get values in url - php

I need to get values in the url as it is
ex:
http://www.example.com/index?url=1+LY2ePh1pjX4tjZ4+GS393Y2pjd16Cbq63T3tbfzMzd16CarA==
but the variable url gives me the value "1 LY2ePh1pjX4tjZ4 GS393Y2pjd16Cbq63T3tbfzMzd16CarA=="
even though I expected "1+LY2ePh1pjX4tjZ4+GS393Y2pjd16Cbq63T3tbfzMzd16CarA=="
Can anyone help me with this or explain the reason?

You see, you need to encode certain characters if you need to send them in a URL. For further reference, I suggest you read this page. It seems that the URL you are getting isn't being encoded properly. If the URL is coming from your site, then I would suggest you encode it properly.
In PHP, there is a function called urlencode, which may help you with this task.
A short explanation
URLs can only be sent over the Internet using the ASCII character set. If you want to send characters which are outside this set, you need to encode them. URL encoding replaces unsafe ASCII characters with % followed by two hexadecimal digits corresponding to the character values in the ISO-8859-1 character set.

The client sending the request apparently isn't URL encoding the value correctly. You can re-encode it after it's being decoded like this:
urlencode($_GET["url"])

It converts %2B to a space

The parameter you sent is wrong, it should have been encoded like so..
<?php
echo '<a href="http://www.example.com/index?url=', urlencode('1+LY2ePh1pjX4tjZ4+GS393Y2pjd16Cbq63T3tbfzMzd16CarA=='), '">';
?>

I have added the encoding correctly now. It converts == correctly, and the + sign is encoded to %2B correctly, but in the decode process it is converted to a space.

As it seems that you’re having a Base-64 value there: You can use the URL safe alphabet for Base-64 that uses - and _ instead of + and / respectively:
$base64 = "1+LY2ePh1pjX4tjZ4+GS393Y2pjd16Cbq63T3tbfzMzd16CarA==";
// plain Base-64 to URL safe Base-64
$base64_safe = strtr($base64, '+/', '-_');
// URL safe Base-64 to plain Base-64
$base64 = strtr($base64_safe, '-_', '+/');
And if you know the length of the data, you can also omit the = padding:
rtrim($base64, '=')

Related

Percent-encode URL Twice

I have been given some instructions to percent encode a URL twice. I know how to percent encode a URL once but how do you do it twice?
Surely when it is encoded once, it will be the same when encoded again.
Have I missed something?
Instructions or algorithm would be great!
It won't be the same since you encode the % used for encoding.
$url = 'http://www.youtube.com/watch?v=35_0IN36rUI';
echo $url;
echo urlencode($url);
echo urlencode(urlencode($url));
will give:
http://www.youtube.com/watch?v=35_0IN36rUI
http%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3D35_0IN36rUI
http%253A%252F%252Fwww.youtube.com%252Fwatch%253Fv%253D35_0IN36rUI
To doubly encode the Url in php do:
$encodedUrl = urlencode(urlencode($url));
Definitely not the same output when encoded twice. The first adds percent encodings and the second will actually encode those percent signs... For example:
urlencode('guts & glory'); // "guts+%26+glory"
urlencode(urlencode('guts & glory')); // "guts%2B%2526%2Bglory"

php URL decode get '+' from URL

So I am trying to encode/decode a url that when decoded will return the encoded + symbols from the url. For example, I encode website.com/index.php?eq=1+12 which when encoded turns the + into %2B, as it should. When I retrieve the value from $_REQUEST['eq'] and use urldecode() it echoes as "1 12". I cannot seem to get the decode to bring back the + so to speak. Am I doing something wrong here, or is there a more efficient/better way to go about doing this? Here are the exact encode/decode lines I use.
Submit Page
<?php
$eq = "1+12";
// Close the href attribute and the opening tag before the link text
$send = '<a href="website.com/index.php?eq='.urlencode($eq).'">link</a>';
echo $send;
Retrieval page
<?php
$eq = urldecode($_REQUEST['eq']);
echo $eq;
?>
Don't run urldecode, the data in $_REQUEST is automatically decoded for you.
A plus sign, in a URL, is an encoded space. PHP decodes the hex value to a + automatically. Then, by running the result through urldecode, you are manually (and incorrectly) decoding the + to a space.
Try using the function rawurldecode() instead of urldecode()
I encode it in JavaScript with encodeURIComponent() and decode it in PHP with rawurldecode() and it encodes/decodes properly for me, including the "+", but NOT with urldecode()
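The behaviour described in this thread and in the first question on this page, as an added example that is not code from any of the answers. It uses parse_str(), which applies the same decoding PHP uses when it fills $_GET; the helper name query_param is hypothetical.

```php
<?php
// Added example. The value is the one from the first question on this page.
$value = '1+LY2ePh1pjX4tjZ4+GS393Y2pjd16Cbq63T3tbfzMzd16CarA==';

/** Decode a query string with the same rules PHP applies when filling $_GET. */
function query_param(string $query, string $name): ?string
{
    parse_str($query, $params);
    $v = $params[$name] ?? null;
    return is_string($v) ? $v : null;
}

$results = [
    // Sender did not encode: each "+" is read as an encoded space.
    'unencoded link'     => query_param('url=' . $value, 'url'),
    // Sender encoded once: "+" travels as %2B and is restored on arrival.
    'urlencode()'        => query_param('url=' . urlencode($value), 'url'),
    'rawurlencode()'     => query_param('url=' . rawurlencode($value), 'url'),
    'http_build_query()' => query_param(http_build_query(['url' => $value]), 'url'),
];

// Receiver decodes the already-decoded value a second time.
$once = $results['urlencode()'];
$results['+ extra urldecode()']    = urldecode($once);    // "+" becomes a space again
$results['+ extra rawurldecode()'] = rawurldecode($once); // "+" is left alone

foreach ($results as $label => $got) {
    printf("%-24s %s\n", $label, $got === $value ? 'intact' : 'corrupted -> ' . $got);
}
```

The extra rawurldecode() only looks harmless because this value contains no literal %; a value that does would be altered by any second decode.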

Translate URLENCODED data into UTF-8 in PHP

I've got a string that is in my database like 中华武魂 when I post my request to retrieve the data via my website I'm getting the data to the server in the format %E4%B8%AD%E5%8D%8E%E6%AD%A6%E9%AD%82
What decoding steps do I have to take in order to get it back to the usable form?
While also cleaning the user input to ensure they're not going to try an SQL injection attack?
(escape string before or after encoding?)
EDIT:
rawurldecode(); // returns "中åŽæ­¦é­‚"
urldecode(); // returns "中åŽæ­¦é­‚"
public function utf8_urldecode($str) {
$str = preg_replace("/%u([0-9a-f]{3,4})/i","&#x\\1;",urldecode($str));
return html_entity_decode($str,null,'UTF-8');
}
// returns "中åŽæ­¦é­‚"
... which actually works when I try and use it in an SQL statement.
I think because I was doing an echo and die(); without specifying a header of UTF-8 (thus I guess that was reading to me as latin)
Thanks for the help!
When your data is actually that percent-encoded form, you just have to call rawurldecode:
$data = '%E4%B8%AD%E5%8D%8E%E6%AD%A6%E9%AD%82';
$str = rawurldecode($data);
This suffices as the data already is encoded in UTF-8: 中 (U+4E2D) is encoded with the byte sequence 0xE4B8AD in UTF-8 and that is encoded with %E4%B8%AD when using the percent-encoding.
That your output does not seem to be as expected is probably because the output is interpreted with the wrong character encoding, probably Windows-1252 instead of UTF-8. Because in Windows-1252, 0xE4 represents ä, 0xB8 represents ¸, 0xAD represents å, and so on. So make sure to specify the output character encoding properly.
Use PHP's urldecode:
http://php.net/manual/en/function.urldecode.php
You have choices here: urldecode or rawurldecode.
If you had encoded your string using urlencode, you must use urldecode because of the way spaces are handled. While urlencode converts spaces to +, it is not the same with rawurlencode.
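The question also asks where escaping for SQL fits in. One order of operations, as an added example that is not from the original posts: decode once, validate the bytes as UTF-8, then bind the value as a parameter instead of escaping it. It assumes the mbstring and pdo_sqlite extensions; the table and column names are constructed.

```php
<?php
// Added example. Save this file as UTF-8; the items table is constructed sample data.
$wire = '%E4%B8%AD%E5%8D%8E%E6%AD%A6%E9%AD%82'; // percent-encoded value from the question

// 1. Percent-decode exactly once. Skip this step for values read from
//    $_GET or $_POST, which PHP has already decoded.
$name = rawurldecode($wire);

// 2. Reject byte sequences that are not well-formed UTF-8.
if (!mb_check_encoding($name, 'UTF-8')) {
    throw new InvalidArgumentException('parameter is not valid UTF-8');
}

// 3. Bind the decoded value as a parameter. The driver keeps it separate
//    from the SQL text, so no manual escaping happens before or after decoding.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE items (name TEXT)');
$db->prepare('INSERT INTO items (name) VALUES (?)')->execute(['中华武魂']);

$stmt = $db->prepare('SELECT name FROM items WHERE name = ?');
$stmt->execute([$name]);
$row = $stmt->fetchColumn();

// 4. Declare the output charset so the client does not guess a legacy one.
if (PHP_SAPI !== 'cli') {
    header('Content-Type: text/plain; charset=UTF-8');
}
echo $row === false ? "no match\n" : "matched: {$row}\n";
```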

Passing base64 encoded strings in URL

Is it safe to pass raw base64 encoded strings via GET parameters?
There are additional base64 specs. (See the table here for specifics.) But essentially you need 65 chars to encode: 26 lowercase + 26 uppercase + 10 digits = 62.
You need two more ['+', '/'] and a padding char '='. But none of them are url friendly, so just use different chars for them and you're set. The standard ones from the chart above are ['-', '_'], but you could use other chars as long as you decoded them the same, and didn't need to share with others.
I'd recommend just writing your own helpers. Like these from the comments on the php manual page for base64_encode:
function base64_url_encode($input) {
return strtr(base64_encode($input), '+/=', '._-');
}
function base64_url_decode($input) {
return base64_decode(strtr($input, '._-', '+/='));
}
No, you would need to url-encode it, since base64 strings can contain the "+", "=" and "/" characters which could alter the meaning of your data - look like a sub-folder.
Valid base64 characters are below.
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=
@joeshmo Or instead of writing a helper function, you could just urlencode the base64 encoded string. This would do the exact same thing as your helper function, but without the need of two extra functions.
$str = 'Some String';
$encoded = urlencode( base64_encode( $str ) );
$decoded = base64_decode( urldecode( $encoded ) );
Introductory Note: I'm inclined to post a few clarifications since some of the answers here were a little misleading (if not incorrect).
The answer is NO, you cannot simply pass a base64 encoded parameter within a URL query string since plus signs are converted to a SPACE inside the $_GET global array. In other words, if you sent test.php?myVar=stringwith+sign to
//test.php
print $_GET['myVar'];
the result would be:
stringwith sign
The easy way to solve this is to simply urlencode() your base64 string before adding it to the query string to escape the +, =, and / characters to %## codes.
For instance, urlencode("stringwith+sign") returns stringwith%2Bsign
When you process the action, PHP takes care of decoding the query string automatically when it populates the $_GET global.
For example, if I sent test.php?myVar=stringwith%2Bsign to
//test.php
print $_GET['myVar'];
the result would be:
stringwith+sign
You do not want to urldecode() the returned $_GET string as +'s will be converted to spaces.
In other words if I sent the same test.php?myVar=stringwith%2Bsign to
//test.php
$string = urldecode($_GET['myVar']);
print $string;
the result is an unexpected:
stringwith sign
It would be safe to rawurldecode() the input, however, it would be redundant and therefore unnecessary.
Yes and no.
The basic charset of base64 may in some cases collide with traditional conventions used in URLs. But many of base64 implementations allow you to change the charset to match URLs better or even come with one (like Python's urlsafe_b64encode()).
Another issue you may be facing is the limit of URL length or rather — lack of such limit. Because standards do not specify any maximum length, browsers, servers, libraries and other software working with HTTP protocol may define their own limits.
It's a base64url encode you can try out; it's just an extension of joeshmo's code above.
function base64url_encode($data) {
return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}
function base64url_decode($data) {
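// str_pad() takes the target length, so pad up to the next multiple of 4
return base64_decode(str_pad(strtr($data, '-_', '+/'), strlen($data) + (4 - strlen($data) % 4) % 4, '=', STR_PAD_RIGHT));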
}
I don't think that this is safe because e.g. the "=" character is used in raw base 64 and is also used in differentiating the parameters from the values in an HTTP GET.
If you have sodium extension installed and need to encode binary data, you can use sodium_bin2base64 function which allows you to select url safe variant.
for example encoding can be done like that:
$string = sodium_bin2base64($binData, SODIUM_BASE64_VARIANT_URLSAFE);
and decoding:
$result = sodium_base642bin($base64String, SODIUM_BASE64_VARIANT_URLSAFE);
For more info about usage, check out php docs:
https://www.php.net/manual/en/function.sodium-bin2base64.php
https://www.php.net/manual/en/function.sodium-base642bin.php
In theory, yes, as long as you don't exceed the maximum url and/or query string length for the client or server.
In practice, things can get a bit trickier. For example, it can trigger an HttpRequestValidationException on ASP.NET if the value happens to contain an "on" and you leave in the trailing "==".
For url safe encode, like base64.urlsafe_b64encode(...) in Python, the code below works for me 100%
function base64UrlSafeEncode(string $input)
{
return str_replace(['+', '/'], ['-', '_'], base64_encode($input));
}
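The URL-safe alphabet suggested in this thread and in the first question's last answer, as an added round-trip example that is not code from any of the answers. The function names are hypothetical and the sample bytes are constructed so that their plain Base64 form contains both + and /.

```php
<?php
// Added example; function names are hypothetical, sample bytes are constructed.
function b64url_encode(string $bin): string
{
    return rtrim(strtr(base64_encode($bin), '+/', '-_'), '=');
}

function b64url_decode(string $text): ?string
{
    // Accept only the URL-safe alphabet; a length of 4n+1 can never be valid.
    if (!preg_match('/\A[A-Za-z0-9_-]*\z/', $text) || strlen($text) % 4 === 1) {
        return null;
    }
    // Restore "=" padding up to the next multiple of 4 (str_pad takes the target length).
    $padded = str_pad(strtr($text, '-_', '+/'), strlen($text) + (4 - strlen($text) % 4) % 4, '=');
    $bin = base64_decode($padded, true); // strict: false on characters outside the alphabet
    return $bin === false ? null : $bin;
}

$bin   = "\xfb\xef\xbe\xff\xff"; // constructed bytes whose Base64 form is "++++//8="
$plain = base64_encode($bin);
$safe  = b64url_encode($bin);

// Put both forms into a query string with no percent-encoding, then parse it as PHP would.
parse_str('plain=' . $plain . '&safe=' . $safe, $got);

printf("plain survived: %s\n", var_export($got['plain'] === $plain, true));
printf("safe survived:  %s\n", var_export($got['safe'] === $safe, true));
printf("round trip ok:  %s\n", var_export(b64url_decode($got['safe']) === $bin, true));
printf("mangled input:  %s\n", var_export(b64url_decode($got['plain']), true));
```

Rejecting input outside the expected alphabet up front means a token whose + signs were turned into spaces in transit is refused rather than silently decoded to different bytes.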

Removing the "%" encoding in URL string

I am attempting to open a page with window.open and it's not working. The path shown is like xyz/a%20b%20c%20.pdf, but it is supposed to be xyz/abc.pdf. If I remove the % and 20 manually, it works, how can I remove these characters using PHP?
Use urldecode:
(PHP 4, PHP 5)
urldecode — Decodes URL-encoded string
Description
string urldecode ( string $str )
Decodes any %## encoding in the given string. Plus symbols ('+') are decoded to a space character.
Example
echo urldecode('xyz/a%20b%20c%20.pdf');
This is known as URL Encoding. You need to decode the string. If you are using jQuery you should check out the URL Encode plug in.
You need to urldecode (as stated above).
However, you say that you can remove the %20 and it will work. I would say you need them, they decode to spaces. Check it out using this online url decoder:
http://www.convertstring.com/EncodeDecode/UrlDecode
it decodes to:
xyz/a b c .pdf
not
xyz/abc.pdf
