I'm using CodeIgniter and I have a controller which processes uploads using AJAX.
The controller expects to receive the name of the file as a parameter, therefore I need to accept almost any kind of possible character in the URL.
My JavaScript encodes the file name using encodeURI(), therefore a file named "My File [x].avi" becomes "My%20file%20%5BX%5D.mpg". Everything fine so far.
Problem comes when receiving that parameter into CodeIgniter. The URL looks like
http://localhost/myproject/uploader/upload/My%20file%20%5BX%5D.avi
And the header of the controller:
function upload($param1='') { }
When I print $param1 I get:
string(8) "My_file_"
Even if I use urldecode() it remains the same. Therefore CodeIgniter is eating the encoded square brackets. Any help?
Thank you so much in advance.
I think you have $config['global_xss_filtering'] set to true and so CI is cleaning the vars. If this is the case, you can either set it to false or tweak input->xss_clean function.
Related
So I'm having quite a problem! I need to import a HTML file to a blade in Laravel, which I'm already doing! With this code:
<?php include ; ?>
I need to do it this way; for this project, I cannot transform the HTML files to blades.
But now comes a problem: my HTML files need to redirect me between them. For example if I have two HTML files, the first one needs to contain a redirect to the second one and vice versa. To do this, I need to pass a variable that contains that redirect to my HTML file: is that even possible?
I pass the collection that contains the argument to my blade already where I include the HTML File.
What I've tried:
I tried to pass the argument I need to the "href", imagine the argument is
$loop->iteration
Which it is, as I need to pass an int to my URL, so I tried:
href="{{$loop->iteration}}"
But it returns exactly what I wrote in my URL, so it doesn't treat my argument as a PHP argument but as a string.
For one of my Laravel web apps I want to log all the request parameters (POST as well as GET) in the database in JSON format. For that I am using the $request->all() method, which results in an exception when a user tries to upload any file.
That's why I want a way to select only serializable parameters from the request (for GET as well as for POST requests), or a way to select all the request parameters except files.
Request::except([]) will not work for me since with the except method we would have to provide the file parameter names.
In my project, I used this except for many fields like below,
$input = $request->except('first_name', 'middle_name', 'last_name', 'address',...);
It works fine for me.
I stored all the remaining values in $input and store values from that input variable.
Please try this one.
In your case please take this debug code for a test once; you might like to use it in your current work.
$allRequestParams = array_map(function($input) {
return !is_array($input) ? $input : false;
}, $request->all());
echo '<pre>';
print_r($allRequestParams);
echo '</pre>';
die;
Since none of the answers worked for me, I did lots of reading and some digging about Laravel, but I still could not find the specific solution I was looking for, so I did a small hack: instead of using Laravel's Request object and pulling parameters from there, I simply used PHP's built-in $_REQUEST parameter.
E.g.
$non_file_parameters = $_REQUEST;
$_REQUEST will have both GET and POST parameters but not file parameters, because in core PHP we have the $_FILES superglobal variable for files.
Thanks guys for your efforts...
I would like to encode a php page which contains some php functions.
For example, I have a page named code.php with these functions:
<?php
function data(){
echo "foo";
...
}
function storage(){
echo "storage files..";
...
}
?>
I use these functions in my other PHP pages and I would like to protect them from other users. How can I encode their code?
I read about base64_encode() but the examples only show how to encode a string: how can I use this solution to encode and decode my php functions?
Thank you!
If you want to stop others from seeing your PHP code you can either make it as hard as possible (via minifying, obfuscating, whatever you wish to call it) or encrypt it.
There's an answer right here on SO with a few suggestions, and another I'd add is ionCube.
With encrypted code you're likely to need further changes to your web server such as an apache module. With obfuscation it will just make it harder for the other developers to read, for instance changing variables and functions names to something meaningless and hard to read.
You will inevitably need to keep a copy of your unobfuscated PHP so you can work on it in a sane manner, which may be hard if you're only developing on your server.
To use Base64 you're probably thinking of doing something like this:
eval(base64_decode('ZnVuY3Rpb24gZGF0YSgpew0KZWNobyAiZm9vIjsNCn0NCmZ1bmN0aW9uIHN0b3JhZ2UoKXsNCmVjaG8gInN0b3JhZ2UgZmlsZXMuLiI7DQp9DQokZGF0YSA9ICdkYXRhJzsNCiRzdG9yYWdlID0gJ3N0b3JhZ2UnOw=='));
What's happening here is the Base 64 string is actually valid PHP, and you first decrypt it then eval it. An example of what the decoded string might look like:
function data(){
echo "foo";
}
function storage(){
echo "storage files..";
}
$data = 'data';
$storage = 'storage';
After the above eval call you would then do something like:
// call the data function
$data();
// call the storage function
$storage();
As stated in the documentation:
PHP supports the concept of variable functions. This means that if a
variable name has parentheses appended to it, PHP will look for a
function with the same name as whatever the variable evaluates to, and
will attempt to execute it.
So, calling $someVariable() will try to run a function named whatever $someVariable contains. If you set $someVariable to foo, it would try to run foo(), if you set $someVariable to sausage, it would try to run sausage() and so on.
Obviously bear in mind that you need to make sure these function variables' names aren't going to be used elsewhere.
Setup:
Script that generates word images from multiple letter images
(autotext.php)
URL is formatted:
www.whatever.com/autotext.php?text=hello%20world
Script that alters images server-side to run filters or generate
smaller sizes (thumbnail.php)
URL is formatted:
www.whatever.com/thumbnail.php?src=whatever.png&h=XXX&w=XXX
Use-case:
I want to generate a smaller version of the autotext server-side. So my call would look something like:
www.whatever.com/thumbnail.php?src=autotext.php?text=hello%20world&h=XXX&w=XXX
As you can see, I would like to treat a URL with _GET variables as a variable itself. No amount of playing with URI encoding has helped make this work.
I have access to the PHP for both scripts, and can make some simple alterations if that's the only solution. Any help or advice would be appreciated. I would not even rule out a Javascript frontend solution, though my preference is to utilize the two scripts I already have implemented.
You should be able to do this by urlencoding all the $_GET params into a variable then assigning that variable to another, like this (untested):
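// URL generation: the current query string becomes one encoded value of src
$url = 'www.whatever.com/thumbnail.php?src=' . urlencode(http_build_query($_GET));
Then you should be able to retrieve on other side:
// Retrieval: split the pairs, then decode each one (urldecode() takes a string, not an array)
$src = array_map('urldecode', explode('&', $_GET['src']));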
I've seen this exact behavior when trapping where to redirect a user, after an action occurs.
---- Update ----
Your "use case" url was correct:
www.whatever.com/thumbnail.php?src=autotext.php?text=hello%20world&h=XXX&w=XXX
.... except that you CANNOT have more than one ? within a "valid" url. So if you convert the 2nd ? to a &, you should then be able to access $_GET['text'] from the autotext.php script, then you can urldecode it to get the contents.
NEW INFORMATION:
I used the print_r function on the $_REQUEST and something very strange is happening there too. Some values are being correctly passed by the GET such as a value on another form which passes in "TRUE". This can be seen in the print_r output but isn't written to the file... Still no closer to finding a solution to my problem however.
I'm working on a page with a lot of forms which are loaded in as needed by AJAX. This all works fine as does parsing the name:value pairs and storing them appropriately.
My error happens when the PHP parses the GET request sent by AJAX when the user is finished, it only seems to retrieve the values from certain fields.
The idea is that the user can add data from any number of forms, which are then turned into a GET request and sent to the server.
The JavaScript is building my request perfectly and all forms are sent correctly.
Depending on the forms the user submits, the data is processed by a large switch statement which passes the relevant names to a variadic function which grabs the values, and creates a string for writing to a file.
The strange error is that only some values get written to the file with others only having a blank line. No error reported by Apache or PHP, no error reported in the JavaScript console either.
I'll use the Colour form for example as this is one of the more complex.
So I add a colour action and click the button to submit all forms (this time, it's just the colour form though)
My get request looks like this:
actionIDs=Colour&coOptionSelect=Tinting&coColourEffect=Sepia&coRemoveColour=#000000&coRemoveFuzzNumber=0&coRemoveHueSelect=None&coReplaceColour=#000000&coReplaceFuzzNumber=0&coReplacementColour=#000000&coReplacementAlphaNumber=0&coReplaceHueSelect=None&coReplacementHueSelect=None
Next, the PHP parses the actionIDs part as sometimes, there will be many actions. This works fine.
We now jump to the Colour part of the switch statement.
case "Colour":
$config = processAction("coOptionSelect", "coColourEffect", "coRemoveColour", "coRemoveFuzzNumber", "coRemoveHueSelect", "coReplaceColour", "coReplaceFuzzNumber", "coReplacementColour", "coReplacementAlphaNumber", "coReplaceHueSelect", "coReplacementHueSelect");
file_put_contents($confpath . "colour.conf", $config);
break;
That writes to the correct file, but strangely, only coOptionsSelect and coColourEffect have their values written to the file. It isn't their input type as they are select statements similar to the other selects on the form. On other forms, it may be a number input or a text input that submits properly instead.
It isn't random either, the same ones will always write out properly. It also isn't positional as I moved around the values and it's still the same ones that write correctly, their position doesn't affect anything.
Finally here is processAction function.
function processAction()
{
$config = "";
foreach(func_get_args() as $field)
{
$temp = isset($_REQUEST[$field]) ? $_REQUEST[$field] : null;
$config = $config . $temp . "\n";
}
return $config;
}
The end result should be all values should write to their relevant files correctly, rather than the current issue where only a few values from each form are written, with the rest of the values being written as blank lines.
You probably need to encode your # sign in its encoded form, %23.
You could also use urlencode to do it before passing it to your variable.
Reference: http://php.net/manual/en/function.urlencode.php
Update:
If you are going to try to encode through javascript I would try and use this method
var newURL =
"http://example.com/index.php?url=" + encodeURIComponent(actionIDs);
or
var newURL =
"http://example.com/index.php?url=" + escape(actionIDs);
Reference: Encode URL in JavaScript?
You have three options:
escape() will not encode: @*/+
encodeURI() will not encode: ~!@#$&*()=:/,;?+'
encodeURIComponent() will not encode: ~!*()'
But in your case, if you want to pass a URL into a GET parameter of other page, you should use escape or encodeURIComponent, but not encodeURI.
See Stack Overflow question Best practice: escape, or encodeURI / encodeURIComponent for further discussion.
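The blank values in the colour-form question and the nested URL in the thumbnail question both come from reserved characters reaching the query string unencoded. The following is an added example, not code from any of the posts above; example.com, process.php and the helper names are assumptions, and the field names are taken from the questions.

```javascript
// Added example. What the server can see of a URL: everything after the first
// raw '#' is the fragment, which the browser never sends with the request.
function serverSideParams(url) {
  return Object.fromEntries(new URL(url).searchParams.entries());
}

// Build a query string with every name and value percent-encoded.
function buildQuery(fields) {
  return Object.entries(fields)
    .map(([k, v]) => encodeURIComponent(k) + "=" + encodeURIComponent(v))
    .join("&");
}

// Constructed sample input: a subset of the colour form's fields.
const colourForm = {
  actionIDs: "Colour",
  coOptionSelect: "Tinting",
  coColourEffect: "Sepia",
  coRemoveColour: "#000000",
  coRemoveFuzzNumber: "0",
  coReplaceColour: "#000000",
};
const base = "http://example.com/process.php?"; // placeholder endpoint

// Plain concatenation: the query ends at the first '#'.
const rawQuery = Object.entries(colourForm)
  .map(([k, v]) => k + "=" + v)
  .join("&");
const seenRaw = serverSideParams(base + rawQuery);

// Encoded per component: '#' travels as %23 and every field arrives.
const seenEncoded = serverSideParams(base + buildQuery(colourForm));

// Nested URL: the inner '?', '=' and '%' are encoded, so thumbnail.php
// receives the inner URL as the single value of src.
const inner = "autotext.php?text=" + encodeURIComponent("hello world");
const thumbUrl = "http://www.whatever.com/thumbnail.php?" +
  buildQuery({ src: inner, h: "XXX", w: "XXX" });
const seenThumb = serverSideParams(thumbUrl);

console.log(seenRaw);     // stops at coRemoveColour, which is empty
console.log(seenEncoded); // all six fields, colours intact
console.log(seenThumb);   // src holds the whole inner URL
```

encodeURI() leaves '#', '?', '&' and '=' untouched, so it cannot stand in for buildQuery() here.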