I've got an issue whereby PHP is escaping where I really don't want it to in this code:
$url_ = stripslashes(((substr(strtolower($url),0,7)!="http://")? "http://".$url:$url));
$host = $this->googleDomains[mt_rand(0,count($this->googleDomains)-1)];
$target = "/search?";
$querystring = sprintf("client=navclient-auto&ch=%s&features=Rank&q=%s",
$this->CheckHash($this->HashURL($url_)),urlencode("info:".$url_));
$contents="";
$this->debugRes("host", $host);
$this->debugRes("query_string", $querystring);
$this->debugRes("user_agent", $this->userAgent);
thus producing a URL like this which causes the script to fail:
{"urls":[{"url":"hostcule.com","converted_url":"http:\/\/toolbarqueries.google.com\/search??client=navclient-auto&ch=74451333464&features=Rank&q=info%3Ahttp%3A%2F%2Fhostcule.com"}]}
How do I stop it?
Magic Quotes are Off.
Here's the $url comes from:
foreach (preg_split('#[\r\n]+#', $_POST['urls']) as $url) {
$url = trim($url);
if ($url)
$_SESSION['converted_urls'][] = array('url' => $url, 'converted_url' => $pr->GetPR($url, true, true));
}
At this stage, $_POST['urls'] looks like:
{"urls":[{"url":"hostcule.com","converted_url":"http:\/\/www.google.com\/search??client=navclient-auto&ch=74451333464&features=Rank&q=info%3Ahttp%3A%2F%2Fhostcule.com"}]}
whilst $url looks like
{"urls":[{"url":"hostcule.com","converted_url":"http:\/\/www.google.com\/search??client=navclient-auto&ch=74451333464&features=Rank&q=info%3Ahttp%3A%2F%2Fhostcule.com"}]}
There is nothing in that code that would produce the code you quote.
My suspicion is that $url already contains the garbled http\/\/, and therefore your http:// recognizing mechanism never triggers.
You need to step back and look where $url comes from. There is where your problem will be.
The code you have there doesn't do any escaping at all. You'll need to post what you do to that $url_ after this line.
use ' instead of "
Related
may not have explained this properly but here we go.
I have a URL that looks like http://www.test.co.uk/?page=2&area[]=thing&area[]=thing2
Multiple "area"s can be added or removed from the URL via links on the site. on each addition of n "area" I wanted to remove the "page" part of the URL. so it can be reset to page1. I used parse_url to take that bit out.
Then I built an http query so it could generate the URL properly without "page"
this resulted in "area%5B0%5D=" "area%5B1%5D=" instead of "area[]="
When I use urldecode, now it shows "area[0]=" and "area[1]="
I need it to be "[]" because when using a link to remove an area, it checks for the "[]=" - when it's [0] it doesn't recognise it. How do I keep it as "[]="?
See code below.
$currentURL = currentURL();
$parts = parse_url($currentURL);
parse_str($parts['query'], $query);
unset($query['page']);
$currenturlfinal = http_build_query($query);
urldecode($currenturlfinal);
$currentURL = "?" . urldecode($currenturlfinal);
This is what I've done so far - it fixes the visual part in the URL - however I don't think I've solved anything as I've realised that what represents 'area' and 'thing' is not recognised as $key or $val as a result of what I think is parsing or reencoding the url in accordance with the code below. So I still can't remove 'areas' using the links
$currentURL_with_QS2 = currentURL();
$parts = parse_url($currentURL_with_QS2);
parse_str($parts['query'], $query);
unset($query['page']);
$currenturlfinal = http_build_query($query);
$currenturlfinal = preg_replace('/%5B[0-9]+%5D/simU', '[]', $currenturlfinal);
urldecode($currenturlfinal);
$currentURL_with_QS = "?" . $currenturlfinal;
$numQueries = count(explode('&', $_SERVER['QUERY_STRING']));
$get = $_GET;
if (activeCat($val)) { // if this category is already set
$searchString = $key . '[]= ' . $val; // we build the query string to remove
I'm using Wordpress as well may I add - maybe there's a way to reset the pagination through Wordpress. of course even then - when I go to page 2 on any page it still changes the "[]" to "5b0%5d" etc....
EDIT: this is all part of a function that refers to $key (the area/category) and $val (name of area or category) which is echoed in the link itself
EDIT2: It works now!
I don't know why but I had to use the original code and make the adjustments I did before again and now it works exactly how I want it to! Yet I couldn't see any visible differences in both codes afterwards. Strange...
As far as I know, there is no built-in way to do this.
You could try with:
$currenturlfinal = http_build_query($query);
Where $query is querystring part w/o area parameters and then:
foreach ($areas as $area) {
$currenturlfinal .= '&area[]='.$area;
}
UPD:
you could try with:
$query = preg_replace('/%5B[0-9]+%5D/simU', '%5B%5D', $query);
just place it right after http_build_query call.
The following code lives on one of my servers:
$curl = curl_init();
$url = "http://www.example.com/controller/action?param1=" . $value1 . "¶m2=" . $value2;
$url = str_replace(" ","%20",$url);
curl_setopt_array($curl, array(
CURLOPT_RETURNTRANSFER => 1,
CURLOPT_URL => $url
));
$result = curl_exec($curl);
Most of the time, this works just fine. However, today in example.com's access logs, I noticed an entry where the second parameter was completely missing. Not just the value, the entire parameter. So the log line was
GET /controller/action?param1=36838242 HTTP/1.1
I can't think of any condition what would cause param2 to be completely missing from the querystring. However, obviously it happened. And there is only one block of code that makes this curl call, so this is definitely the code responsible for the access log entry.
