From what I have been able to understand, hash marks (#) aren't sent to the server, so it doesn't seem likely that I will be able to use raw PHP to parse data like in the URL below:
index.php?name=Ben&address=101 S 10th St Suite #301
I'm looking to pre-populate form fields with this $_GET data. How would I do this with Javascript (or jQuery), and is there a fallback that wouldn't break my form for people not using Javascript? Currently if there is a hash (usually in the address field), everything after that is not parsed in or stored in $_GET.
You can encode the hash as you should urlencode(in php) or encodeURIComponent(in JavaScript).
The "hash" is not part of the request, which is why your script never sees it.
Like webdestroya said, you'll need to send a request with the URL
index.php?name=Ben&address=101%20S%2010th%20St%20Suite%20%23301
If you're using HTML forms, then the string value will be auto-urlencoded when you submit the form.
the user will be clicking a link from an email and will want to see the hash mark rendered in the email
You need to encode the link to what Ben quoted before you stick it in the e-mail. What you currently have is not a URL at all.
You can optionally encode a space to + instead of %20 in the context of query parameters but you absolutely cannot include a raw space, because it is a defining characteristic of URLs that they don't have spaces in. If you type a space in a URL in a web browser it will quietly fix up the mistake, but an e-mail client can't pick out a URL from plain text if it's full of spaces.
There is sometimes an alternative function which encodes spaces to + instead of %20. Normally this is best avoided as + isn't valid in all circumstances, but if prefer:
index.php?name=Ben&address=101+S+10th+St+Suite+%23301
then you'd use PHP's urlencode function instead of the more standard rawurlencode.
Either way, you must encode the hash to %23, because otherwise a hash in an HTTP URL means the fragment identifier (the part of the page to scroll the browser to). This is not part of the address of the page itself; it is not even passed from the browser to the server, so you certainly cannot retrieve it—from $_GET or any other interface.
There are many other characters in a component like an address that must be %-encoded before being inserted into a URL string, or they'll leave you with an invalid or otherwise non-functional URL. If all that %23 business looks funny in a URL... well, you'll have to live with it. That's what URLs have always looked like.
I usually store the hash on a cookie onunload
ej:
window.unload = function(){
if(document.location.hash) setCoockie('myhash',document.location.hash);
};
Related
I have a site that allows users to create a page based on user input example.com/My Page
The problem is if they create a url like example.com/H & E Photos or example.com/#1 Fan Club
Once php decodes the url, it tries to parse those characters into a hash (or a query string in the case of ?)
In my .htacess I am doing this ([^/]+?)
What is the typical way of handling a situation like this? Ideally, without going to an id system (example.com/131234121). Poor planning on my part :(
EDIT. Talking about PHP here. url is encoded when it hits the server, php decodes before parse regex and url
If you are using PHP to create/handle storing entries for user-entered-URLs then use htmlentities on the string before trying to handle it.
https://www.php.net/manual/en/function.htmlentities.php
https://www.w3schools.com/php/func_string_htmlentities.asp
Apparently, what I was looking for was a rewrite flag.
http://httpd.apache.org/docs/2.2/mod/mod_rewrite.html#rewriteflags
B Escape non-alphanumeric characters before applying the transformation.
This allows you to send percent-encoded strings to the URL without them being decoded beforehand.
So it was actually an apache thing and not PHP. Sorry for the misleading question.
I'm working with injections and tricks behind them so I came across with the way of commenting MySQL queries by #.
As all we know about using named anchors in HTML, in this case of injecting to URL, # works like an HTML named anchor and doesn't mean harmful for running the query.
The question is why this happens and why PHP doesn't include # as the rest of the input directly? (e.g. ?id=2547#)
Hashes are handled locally by the browser, not sent to the server. E.g. if you write a URL
http://yourdomain.com/script.php?param=foo#id=1234#
the browser just sends GET /script.php?param=foo to the server. When the response comes back, it searches for the id=1234 anchor in the HTML and scrolls down to it.
If you want to send the comment to the server, it needs to be percent-encoded:
http://yourdomain.com/script.php?param=foo%23id=1234%23
Since the browser considers it a special character and it's not url encoded, when the browser encounters the # it assumes that the previous GET parameter (if it existed) has ended.
If it is url encoded and the input is not properly sanitized then it does in fact pose an injection threat, otherwise if the user input is properly sanitized I would not worry about this.
Edit:
If the database allows for such input (e.g. varchar2) and the html-special-chars get properly escaped during input, then of course the database will save the user input as they will in fact be just symbols and will not have any special meaning.
This is a little out of the blue and it's mostly curiosity. I hope it's not a waste pf time and space.
I was writing a little script to validate accounts with a link so I decided to send an email with a link to the php script and in the link I would put two variables to get with the _GET array. A key and the email. Then I would just search the database with that email and key and change it's activated status to true... No prob. Easy enough even though it may not be very elegant..
I used a script for the generation of the key that I used elsewhere in the site for generating a new password (to reset it for instance) but sometimes it didn't work and after a lot of tries I noticed (and I felt stupid then) that the array my password generation function drew from was this:
'0123456789_!##$%&*()-=+abcdfghjkmnpqrstvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
So naturally I deleted the & character that is used for separating variables in the url... Then in another try I noticed that the link in the email was not recognized whole and stopped after the '#' character as well which I then remembered is used for references in an html so I deleted that as well. In the end I decided to leave only alphanumeric characters to be sure but I am curious; Are ther any more characters that are not 'valid' for url's using utilizing _GET and is there any way to use those characters anyway (maybe ulr encode or somwething)
There are plenty of characters that are invalid. Use urlencode to convert them to URL safe encodings. (Always run that function over any data you are inserting into a URL).
You have to use urlencode() before sending the values to $_GET.
You could use url_encode and url_decode but I would stay away from & # ? these are normal URL characters.
Also when it comes to passwords : dont stress about an algorithm, use sha1 crypt or something along those lines with a salt. These algorithms will be much stronger than your homemade ones.
I have one url with one code.
http://www.example.com/exam.php?id=rteter#443545
Now when I click this URL, the value of the id is rteter, means it returns me only portion of code before #.
I have not sent the link with urlencode so please do not give that solutions. Links are already sent, is they any way by which I can get the full value in my php code?
Martha
The # character indicates the start of the fragment identifier and is handled client side. You need to represent it as %23 if you want it sent to the server.
If you are generating query string parameters programatically in PHP, use the urlencode function.
Check out this post on stackoverflow:
Can I read the hash portion of the URL on my server-side application (PHP, Ruby, Python, etc.)?
It might cover your question.
use url quote
http://www.example.com/exam.php?id='rteter%23443545'
http://php.net/manual/en/function.urlencode.php
How can I post a full URL in PHP?
For example:
I have a form allowing individuals to submit a long url. The resultant page is /index.php?url=http://www.example.com/
This is fine for short URLs, but for very long and complex URLs (like those from Google Maps) I need to know how to keep all of the data associated with variable url.
You need to percent encode the string — otherwise characters which have special meaning in URIs will have that special meaning instead of being treated as data.
http://php.net/urlencode
If users submit this data via a form, then it will be automatically encoded.
If you plan to include the URI in a link in an HTML document, then don't forget to convert special characters to HTML entities.
You sort of answer your own question:
How can I post a full URL in PHP?
If very long URLs are getting truncated by the users' browsers, your only option is to re-work your system to POST the URL to your script, as opposed to passing it in the query string.
If there is some condition that frustrates the use of a POST request, you should update your question with more detail about what your system does.