I have an email address param where email addresses are passed un-encoded like so:
http://domain/script?email=test+test#gmail.com
What PHP escaping/encoding will let me safely display the email address on an input field on the page?
Everything I tried causes the encoded chars to show up instead of the user-friendly email address (i.e. test%2Btest%40test.com)
Update - here's what I've tried:
Going from ?email=test+test#gmail.com to:
urlencode($_GET['email']) = test+test%40test.com (# sign is encoded)
htmlspecialchars($_GET['email']) = test test#test.com (lost the +)
htmlspecialchars(urlencode($_GET['email']) = test+test%40test.com (# sign encoded)
Recall that I'm trying to take the unencoded url email param and safely output it into the value of an input field while keeping plus signs intact.
Maybe I should try this?
str_replace("%40", "#", htmlspecialchars(urlencode($_GET['email'])))
If you want to safely output it in the value of an input field, you need to htmlencode it first with htmlspecialchars.
Example :
<input type="email" name="email" value="<?php echo htmlspecialchars($_GET['email']); ?>"
Note : If you aren't using double quote around what you are output, you need to apply more escaping. This page explains it all.
This works:
str_replace("%40", "#", htmlspecialchars(urlencode($_GET['email'])))
You're probably looking for urldecode()? That's what converts %40, %2B, etc. back into normal characters.
use emailaddress = urldecode($_GET['email']); as Kevin suggested. it will do whatever you need.
What if you validate the email and write it as it was, if only an email address is acceptable?
Related
I am creating an HTML form (to send a plain text email, using Swift Mailer ..but that's not important right now), using PHP server-side, where I want to display the user's text input for them to finally confirm before actually sending the email.
I use nl2br(htmlspecialchars()) to display the user's form field input safely, and then need to output that input into an <input type="hidden" ../> form field to be submitted again for actually creating the email.
The email body can obviously contain all sorts of potentially troublesome characters such as single and double quotes, ampersands, less-then and greater-than symbols.
In the context of my input field, am I right in thinking that my sole(?) problem is ensuring that the form quotes around value=".." (I usually use double quotes) and any quote characters in the input string value don't clash with each other? Is there a PHP function along similar lines to htmlspecialchars which will escape quotes as necessary? I don't want to convert anything into HTML entities as the email that I will be sending will be plain text.
You must use the function String addslashes( $str ) http://php.net/manual/fr/function.addslashes.php
After much further perusal of the PHP manual, it looks as though I can use htmlspecialchars($text, ENT_QUOTES) to safely encode my text for the form field, and then use (the "relatively" new corresponding reverse function) htmlspecialchars_decode($text, ENT_QUOTES) to convert the HTML entities safely back to normal characters again, when creating the plain text email message.
I have integrated paypal in my application. Everything works good.
I have a minor issue, i want my custom field email as query string on success page to insert more data for that user.
My input coding is below:
<input id="custom" name="custom" class="form_textbox"/>
And my redirect is as below:
<input type="hidden" name="return" value="http://myweburl.com/ticket.php?tck=test#email.com">
But its not passing dynamically. I want to pass email entered in input "custom" to this query string. I know may be the solutions will be basic, but i tried everything, but couldn't make it work.
It may be that that certain characters need to be encoded for URLs. At a minimum, you should be encoding the ? question mark in your return value. It also may not be a bad idea to encode the slashes /.
For example, here are some characters that may need to be encoded in your example:
? = %3F
/ = %2F
You can take reference other encoded characters on Wikipedia, or try Googling.
oh eh...ya...lots commented there are lots email validation can be used but just that for this one I have to do it like what is mentioned below that's why....
I need to validate email like this
alphanumeric characters followed by # followed by alphanumeric characters followed by . followed by 2 – 4 more alphanumeric characters
this is what I have done but somehow I know it's the last part after . I messed up but I couldn't find where I messed up....
preg_match("/^([0-9]|[a-z])([0-9]|[a-z]|[_-])*#([0-9]|[a-z])*\.([0-9][a-z]){2,4}$/i","")
at start I used [0-9]|[a-z])([0-9]|[a-z]|[_-] because I didn't want people able to use _- as the start....so forced start as number/letters only
There must be a million different people that wrote a new regex for email validation. If you are interested in the email format you can just use
$email = filter_var($email, FILTER_VALIDATE_EMAIL);
and if the final value is empty the initial one wasn't a valid email address format.
