php redirect and querystring - php

I have a script:
<?php
$to = $_GET["to"];
header("Location: $to");
?>
If I call the script like this:
out.php?to=http://site.ru/page.php?param1=1&param2=2
then $to contains only http://site.ru/page.php?param1=1&
How can I fix this? I want $to = http://site.ru/page.php?param1=1&param2=2

You can escape the URL at the site calling out.php:
Go to $to

& is a reserved character in a URI. When you access this URL, &param2=2
is interpreted as belonging to the current URL and not to the value of to.
If you want to transmit it literally, you have to encode it with %26:
http://site.ru/page.php?param1=1%26param2=2
Most programming languages provide a function to do so. (e.g. JavaScript, PHP). The best thing is to encode the whole URL.

$to must be urlencoded, but note that you are giving a redirect script to anyone, so any phisher can use it.
So, it would be better to store urls in the database and pass only an identifier.
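
The two points raised in the answers above (encode the whole target on the calling page, and do not redirect to arbitrary destinations), as an added example that is not part of the original posts. It validates against a host allow-list, which is an alternative to the database identifier lookup suggested above; the `ALLOWED_HOSTS` list and the function names `build_out_link` and `safe_redirect_target` are assumptions made for illustration.

```php
<?php
// Added example. Host names and the allow-list are constructed assumptions.
const ALLOWED_HOSTS = ['site.ru', 'www.site.ru'];

// Caller side: encode the whole target so '&', '#' and '+' stay inside "to".
function build_out_link(string $target): string
{
    return 'out.php?to=' . urlencode($target);
}

// Receiver side: return the URL only if it is safe to redirect to, else null.
function safe_redirect_target(string $to): ?string
{
    // Control characters (header splitting), spaces and backslashes are rejected.
    if (preg_match('/[\x00-\x20\x7F\\\\]/', $to)) {
        return null;
    }
    $parts = parse_url($to);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null; // relative, scheme-less or malformed
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null; // javascript:, data:, ftp: ...
    }
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null; // userinfo can disguise the real host
    }
    if (!in_array(strtolower($parts['host']), ALLOWED_HOSTS, true)) {
        return null;
    }
    return $to;
}

if (PHP_SAPI !== 'cli') {
    // out.php: PHP has already URL-decoded $_GET['to'] exactly once.
    $raw = $_GET['to'] ?? '';
    $to  = is_string($raw) ? safe_redirect_target($raw) : null;
    if ($to === null) {
        http_response_code(400);
        exit('Invalid redirect target');
    }
    header('Location: ' . $to);
    exit;
}

// CLI self-check with constructed inputs.
var_dump(build_out_link('http://site.ru/page.php?param1=1&param2=2'));
var_dump(safe_redirect_target('http://site.ru/page.php?param1=1&param2=2'));
var_dump(safe_redirect_target('http://evil.example/page.php'));
```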

Try encoding the to URL in base64 and then, in the example that you have shown, decode it before you pass it to the header :)

urlencode it
urlencode($to)

I ran into the same problem before, this is what I did:
$arr=explode('?to=',$_SERVER['REQUEST_URI'],2);
$new_to=$arr[1];
Now you can use the $new_to variable.
Of course, if you're using this in a production environment, I would recommend encoding the URL as the other answers advised. I was using it for testing a curl script. Getting the variable this way has lots of flaws, so be careful.

You can use a function called "html_entity_decode"
Click Here for more information about this function
or use the md5 function to encrypt the URL and then decrypt it when you put it into a variable.
I hope this can help you

Related

How to use GET method to send string which includes '#'?

I want to use the GET method to send a string to the receive page, but if the string includes '#', the receiver page can only get the sub string before the '#'.
As the following example:
test
When I click the 'test' link to open the 'test.php' page, which has the following code:
<?php
if(isset($_GET["q"])) {
echo $_GET["q"];
}
?>
It only display 'string1' on the page, '#string2' is missing.
So I want to know what happened to the string, and how to fix this problem.
Thank you for any help!
=======Update===========
With the help of #Eric Shaw and #JP Dupéré, I know how to fix this problem.
The simplest way is encoding the string before using the get method.
To encode the query string, you can:
use urlencode() in PHP, and urldecode() can decode the string.
use encodeURIComponent() in JavaScript, and decodeURIComponent() can decode the string.
Try
urlencode("string1#string2")
before calling GET.
The #foo is used to jump to an <a name="foo"/> tag on the page, rather than viewing the top of the page when the browser loads it.
The stuff after the # is processed by the browser and NOT sent to the server.
You can escape the # and the escaped version will be sent to the server, i.e.
test
will do what you want I think
This escaping is also a common technique to get the # passed along in the URL for redirectors.

Convert &#038 to &

Hi all, I've got a script in a WordPress post that sends the values of 4 variables to a URL.
The fact is that since WordPress natively converts & to &#038, the URL that is meant to receive those variables cannot get them, since the final URL will be
http://localhost/php/add.php?a=VALUE1&#038;b=VALUE2&#038;c=VALUE3&#038;d=VALUE4
instead of http://localhost/php/add.php?a=VALUE1&b=VALUE2&c=VALUE3&d=VALUE4
Now I know that it is possible to fix this problem by commenting out two lines in wp-includes/formatting.php, but I'm looking for a PHP function that can convert the URL with '&#038' to a URL with just '&'.
Is it possible? Thanks!
You will need to use htmlspecialchars_decode(). Consider this example:
$url = 'http://localhost/php/add.php?a=VALUE1&#038;b=VALUE2&#038;c=VALUE3&#038;d=VALUE4';
$url = htmlspecialchars_decode($url);
echo $url;
// http://localhost/php/add.php?a=VALUE1&b=VALUE2&c=VALUE3&d=VALUE4

php file_get_contents encoding issue

I am trying to Integrate an SMS service into my website. I need to make a HTTP call with a param named "msg" (urlencoded).
Currently, I am constructing the entire URL with msg param being urlencoded (i.e $msg = urlencode($msg)), and I am sending the SMS.
$msg = urlencode("Hello World");
Although what I receive on my phone is "Hello+World" and NOT "Hello World".
So is there an issue with file_get_contents ?
Also, is there any way I can see the string "file_get_contents" finally sends out ?
Try using rawurlencode() instead.
The principal difference (although there are others) is that it encodes spaces as %20 instead of +. This is quite likely the source of your problem.
I figured what was the issue:
I was using http_build_query to create the query string, and I was passing a urlencode'd param to it. Hence it was being encoded twice.
So is there an issue with file_get_contents ?
No.
Also, is there any way, I can see the string file_get_contents finally sends out ?
Yes, with a network sniffer.
You need to use urldecode() after retrieving data and then display to user

cutting special chars in folder name when using GET

I've been visiting stackoverflow.com for a long time and always found the solution to my problem. But this time it's different. That's why I'm posting my first question here.
The situation looks like this: My website provides a directory explorer which allows users to download a whole directory as a zip file. The problem is I end up with an error when I want to download a dir containing special characters in its name, i.e. 'c++'. I don't want to force users to NOT name their folders with those special chars, so I need a clue on this one. I noticed that the whole problem comes down to the GET protocol. I use ajax POST for example to roll out the directory content, but for making a .zip file and downloading it I need GET:
var dir_clicked = $(e.target).attr('path'); //let's say it equals '/c++'
window.location = 'myDownloadSite.php?directory_path='+dir_clicked;
I studied the whole track of the dir_clicked variable, step by step, and it seems that the variable in the address is sent correctly (I see the correct URL in the browser) but typing:
echo $_GET['directory_path']
in myDownloadSite.php prints
'/c'
instead of
'/c++'
Why is the GET protocol cutting my pluses?
You can use:
encodeURIComponent() // to get the URL, then use
decodeURIComponent() // to decode and access your filename.
Use urlencode() and urldecode() on server side.
Try encoding your URI with encodeURI(url) JavaScript function.
window.location = encodeURI('myDownloadSite.php?directory_path=' + dir_clicked);
Maybe use encodeURIComponent() and then remove all %xx occurrences?
When the information is posted it is encoded with special chars, sounds like you just need to decode them before using the information.
You can use php function urldecode() to decode the folder names before using them...
$_GET['directory_path'] = urldecode($_GET['directory_path']);

PHP form auto escaping posted data?

I have an HTML form POSTing to a PHP page.
I can read in the data using the $_POST variable on the PHP.
However, all the data seems to be escaped.
So, for example
a comma (,) = %2C
a colon (:) = %3a
a slash (/) = %2
so things like a simple URL such as http://example.com get POSTed as http%3A%2F%2Fexample.com
Any ideas as to what is happening?
Actually you want urldecode. %xx is an URL encoding, not a html encoding. The real question is why are you getting these codes. PHP usually decodes the URL for you as it parses the request into the $_GET and $_REQUEST variables. POSTed forms should not be urlencoded. Can you show us some of the code generating the form? Maybe your form is being encoded on the way out for some reason.
See the warning on this page: http://us2.php.net/manual/en/function.urldecode.php
Here is a simple PHP loop to decode all POST vars
foreach($_POST as $key=>$value) {
$_POST[$key] = urldecode($value);
}
You can then access them as per normal, but properly decoded. I, however, would use a different array to store them, as I don't like to pollute the super globals (I believe they should always have the exact data in them as by PHP).
This shouldn't be happening, and though you can fix it by manually urldecode()ing, you will probably be hiding a basic bug elsewhere that might come round to bite you later.
Although when you POST a form using the default content-type ‘application/x-www-form-encoded’, the values inside it are URL-encoded (%xx), PHP undoes that for you when it makes values available in the $_POST[] array.
If you are still getting unwanted %xx sequences afterwards, there must be another layer of manual URL-encoding going on that shouldn't be there. You need to find where that is. If it's a hidden field, maybe the page that generates it is accidentally encoding it using urlencode() instead of htmlspecialchars(), or something? Putting some example code online might help us find out.
