php combining url with variable - php

I want to define the following variable $url:
$url = www.example.com/$link;
where $link is another predefined variable text string e.g. testpage.php
But the above doesn't work, how do I correct the syntax?
Thanks

Try this:
$url = "www.example.com/$link";
When a string is in double quotes, you can put variables inside it. The variable's value will be inserted into the string.
You can also use concatenation to join 2 strings:
$url = "www.example.com/" . $link;

Hate to duplicate an answer, but use single quotes to prevent the parser from having to look for variables in the double quotes. A few ms faster..
$url = 'www.example.com/' . $link;
EDIT: And yes.. where performance really mattered in an ajax backend I had written, replacing all my interpolation with concatenation gave me a 10ms boost in response time. Granted the script was 50k.

Needs double quotes:
$url = "www.example.com/$link";

Alternate way:
$url = "www.example.com/{$link}";

$url = "www.example.com/$link";

It'd be helpful if you included the erroneous output, but as far as I can tell, you forgot to add double quotes:
$url = "www.example.com/$link";
You will almost certainly want to prepend "http://" to that url, as well.

Related

Double quotes breaking jQuery (Very simple)

<?
//SQL SELECT HERE
$result = mysql_query($sql);
$options = '';
while ($row = mysql_fetch_array($result)) {
$options .= '<option>Data: ' . $row['data'] .'</option>';
}
?>
$("#multiSelect").html("<?=$options?>");
The above is a PHP query inlined in a JavaScript function. Its goal is to populate a multiselect. The issue is that when $row['data'] contains something with double quotes, jQuery doesn't like it and complains. When I remove the row containing double quotes it works fine.
How can I get around this? Is this normal behavior of jQuery?
Try to addslashes: http://php.net/manual/en/function.addslashes.php
It's because your call is coming out as something like:
$("#multiSelect").html(""Hello"");
Most programming languages will have problems with that - they assume that the first quote you're adding ends the string you're passing in, and that the next text should be a valid piece of code.
You can get around it by escaping the quotes, removing them, or substituting them to something else:
$("#multiSelect").html("<?=addslashes($options)?>");
$("#multiSelect").html("<?=str_replace('"', '', $options)?>");
$("#multiSelect").html("<?=str_replace('"', '\'', $options)?>");
Depending on what the input text is likely to be.
WHY WHY WHY would you build the options with the code behind and then set it with jQuery? Why can't PHP just set it itself?
You need to escape the quotes with a \
"Man it is \"hot\" in here"
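
An added example, not part of the original answers: the option markup is encoded once for each context it passes through, with htmlspecialchars() for the text inside each <option> and json_encode() for the JavaScript string literal. The $rows array is constructed sample data standing in for the database result, and JSON_THROW_ON_ERROR assumes PHP 7.3 or later.

```php
<?php
// Constructed sample rows standing in for the database result.
$rows = [
    ['data' => 'He said "hello"'],
    ['data' => "it's line one\nline two"],
    ['data' => '5 < 6 & 7 > 2'],
];

// 1) HTML context: each value becomes text inside an <option> element,
//    so markup characters in the data are turned into entities first.
$options = '';
foreach ($rows as $row) {
    $options .= '<option>Data: '
        . htmlspecialchars($row['data'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '</option>';
}

// 2) JavaScript context: json_encode() returns a complete, already quoted
//    string literal. Quotes, backslashes and newlines are escaped, and the
//    JSON_HEX_* flags emit <, >, &, ' and " as \uXXXX escapes, so the value
//    cannot end the string or the surrounding <script> element.
$jsLiteral = json_encode(
    $options,
    JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
);
?>
<script>
// No quotes around the PHP output: json_encode() already supplied them.
$("#multiSelect").html(<?= $jsLiteral ?>);
</script>
```

Unlike addslashes(), json_encode() also escapes line breaks, which would otherwise end a quoted JavaScript string early.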

how can we inject a PHP variable into Javascript

I have a problem with the "window.location" command in JavaScript. I would like to add the PHP variable in the link window.location. How can I do this?
For example: I would like to transfer user to English page or Vietnamese Page by variable $lang
Here is my code
echo 'window.location="/B2C/$lang/confirm_fone.html"';
and the result in address bar is:
http://10.160.64.4:1234/B2C/$lang/confirm_fone.html
the $lang in address bar cannot be decoded?
Variables in single-quoted strings don't get interpolated in PHP.
Use this instead:
echo 'window.location="/B2C/' . $lang . '/confirm_fone.html"';
Or use doublequotes:
echo "window.location='/B2C/$lang/confirm_fone.html'";
This is because the whole string is in single quotes.
You'll want to use double quotes for interpolation.
Otherwise, you can try:
echo 'window.location="/B2C/'.$lang.'/confirm_fone.html"';
If you put PHP variables within the string you should use double quotes.
echo "window.location='/B2C/$lang/confirm_fone.html'";
You have to concatenate the value, as follows :
echo 'window.location="/B2C/'.$lang.'/confirm_fone.html"';
Variables are not resolved by PHP in Strings when you use the ' as delimiter. Use " instead (and ' for the javascript command) or concatenate the String using ..
If you are in php-context:
echo "window.location=\"/B2C/{$lang}/confirm_fone.html\";";
If you are in HTML-Context (or better "outer-php-context"):
window.location="/B2C/<?php echo $lang ?>/confirm_fone.html";

PHP Header Location with parameter

Is it possible to append a parameter to a PHP Header Location? I'm having trouble getting it to work. Is this syntax actually allowed?
$qry = $_SERVER['QUERY_STRING'];
header('Location: http://localhost/blast/v2/?$qry ') ;
it just won't replace $qry with its actual value....why??
in the browser it ends up looking like this:
http://localhost/blast/v2/?$qry
thanks
Change the single quotes to double quotes:
header("Location: http://localhost/blast/v2/?$qry");
A single quoted string in PHP is treated as a string literal, which is not parsed for variables. Double quoted strings are parsed for variables, so you will get whatever $qry contains appended, instead of literally $qry.
You can also add multiple parameters via a header like:
$divert=$row['id']."&param1=".($param1)."&param2=".($param2);
header("Location:showflagsab.php?id=$divert");
which adds the two additional parameters to the original id.
These can be extracted using the $get method at their destination.
I know this is a very old post, but please, do not do this. Parameters in a header are XSS vulnerable. You can read more about XSS'ing here: owasp.org/index.php/Cross-site_Scripting_(XSS)
wiles How to Fix the XSS attack on header location
$param = $_REQUEST['bcd'];
header("Location: abc.php/?id=$param");
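
An added example (not from the thread) of building the Location header from the snippet above so that a request value cannot change the header or add extra query parameters: the id is validated as an integer, then encoded with http_build_query(). The helper name redirect_url() and the sample request value are assumptions made for illustration.

```php
<?php
// Hypothetical helper: builds "path?query" with every value percent-encoded.
function redirect_url(string $path, array $params): string
{
    // The path is chosen by the application, never copied from the request.
    // Control characters are refused so the header stays on a single line.
    if (preg_match('/[\x00-\x1F\x7F]/', $path)) {
        throw new InvalidArgumentException('Invalid redirect path');
    }
    // RFC 3986 mode encodes &, =, #, spaces and line breaks inside a value,
    // so a value can never start a second parameter or a second header.
    $query = http_build_query($params, '', '&', PHP_QUERY_RFC3986);
    return $query === '' ? $path : $path . '?' . $query;
}

// Constructed sample standing in for $_REQUEST['bcd']; it tries to smuggle
// a second parameter into the redirect target.
$raw = '7&param1=overridden';

// Validate against the expected type before using the value at all.
$id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($id === false) {
    http_response_code(400);
    exit('Invalid id');
}

header('Location: ' . redirect_url('abc.php/', ['id' => $id]));
exit; // stop here so nothing else runs or is sent after the redirect
```

With the sample value the request is refused with a 400 response; a plain integer such as 7 produces a redirect to abc.php/?id=7.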

PHP URL in query string using GET

I have a URL like:
http://www.google.com/test.html?d=1232&u=32
and I want to add it as a part of a GET query string like:
http://www.mysite.com/index.html?a=123&d=http://www.google.com/test.html?d=1232&u=32
Note the double "d" used. I want the URL sent to be just a URL and not be read for its query string...
What is the best way to do this to avoid problems?
You can use the urlencode() function.
Example:
$url = 'http://www.mysite.com/index.html?a=123&d='
. urlencode('http://www.google.com/test.html?d=1232&u=32');
You can use urlencode() to put that in the URL without having it interfere with anything else you have in there.
URL-encode the second url:
http://mysite.com/index.html?a=123&d=<?php echo urlencode('http://google.com/etc..'); ?>
You can assign a url to a variable and have it be query-string safe by using urlencode() (http://us3.php.net/urlencode). So you could do:
$url = 'http://www.mysite.com/index.html?a=123&d=' . urlencode('http://www.google.com/test.html?d=1232&u=32');
In this example the query-string var 'd' now houses all the contents of the second url. You will have to urldecode() it on the receiving end in order to extrapolate the data.

Sanitizing user input as part of an url

I get a string, from an external clientside script, which must later be attached as part of a URL. Now I am wondering what is the best way to sanitize such data?
The string I get will have a structure like this:
dynamicVal#staticVal:dynamicVal
This value will then be added to an url:
http://the-page.com/dynamicVal#staticVal:dynamicVal
The URL is then used as follows:
$link = htmlspecialchars("http://external-page.com/dynamicVal#staticVal:dynamicVal", ENT_QUOTES);
$var = "'Open URL'";
Problem is, htmlspecialchars won't help to prevent execution of random JavaScript code, e.g. by adding this alert to the value:
dynamicVal#staticVal:dynamicVal'+alert(\"breakout\")+'
Using rawurlencode won't help either, because it is not a value of a parameter but a real part of the URL.
So what is the best way to sanitize the passed string when concatenating to the url?
Thanks in advance.
Edit:
Using rawurlencode only on the dynamic parts actually also didn't solve the issue, the javascript still got executed.
Test snippet:
$splitVal = "#staticVal:";
$tmpArr = explode($splitVal, "dynamicVal#staticVal:dynamicVal'+alert(\"breakout\")+'");
$link = htmlspecialchars(sprintf("http://external-page.com/"."%s$splitVal%s", rawurlencode($tmpArr[0]), rawurlencode($tmpArr[1])), ENT_QUOTES);
echo "'Open URL'";
Edit2:
Using json_encode when passing the string as javascript argument didn't help either.
Adapted test snippet:
$splitVal = "#staticVal:";
$tmpArr = explode($splitVal, "dynamicVal#staticVal:dynamicVal\"+alert('breakout')+\"");
$link = htmlspecialchars(sprintf("http://external-page.com/"."%s$splitVal%s", rawurlencode($tmpArr[0]), rawurlencode($tmpArr[1])), ENT_QUOTES);
echo "'Open URL'";
Adaptions done:
Switched the quotes in the malicious JS.
Moved htmlspecialchars around json_encode, because a double quoted string gets returned which would break the html otherwise.
You should use urlencode() for this. Not on the whole string but on the dynamic parts only.
$link = sprintf('http://external-page.com/%s#staticVal:%s', urlencode('dynamicVal'), urlencode('dynamicVal'));
$var = "'Open URL'";
EDIT:
OK - I see your problem. I didn't realize that you insert the code into a JavaScript function call. You'll have to ensure that the JavaScript interpreter treats your link as a string argument to window.open():
$link = sprintf('http://external-page.com/%s#staticVal:%s', urlencode('dynamicVal'), urlencode('dynamicVal'));
$var = "'Open URL'";
For completeness, I was able to solve that issue by simply putting addslashes on the dynamic part before using rawurlencode.
Both function calls are needed to prevent breaking out. Using addslashes prevents normal quotes (',") and rawurlencode prevents already encoded quotes (%29,%22) from causing harm.
So final solution looks like this:
$splitVal = "#staticVal:";
$tmpArr = explode($splitVal, "dynamicVal#staticVal:dynamicVal'+alert(\"breakout\")+'");
$link = htmlspecialchars(sprintf("http://external-page.com/"."%s$splitVal%s", rawurlencode(addslashes($tmpArr[0])), rawurlencode(addslashes($tmpArr[1]))), ENT_QUOTES);
echo "'Open URL'";
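
An added example, not taken from the thread, that encodes the value once per nested context: URL, then JavaScript string, then HTML attribute. The link markup did not survive on this page, so the inline onclick handler calling window.open() is an assumption, and build_open_link() is a hypothetical helper name.

```php
<?php
// Hypothetical helper: returns the anchor markup for one input string.
function build_open_link(string $input): string
{
    $splitVal = '#staticVal:';
    $parts = explode($splitVal, $input, 2);
    if (count($parts) !== 2) {
        throw new InvalidArgumentException('Unexpected input format');
    }

    // 1) URL context: percent-encode only the dynamic parts, so quotes,
    //    parentheses and "+" become %XX and the static separator is kept.
    $url = 'http://external-page.com/' . rawurlencode($parts[0])
         . $splitVal . rawurlencode($parts[1]);

    // 2) JavaScript context: json_encode() emits a quoted string literal;
    //    the JSON_HEX_* flags leave no raw quote or angle bracket in it.
    $flags = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    $js = 'window.open(' . json_encode($url, $flags) . '); return false;';

    // 3) HTML attribute context: applied last, because the browser decodes
    //    entities in the attribute before it runs the handler as script.
    //    An onclick attribute is used instead of a javascript: URL, since
    //    the browser percent-decodes a javascript: URL before executing it,
    //    which would undo step 1.
    return '<a href="#" onclick="'
         . htmlspecialchars($js, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
         . '">Open URL</a>';
}

// The test value from the question above.
echo build_open_link("dynamicVal#staticVal:dynamicVal'+alert(\"breakout\")+'");
```

Each encoder is applied in the reverse of the order in which the browser decodes the value, so the input reaches window.open() only as string data.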
