I'm POSTing the contents of a form field via AJAX to a PHP script and using JavaScript to escape(field_contents). The problem is that any plus signs are being stripped out and replaced by spaces. How can I safely 'encode' the plus sign and then appropriately 'decode' it on the PHP side?
Use encodeURIComponent() in JS and in PHP you should receive the correct values.
Note: When you access $_GET, $_POST or $_REQUEST in PHP, you are retrieving values that have already been decoded.
Example:
In your JS:
// url encode your string
var string = encodeURIComponent('+'); // "%2B"
// send it to your server
window.location = 'http://example.com/?string='+string; // http://example.com/?string=%2B
On your server:
echo $_GET['string']; // "+"
It is only the raw HTTP request that contains the url encoded data.
For a GET request you can retrieve this from the URI. $_SERVER['REQUEST_URI'] or $_SERVER['QUERY_STRING']. For a urlencoded POST, file_get_contents('php://stdin')
NB:
decode() only works for single byte encoded characters. It will not work for the full UTF-8 range.
eg:
text = "\u0100"; // Ā
// incorrect
escape(text); // %u0100
// correct
encodeURIComponent(text); // "%C4%80"
Note: "%C4%80" is equivalent to: escape('\xc4\x80')
Which is the byte sequence (\xc4\x80) that represents Ā in UTF-8. So if you use encodeURIComponent() your server side must know that it is receiving UTF-8. Otherwise PHP will mangle the encoding.
In JavaScript try:
encodeURIComponent()
and in PHP:
urldecode($_POST['field']);
The hexadecimal value you are looking for is %2B
To get it automatically in PHP run your string through urlencode($stringVal). And then run it rhough urldecode($stringVal) to get it back.
If you want the JavaScript to handle it, use escape( str )
Edit
After #bobince's comment I did more reading and he is correct.
Use encodeURIComponent(str) and decodeURIComponent(str). Escape will not convert the characters, only escape them with \'s
To make it more interesting and to hopefully enable less hair pulling for someone else.
Using python, built dictionary for a device which we can use curl to configure.
Problem: {"timezone":"+5"} //throws an error " 5"
Solution: {"timezone":"%2B"+"5"} //Works
So, in a nutshell:
var = {"timezone":"%2B"+"5"}
json = JSONEncoder().encode(var)
subprocess.call(["curl",ipaddress,"-XPUT","-d","data="+json])
Thanks to this post!
If you have to do a curl in php, you should use urlencode() from PHP but individually!
strPOST = "Item1=" . $Value1 . "&Item2=" . urlencode("+")
If you do urlencode(strPOST), you will bring you another problem, you will have one Item1 and & will be change %xx value and be as one value, see down here the return!
Example 1
$strPOST = "Item1=" . $Value1 . "&Item2=" . urlencode("+") will give Item1=Value1&Item2=%2B
Example 2
$strPOST = urlencode("Item1=" . $Value1 . "&Item2=+") will give Item1%3DValue1%26Item2%3D%2B
Example 1 is the good way to prepare string for POST in curl
Example 2 show that the receptor will not see the equal and the ampersand to distinguish both value!
my problem was with the accents (á É ñ ) and the plus sign (+) when i to try to save javascript "code examples" to mysql:
my solution (not the better way, but it works):
javascript:
function replaceAll( text, busca, reemplaza ){
while (text.toString().indexOf(busca) != -1)
text = text.toString().replace(busca,reemplaza);return text;
}
function cleanCode(cod){
code = replaceAll(cod , "|", "{1}" ); // error | palos de explode en java
code = replaceAll(code, "+", "{0}" ); // error con los signos mas
return code;
}
function to save:
function save(pid,code){
code = cleanCode(code); // fix sign + and |
code = escape(code); // fix accents
var url = 'editor.php';
var variables = 'op=save';
var myData = variables +'&code='+ code +'&pid='+ pid +'&newdate=' +(new Date()).getTime();
var result = null;
$.ajax({
datatype : "html",
data: myData,
url: url,
success : function(result) {
alert(result); // result ok
},
});
} // end function
function in php:
<?php
function save($pid,$code){
$code= preg_replace("[\{1\}]","|",$code);
$code= preg_replace("[\{0\}]","+",$code);
mysql_query("update table set code= '" . mysql_real_escape_string($code) . "' where pid='$pid'");
}
?>
Related
I have some javascript code that gets the value of two html form input fields. I escaped the values to allow users to enter in special characters and then placed them into an array that is stringified and then posted.
