the structure is real):
https://www.paypal.com/cgi-bin/webscr?&business=ZDS346347&cmd=_xclick&amount=100&item_name=Test&no_note=1&no_shipping=1&rm=2&return=http://www.website.com/registration.php?paypal=1&classid=122&sessionid=264&studentid=2286
The problem is when I send this url, it truncates my return value query string from this:
paypal=1&classid=122&sessionid=264&studentid=2286
to this:
paypal=1
The ampersands in the return value are confusing it, but I need to use them so I can process those query string values on the return.
Is there someway, I can pass that whole return string to PayPal so it won't truncate after the first ampersand it hits.
Thanks,
Chris
Wrap the passed URL with urlencode to turn the ampersands into PayPal-parsable characters, then when your URL gets called use urldecode to decode them.
This happens because PayPal's URL simply splits everything after the ? into chunks by the & symbol. It doesn't know when one is part of your website or not. So it's sending PayPal classid=122 as it's own key/value pair, not as a part of your URL. Encoding the URL this way should make it work correctly.
edit Referenced the wrong PHP functions. urlencode/decode are for GET parameter passing, htmlspecialchars is for storing HTML data
Let's say I have the following URL: pic.php?t=1&p=23
When I try phpThumb.php?src=/pic.php?t=1&p=23, I get Forbidden parameter: p.
Anyone knows if there's a way around it?
You need to URLEncode that ampersand if you are trying to pass p=23 to pic.php. Try replacing the & with %26.
What you are effectively doing there is passing p=23 as a parameter to phpThumb.php, which obviously it doesn't like...
What you probably want to do is 'phpThumb.php?src='.urlencode('/pic.php?t=1&p=23');
Read this and this.
urlencode() the URL before passing it to phpThumb.
You can URL encode the ampersand to make it part of the content of the parameter in the querystring. This way, the whole /pic.php?t=1&p=23 gets passed as the src.
phpThumb.php?src=/pic.php?t=1%26p=23
The %26 is the encoded version of the &.
Use urlencode().
I have a variable which consists of
// The First Page (hello.php)
$a = 'goto.php?a_56=63525588000&url=http://www.example.com/site/DISC+cUSTOMc+Studio+24+- +Windows/1142766.p?
id=1218224802931&usi=1142766&cmp=RMX&
ky=2crslw0k9ZOM0ciu2rqi4NsYY7eQnnEyP';
// The Second Page (goto.php)
$r = $_GET['url'];
echo $r;
//http://www.example.com/site/Disc cCustomc Studio 8 - Windows/1142766.p?id=1218224802931
Why is it getting cut off?
This isn't a length issue, it's because you want one of your GET parameters (url in this case) to contain the & character. You need to urlencode this character otherwise it will be interpreted as another GET parameter in the request, rather than as part of the url parameter.
When urlencoding, & will become %26 and your query string will become this,
goto.php?a_56=63525588000&url=http://www.example.com/site/DISC+cUSTOMc+Studio+24+-+Windows/1142766.p?id=1218224802931%26usi=1142766%26cmp=RMX%26ky=2crslw0k9ZOM0ciu2rqi4NsYY7eQnnEyP
It's getting cut off because it's treating the & in your url parameter as an actual GET parameter divider, when it's not.
You need to use urlencode() to encode your URL.
The ampersand is used to separate parameters in the outside query string. You will need to URL-encode it if you want to use it within a GET parameter.
Because & indicates the end of a key/value pair in a query string.
Use urlencode to prepare data for inclusion in a query string.
I am retrieving an encoded url via querystring. I need to pass it again to the next page. When I retrieve it the first time, using $_REQUEST['url'], only the slashes are decoded, e.g:
http://example.com/search~S10?/Xllamas&searchscope=10&SORT=D/Xllamas&searchscope=10&SORT=D&SUBKEY=llamas/51%2C64%2C64%2CB/browse
The php docs page for urldecode advises against decoding request data, and says that it will already be decoded. I need it either completely decoded, so I can encode it again without double-encoding some parts, or not decoded at all.
I'm not sure why my experience of this data is incongruous with the php docs. Appreciate any help or pointers to same!!
EDIT: attempt to post relevant code, which is scattered about:
the url is encoded and added to the querystring (in an html file using smarty template):
<a class="button" href="{$baseurl}search_nojs?searcharg={$searcharg|escape:'url'}&url={$next|escape:'url'}"><span>Next>></span></a>
if that link was followed, i'm grabbing the url back out of the querystring (in a php file):
if(array_key_exists('url', $_REQUEST)) {
$sm->assign("searchurl", $_REQUEST['url']);
}
Then I'd like to stick the url back into the querystring for the next link (in another html file):
href="{$baseurl}detail?bibid={$res.bibid}&searcharg={$searcharg}{if $searchurl}&searchurl={$searchurl}{/if}"
I'm also printing {$searchurl} straight onto the page, and getting the same half-escaped result.
Here is another example of the querystring vs. the data i get from $_REQUEST:
originally encoded url in querystring:
searcharg=mammals&url=http%3A%2F%2Fexample.com%2Fsearch%7ES10%3F%2FXmammals%26searchscope%3D10%26SORT%3DD%2FXmammals%26searchscope%3D10%26SORT%3DD%26SUBKEY%3Dmammals%2F51%252C1114%252C1114%252CB%2Fbrowse
data retrieved from $_REQUEST:
searcharg=mammals&searchurl=http://example.com/search~S10?/Xmammals&searchscope=10&SORT=D/Xmammals&searchscope=10&SORT=D&SUBKEY=mammals/51%2C1114%2C1114%2CB/browse
I know this method may seem curious -- I am trying to make a mobile display, working around a black-box database. Thanks again for any help!!
Here is another example of the querystring vs. the data i get from $_REQUEST:
originally encoded url in querystring:
searcharg=mammals&url=http%3A%2F%2Fexample.com%2Fsearch%7ES10%3F%2FXmammals%26searchscope%3D10%26SORT%3DD%2FXmammals%26searchscope%3D10%26SORT%3DD%26SUBKEY%3Dmammals%2F51%252C1114%252C1114%252CB%2Fbrowse
This is double encoded. For example: %252C -> %2C -> ,
So at the point that you encode the url parameter, you're introducing double encoding. Perhaps you should ensure that, before encoding parameters, you decode them until they can be decoded no more (aka canonicalisation). You could use urldecode in a loop for this.
You also want to ensure that when you put the url parameter back into html context (as a link) that you escape for HTML Attributes too. Otherwise you have an XSS vulnerability.
The comma (U+002C) is a reserved character in the query and thus must be encoded with %2C:
3.4. Query Component
The query component is a string of information to be interpreted by
the resource.
query = *uric
Within a query component, the characters ";", "/", "?", ":", "#",
"&", "=", "+", ",", and "$" are reserved.