So my question is, under what condition could part of a concatenation fail, but have the rest of the code continue running? Since the code works 99% of the time, I'd love to write it off as a fluke, but this is really bugging me.
As others have pointed out, the string concatenation cannot fail.
I'm going to guess that $value1 contains a some non-printable character that is not being properly encoded. Your str_replace is only handling spaces. You would be much safer doing something like this:
$params = array( 'param1' => $value1,
'param2' => $value2 );
$url = 'http://www.example.com/controller/action?' . http_build_query($params);
And dropping the current call to str_replace.
Cut some word from php available ?
First access to page for example
www.mysite.com/test.php?ABD_07,_oU_876.00/8999&message=success
From my php code, i will get $curreny_link_redirect = test.php?ABD_07,_oU_876.00/8999&message=success
And i want to get $curreny_link_redirect_new = test.php?ABD_07,_oU_876.00/8999
( Cut &message=success )
How can i do ?
<?PHP
$current_link = "$_SERVER[REQUEST_URI]";
$curreny_link_redirect = substr($current_link,1);
$curreny_link_redirect_new = str_replace('', '&message=success', $curreny_link_redirect);
echo $curreny_link_redirect_new;
?>
Your str_replace call is inverse of what it should be. What you want to replace should be the first parameter, not the second.
//Wrong
$curreny_link_redirect_new = str_replace('', '&message=success', $curreny_link_redirect);
//Right
$curreny_link_redirect_new = str_replace('&message=success','', $curreny_link_redirect);
While simple way to do this is to use regex (or even static with str_replace()), I recommend to use built-in functions for url handling. This may be useful when working with complex parameters or multiple parameters:
$data = 'www.mysite.com/test.php?ABD_07,_oU_876.00/8999&message=success';
$url = parse_url($data);
parse_str($url['query'], $url['query']);
//now, do something with parameters:
unset($url['query']['message']);
$url['query'] = http_build_query($url['query']);
$url = http_build_url($url);
-please, note, that http_build_url() is a PECL function (pecl_http to be precise). The way above may look more complex, but it has benefits - first, as I've already mentioned, this will be easy to modify for working with complex parameters or multiple parameters. Second, it will produce valid url - i.e. encode such things as slashes, spaces, e t.c. - in result. Thus, result will always be correct url.
Do like this
<?php
$str = "http://$_SERVER[HTTP_HOST]$_SERVER[REQUEST_URI]";
echo $str = array_shift(explode('&',$str));
Try this:
$current_link_path = substr($_SERVER['PHP_SELF'], 1);
$params = $_GET;
if ($params['message'] == 'success') {
unset($params['message']);
}
$current_link_redirect = $current_link_path . '?' . http_build_query($params);
Maybe not an answer, but a disclaimer for future visitors:
1) I would strongly recommend the function: http://pl1.php.net/parse_url.
And in that case:
$current_link = "$_SERVER[REQUEST_URI]";
$arguments = explode('&', parse_url($current_link, PHP_URL_QUERY));
print_r($arguments);
2) To build new url, use http://pl1.php.net/manual/en/function.http-build-url.php. This is the best, future modifications ready solution I think.
In that case this solution is a little overkill, but these functions are really great, and worth to introduce here.
Best regards
I would like to read a url. www.domain.com?cookie=set&redirect=yes
Now I want to use $ _SERVER['REQUEST_URI'] but this does not work with strip_tags and htmlspecialchars.
Also many I read that you should watch for XSS.
Does anyone know how to save a URL can be used by GET?
$url = "http://'.$_SERVER[HTTP_HOST]$_SERVER[REQUEST_URI];
$url = strip_tags($url);//doesnt work
$url = htmlspecialchars($url);//doesnt work
Thanks!
Edit to (doesnt work):
$url = "http://".$_SERVER[HTTP_HOST]."".$_SERVER[REQUEST_URI];
$url = strip_tags($url);
echo $url;
for example
www.domain.com?cookie=set&redirect=yes
output => index.php?cookie=se%3Cscript%3Et&re%3Cb%3Ed%3C/b%3Eirect=yes
This line
$url = "http://'.$_SERVER[HTTP_HOST]$_SERVER[REQUEST_URI];
Needs to be either
$url = "http://{$_SERVER['HTTP_HOST']}{$_SERVER['REQUEST_URI']}";
or
$url = "http://".$_SERVER['HTTP_HOST'].$_SERVER['REQUEST_URI'];
The way you are currently doing it will not concatenate the data correctly.
Issues with the your line:
Your mixing quotes around the protocol " to open and ' to close
You are not quoting the $_SERVER params e.g $_SERVER['PARAM']
You are not joining the 2 $_SERVER vars with anything so you'll get a syntax error
I'm a bit of a PHP newbie, and I'm trying to do what I believe is quite a complicated operation on a website. So I need your help :)
What I want to do is request a specific page for each client, the only URL variables involved are at the end, as normal.
Basically my variables have been set previously in the script, what I want to say is;
The URL is http://site.com/index.php?image=$clientnumber Somehow.
if you guys could give me some insight on how to do this, that would be great!
You can use the sprintf function to do this:
$url = sprintf('http://site.com/index.php?image=%s', $clientnumber);
PHP String Operators
$new_url = "http://site.com/index.php?image=$clientnumber";
or
$new_url = 'http://site.com/index.php?image=' . $clientnumber;
$data = array('foo'=>'bar',
'baz'=>'boom',
'cow'=>'milk',
'php'=>'hypertext processor');
echo http_build_query($data) . "\n";
Results in:
foo=bar&baz=boom&cow=milk&php=hypertext+processor
For your needs:
$data = array('image'=> $clientnumber);
echo 'index.php?' . $data;
Will give you:
index.php?image=878787283