i am using the cakephp paranoid function but i want it to not strip new line character. I tried passing \n in allowed chars but it failed
You have to make sure you using the correct quotes:
echo Sanitize::paranoid($badString,array("\r\n","\n"));
Always use double quotes if your sending in escape chars, and if your stripping both returns and newlines make sure that "\r\n" comes before, as im sure the function will sanitize int he order of chars passed in.
What syntax are you using? Make sure that $allowedChars is an array and that you used double-quotes for the newline (single-quotes do not parse escapes like newline):
Sanitize::paranoid($badString, array("\n"));
Related
I have a password with special chars in my php file.
The original String returns a 500 html error code.
The following chars are the root cause.
()[]$
The line of code is:
private $password = "abc(de)fgh[ijk]lmn$opq$";
How can I correctly escape those chars?
I have tried to replace them with the HTML charset, as well as \\
Single quotes are the simplest way to make a string. They just display what they are given, no bells and whistles, no special "powers" like being able to show variable values.
Use Single quotes.
I have a use case where a customer needs to load JSON-serialized objects via a CSV import. Some of these objects contain strings which contain double-quotes. Typically I would simply add a '\' before the nested double-quote in order to escape it, however this seems to conflict with the parsing of the CSV file. We're using PHP 7.0 and the function "fgetcsv" to read the lines of the file. Whenever I do this I notice odd behavior after an escaped double-quote is encountered. Here's a sample row from the CSV:
"{""test"": ""\""this\"" is a test""}"
And here is how PHP reads this column using fgetcsv:
{"test": "\"this\"" is a test""}"
I have confirmed any double-quotes after the initial escaped double-quote run into this problem. Thinking the backslash may be causing issues with escaping I tried using another backslash to escape the backslash:
"{""test"": ""\\""this\\"" is a test""}"
And here's the result:
{"test": "\\"this\\" is a test"}
So while this does resolve the issue with any double-quotes beyond the first, I am left with two backslashes instead of one.
Without changing the underlying code, is there a way to escape this data so that fgetcsv will interpret it appropriately? Like so:
{"test": "\"this\" is a test"}
You could try using \" to represent a double quote instead of "".
E.g., "{\"test\": \"\\\"this\\\" is a test\"}"
Whether this works may depend on the version of fgetcsv you are using -- I'm not sure.
Alternatively, if you're using fgetcsv 5.3 or later, you could try changing the fgetcsv parameters to change the enclosure character or escape character so that it doesn't conflict with JSON. See the parameters in the fgetcsv docs.
enclosure
The optional enclosure parameter sets the field enclosure character (one character only).
escape
The optional escape parameter sets the escape character (one character only).
Note: Usually an enclosure character is escaped inside a field by doubling it; however, the escape character can be used as an alternative. So for the default parameter values "" and \" have the same meaning. Other than allowing to escape the enclosure character the escape character has no special meaning; it isn't even meant to escape itself.
(emphasis in original)
I have a search form. I use the following line to get the value. When it returns, it replaces plus sign to space, letters after single/double quotes are deleted. I want to enable users to search for the keywords they want. How can I allow these letters to display?
$title = trim(filter_input(INPUT_GET, 'title', FILTER_SANITIZE_SPECIAL_CHARS));
When I send with GET.
header("Location:http://site.org/search/?title=$title");
I tried using urlencode() and works for plus signs, but it didn't work for quotes. For example c"s would return c"s.
Thanks.
Those are special characters that correspond to what they are appearing to be, for instance a plus in a GET request corresponds to a space.
Please see this link.
You will have to replace these characters before you redirect. You can do this with urlencode.
From the manual for FILTER_SANITIZE_SPECIAL_CHARS
HTML-escape '"<>& and characters with ASCII value less than 32,
optionally strip or encode other special characters.
If the ascii value of the characters you are trying to are below 32, you will probably need to go a different route.
You need to encode / escape your data for the medium you are outputting to:
use url_encode to send the variables via a url;
use prepared statements with bound variables to query the database, that way you are safe from sql injection and you can search for texts with quotes in the database;
use htmlspecialchars to output your results to html or something like json_encode to send it to javascript.
i have this JSON string that i want to decode it with json_decode(); function
{"phase":2,"id":"pagelet_profile_picture","css":["VCxcl","Ix2pq"],"js":["fZYUE","VfnZ3"],"content":{"pagelet_profile_picture":"\u003cdiv class=\"profile-picture\">\u003cspan class=\"profile-picture-overlay\">\u003c\/span>\u003cimg class=\"photo img\" src\=\"http:\/\/profile.ak.fbcdn.net\/hprofile-ak-snc4\/222_111_2222_n.jpg\" alt=\"bla bla\" id=\"profile_pic\" \/>\u003c\/div>"}}
there is the json_last_error(); but it not helping me. (got JSON_ERROR_STATE_MISMATCH and JSON_ERROR_SYNTAX sometimes)
i want to know what wrong with this JSON string and how i can fix it automatically in PHP so i can decode it.
some code will be very helpful
thanks.
Using a json lint, it seems the problem is the src\=
the \ escapes the = sign, which makes no sense.
If you replace src\= with src= it passes the validator.
The fix:
Fix the code that generates the json string in the first place.
or
use str_replace to change 'src\=' to 'src='
The problem with a wrong encoding is that it's just a wrong encoding. Things then break.
If the problem is related to invalid escape sequences as Ben pointed out in his answer, you can try to fix the input string for these sequences, probably with a smarter algorithm that is looking for any not-needed escape sequence replacing it with it's non-escaped value by removing the escape character \.
You can do so by creating a list of characters that need actual to be escaped, then parse the whole string for the escape character, if found, check if the next character requires escaping or not and then act upon.
However that's only one strategy and as the input is not properly encoded, it's not easy to just fix things because they are already broken.
Here's a small example (download, rename to .php and execute it in your shell):
test.txt
Why does preg_replace return NULL instead of the original string?
\x{2192} is the same as HTML "→" ("→").
I had an null response when my regular expression included the u UTF-8 PCRE modifier. If your source text is not UTF and you have this modifier, you'll get a null result.
From the documentation on preg_replace():
Return Values
preg_replace() returns an array if the
subject parameter is an array, or a
string otherwise.
If matches are found, the new subject
will be returned, otherwise subject
will be returned unchanged or NULL if
an error occurred.
In your pattern, I don't think the u flag is supported. WRONG
Edit: It seems like some kind of encoding issue with the subject. When I erase '147 3.2 V6 - GTA (184 kW)' and manually re-type it everything seems to work.
Edit 2: In the pattern you provided, there are 3 spaces that seem to be giving issues to the regex engine. When I convert them to decimal their value is 160 (as opposed to normal space 32). When I replace those spaces with normal ones it seems to work.
I've replaced the offending spaces with underscores below:
'147 3.2 V6 - GTA (184 kW)'
'147 3.2_V6 - GTA_(184_kW)'
You are using single quotes, which means the only thing that you can escape is other single quotes. To enable escape sequences (e.g. \x32, then use double quotes "")
I am not a UTF8 expert, but the escape code \x2192 is not correct either. You can do: \x21\x92 to get both bytes into your string, but you may want to look at utf8_encode and utf8_decode
Your source string has invalid characters in it, or something. PHP gives:
Warning: preg_replace(): Compilation failed: invalid UTF-8 string at offset 0 in test.php on line 7
I believe there is also a fault in your Regex expression: ~\x{2192}~u
Try replacing what I have and see if that works out for you: /\x{2192}/u