$(document).ready(function() {
$("#submit").click(function() {
var BuilderName = escape($('[name=BuilderName]').val());
var OwnersName = escape($('[name=OwnersName]').val());
var arraydata = [BuilderName, OwnersName];
$.post("DCF_Update_Query.php", {
data: JSON.stringify(arraydata)
}, function() {
alert('Successful');
}).fail(function() {
alert('Failed');
});
});
});
In my PHP file I retrieve and decode the array and insert it into my database.
$data = json_decode($_POST['data']);
mysqli_query($conn,"INSERT INTO dcf (BuilderName, OwnersName)
VALUES ('$data[0]','$data[1]')");
My problem is that the escaped characters are entering in the database as %26, %27, etc.. How can I un-escape those characters and then re-escape them using mysqli_real_escape_string(). Also, I've heard that json_decode() automatically escapes special characters. If this is the case, then do I even need to escape them with mysqli_real_escape_string()? I'd greatly appreciate any help, Thanks!
You really, really, REALLY need a prepared statement here. No escaping needed
$prep = $conn->prepare("INSERT INTO dcf (BuilderName, OwnersName) VALUES (?, ?)");
$prep->bind_param('ss', $data[0], $data[1]);
$prep->execute();
Try passing the contents of your $data variable through the urldecode function:
$data = urldecode(json_decode($_POST['data']));
I have a pretty complex problem.
I'm using PHP to parse a CSV file to an array and then
var array = <?php echo json_encode( $array ) ?>;
to pass it to the Javascript array.
array is 2-dimensional, like so:
var array = [["\/\\ssa","14104","26","2113","0","867","28083","15","43695"],
["Yee","8661","24","2215","0","991","25245","15","49086"],...]
Now sometimes there seems to be a problem with backslash escapes in the username when it is structured like this:
["username\","sth","sth",...], so when the username ends with a backslash \ .
The output will be:
username", sth, sth, ...
But this is only the first element of the sub-array, the other 8 places are empty.
I have already tried to fix it with a loop replace, but I don't know how to add \" as search value. Is this impossible to do in JS since \" always escapes? Already tried charAt() to compare the last character with the backslash, but no success. Do I have to replace it before passing it to JS, in PHP?
The Parse function is this, if it's important:
<?php>
$url = "data.csv";
$csvData = file_get_contents($url);
$lines = explode(PHP_EOL, $csvData);
$array = array();
foreach ($lines as $line) {
$array[] = str_getcsv($line);
?>
Here a JSfiddle you can play with: https://jsfiddle.net/cLmbe0qf/
You just need to replace backslashes by an html special character :
foreach ($lines as $line) {
$line = str_replace("\\", "\", $line);
// ...
}
This is a little bit more tricky since you have to parse the javascript into an object/array. Anytime you do this, the backslash is parsed out. To avoid doing this you need to store the value in the HTML page or use String.raw to get the literal version of the string.
One way to implement it is to put the the string in the html and get the value of a hidden textarea. (you could store it anywhere, i just chose textarea). You then pass it through this javascript function slashParse which will replace all slashes with ~{}~ then run the javascript parsing algorithm, then replace the ~{}~ back to the backslashes.
function slashParse(target) {
var value = document.getElementById(target).value;
var replacedVal = value.replace(/\\/g, '~{}~');
var parsedVal = JSON.parse(replacedVal);
var mappedVal = parsedVal.map(function(item) {
return item.replace(/~{}~/g, '\\');
});
return mappedVal;
}
var parsed = slashParse('input');
console.log(parsed)
document.getElementById("test").innerText = parsed;
<body>
<div id="test"></div>
</body>
<textarea style="display:none" id="input">["use\rna</textarea><textarea>me\\","2","3","4"]</textarea>
What echoing it out onto the page might look like would be like this.
<textarea style="display:none" id="php-part">
<?=json_encode(htmlentities($array,ENT_NOQUOTES))?>
</textarea>
This is only one solution of a few more. Another option is to do more parsing on the php side of things. The problem you will run into, is that at some point you need to run the string through the JavaScript parsing program. When that happens you cannot have any backslashes. Then after you run it through the parsing, you will have to convert all hidden backslashes back to backslashes.
The one problem with this method is that if there is anywhere EVER where ~{}~ is being placed in the string, it will be converted to backslashes afterwards. Something you can do in order to make it more aloof is to make the string backslashes get turn into even more obfuscated. Such as ~{BACKSLASH_ESCAPE}~
I have a textarea created for a personal message, with a subject. It is passed to a Javascript/jQuery function, which passes it to a PHP file to store in the database. However, when special characters such as the ampersand, less than, greater than, apostrophe, plus sign, and quotations are used, it doesn't store correctly in my database. So without saying, when I retrieve the data, the data is not displayed properly.