(as an extra step you could try to validate the domain by using this function http://php.net/manual/en/function.checkdnsrr.php)
Have a try with this:
^[0-9a-z_\-]+#[0-9a-z_\-]+\.[0-9a-z]{2,4}$
But as said: there are ready-to-use regexes, much better than trying to reinvent the wheel. Also this current approach does not macth all valid addresses and validates some addresses that are illegal.
Which reason of email validation? It is very upset when you try to enter you email and you can't due to the stupid validation. I think it is enoth to check the availability of '#' and '.' signs, in case user unintentionally missed this.
$res = preg_match("/#[^#\.]*\./", $str);
I have two issues
When I submit the character ' through my HTML form (using POST) it is fine. However, in the form I allow to modify the submitted content, when it is brought in, anything after the ' disappears. I've deduced that this is because when I assign the text content containing the ' to the text field, it closes the quote. For example, if I submit Hello there I'm John, it will do: <input type=text value='Hello there I'm Jon />
So you see, the apostrophe in I'm closes the quote for the value attribute. So the only solution I can think of would be to escape the apostrophe, but even when I leave my mysql_real_escape_string() function on the content (as it's submitted to a database escaped and retrieved for this form).
Similarly, when I submit an & or a +, it disappears. This happens any time I try to print it anywhere, regardless of using the htmlspecialchars() function (which I was under the impression should encode them in HTML format for such characters, like: &). so as an example, if someone enters Me & you then it will be displayed as Me you.
So I'm asking: How can I fix the above issues, seeming to have to do with special characters, despite already having them escaped (and I even tried applying the escape function again)? If there is any sample code I should supply, please let me know, but I've explained what I am doing to each input.
When I submit the character ' through my HTML form (using POST) it is fine. However, in the form I allow to modify the submitted content, when it is brought in, anything after the ' disappears. I've deduced that this is because when I assign the text content containing the ' to the text field, it closes the quote. For example, if I submit Hello there I'm John, it will do: <input type=text value='Hello there I'm Jon /> So you see, the apostrophe in I'm closes the quote for the value attribute. So the only solution I can think of would be to escape the apostrophe, but even when I leave my mysql_real_escape_string() function on the content (as it's submitted to a database escaped and retrieved for this form).
This has nothing to do with submitting the data. You are trying to use ' in an attribute value that is delimited with ' characters.
Use htmlspecialchars($data, ENT_QUOTES)
Similarly, when I submit an & or a +, it disappears. This happens any time I try to print it anywhere, regardless of using the htmlspecialchars() function (which I was under the impression should encode them in HTML format for such characters, like: &). so as an example, if someone enters Me & you then it will be displayed as Me you.
In data encoded as application/x-www-form-urlencoded & means "Start of new key=value pair" and + means "A space". You need to urlencode($data).
First, it helps to properly contain HTML attributes, like so:
<input type="text" value="Hello there I'm Jon" />
I'm using double quotes, notice the trailing quote on the value, which your original didn't have. If you then wrap the value in htmlentities() you'll be able to properly display/save " or any other value in your form.
While double quotes aren't strictly necessary in HTML5 (' will work just fine in most cases), they are at least encouraged. If you're using some variant of XHTML, they are required.
A lazy but fast way to do things here is use urlencode() on the contents of the fields before they are posted, and the urldecode() on the other side.
It's not the proper way, or the nice way ... but it works if you don't want to write some specific code to handle the cases.
I am using cakephp. And I have textarea field where users paste data, I using tinymce plugin to format text. I have warned users not to enter telephone number or email address inside the textarea. But, I dont want to take chances.
Is there a way I can extract the telephone number and email from textarea and replace it something like XXXX#gmail.com..
I appreciate any help.
Thanks.
Here's something off the top of my head for replacing the e-mail address with hidden:
$str = "My e-mail is shown#gmail.com Contact me for more details";
$str = preg_replace("/([a-zA-Z0-9\._]+)(#[a-zA-Z0-9\-\.]+)/", "hidden\\2", $str);
print($str);
The e-mail regex is not the best, but it's something that works for your example. You can get more interesting regexes (emails and phone numbers) at http://www.regexlib.com/ and use them with a simple preg_replace.
You could:
$string = "blabla#blablabla.com";
$parts = explode("#",$string);
\\$parts[0] contains the local part
\\$parts[1] contains the domain.
Keep in mind that, (even though it is not usual), the format defined by RFC 822 allows the "#" symbol to appear within quotation marks. This means: "bl#bla"#blablabla.com is technically correct.