Here is the HTML:
<input id="pmsubject" placeholder="Subject"><br />
<textarea id="pmtext" placeholder="Send a private message"></textarea>
<button id="pmBtn" onclick="postPm(pmsubject,pmtext)">Send</button>
Here is the Javascript/jQuery (partial):
function postPm(subject,textarea){
var data = $("#textarea").val();
var data2 = $("#subject").val();
I do some error checking and handling then send my information with AJAX:
type: "POST",
url: "pm_system.php",
data:"data="+data+"&data2="+data2,
So far so good right? Here is the pm_system.php portion where I store the code:
$data = htmlentities($_POST['data']);
$data = mysqli_real_escape_string($db_con, $data);
$data2 = htmlentities($_POST['data2']);
$data2 = mysqli_real_escape_string($db_con, $data2);
$sql = "INSERT INTO pm(subject, message)
VALUES('$data2','$data')";
$query = mysqli_query($db_con, $sql);
mysqli_close($db_con);
So if I write a message that says, I'm a big fan of cats + dogs & "sometimes" birds. My output would be:
I\'m a big fan of cats dogs
It always puts slashes in front of quotations and apostrophes, always replaces + sign with a space, and nothing follows after an ampersand sign. I've tried replacing the characters like this in Javascript:
data = data.replace(/\"/g, '"'); //Just using one for example
But that doesn't work either. How do I save these characters from a textarea in a database, unaltered?
I would guess, that the data you receive through your JavaScript function is already escaped. So when you enter I'm a big fan of cats dog you get I\'m a big fan of cats dogs in your PHP script. When you than use mysqli_real_escape() you are adding another escape character.
So you might want to replace the escape character before:
$data = stripslashes($_POST['data']);
$data = mysqli_real_escape_string($db_con, $data);
$data2 = stripslashes($_POST['data2']);
$data2 = mysqli_real_escape_string($db_con, $data2);
$sql = "INSERT INTO pm(subject, message)
VALUES('$data2','$data')";
$query = mysqli_query($db_con, $sql);
mysqli_close($db_con);
I would not recommend to use htmlentities() but save the data "as is" into the database as otherwise things like full text searches don't work correctly.
The issue with the + sign is probably because you send the values as a query string data:"data="+data+"&data2="+data2 and in a URL, a + sign is used for a space. To fix that, you should rather pass the data as an object:
type: "POST",
url: "pm_system.php",
data: { "data": data, "data2": data2 },
That should fix also most of the other problematic characters.
I'd suggest trying htmlspecialchars() instead of htmlentities(). I've had some troubles with htmlentities() and outputting the data in the past. Using htmlspecialchars() solved it.
I want to get the first character of a string in PHP. But it returns some unknown character like �. Why does that happen?
$text = "अच्छी ाqस्थति में"; // Hindi String
$char = $text[0]; // $text{0}; also try here .
echo $char; // output like �
//expected Output अ
//Below code also used
$char = substr($text , 0 , 1); // Getting same output
If I used javascript I found that I get perfect output:
var text = "अच्छी ाqस्थति में"; // Hindi String
var char = text.charAt(0);
console.log(char) // output like अ
Please anyone tell me about that and a solution to this problem? Why these error if charAt & substr work the same way?
You should use mbstring for unicode strings.
$char = mb_substr($text, 0, 1, 'UTF-8'); // output अ
You can replace 'UTF-8' with any other encoding, if you need it.
PHP does not support unicode by default. Do note that you need mbstring enabled if you want to use this. You can check by checking if extension is loaded:
if (extension_loaded('mbstring')) {
// mbstring loaded
}
I have the following Javascript/Mootools code:
var str = self.tI.get('value').replace(/\s/g,'+'),
data = 'action=getplaces&str=' + str + '&latLng=' + $('coords').get('value'),
r = new Request({
url: 'action.php',
method: 'get',
link: 'cancel',
onSuccess: function (response) {
/* Do Stuff */
}
}).send(data);
console.log(str);
On the first line I replace any spaces with + signs. When I log the value of str in the console, I get the appropriate value (ie: 'blabla+bla')
However, when I send the request, my request fails. If I look at the headers and the query string, the + sign is simply replaced again with a space (ie: 'blabla bla')
What's up with that? And is there a way around it?
For anybody wondering, my problem ended up being server side. Once the data got to the server side, I was trying to incorporate it in another URL but the server had already parsed the %20 and the +'s to spaces. So had to do some string manipulation on the server side.
You need to escape plus as it's a reserved character in HTML Url's
replace it with +