$_GET and multiple spaces. (a discussion in the PHP General forum, part of the PHP Programming Forums)
> -----Original Message-----
> From: Andrés Robinet [mailto:agrobinet@bestplace.biz]
> Sent: Tuesday, 15 January 2008 6:33 AM
> To: php-general@lists.php.net
> Subject: RE: [php] $_GET and multiple spaces.
>
> Like this?
>
> $url = htmlspecialchars('whatever.php?'.urlencode($name). '='.urlencode($value));
>
> Regards,
>
> Rob

I'm now using urlencode on the values and htmlspecialchars on the entire url and it's working nicely.

Thanks to everyone who helped.

Craig.

museumvictoria.com.au
On Mon, January 14, 2008 1:33 pm, Andrés Robinet wrote:
>> -----Original Message-----
>> From: Richard Lynch [mailto:ceo@l-i-e.com]
>> Sent: Monday, January 14, 2008 2:11 PM
>> To: Jochem Maas
>> Cc: clive; Churchill, Craig; php-general@lists.php.net
>> Subject: Re: [php] $_GET and multiple spaces.
>>
>> On Mon, January 14, 2008 3:17 am, Jochem Maas wrote:
>> > I think actually the whole url should be urlencoded as a matter of
>> > course, not 100% sure about this (and it's way too early on a monday to
>> > bother checking up ;-) ... maybe someone else can chime in?
>>
>> Actually, after you urlencode() the values, you should htmlentities
>> the whole URL, as it is being passed to HTML as a value to be output
>> to HTML.
>>
>> The whole URL should *NOT* be URL-encoded, however.
>
> Like this?
>
> $url = htmlspecialchars('whatever.php?'.urlencode($name). '='.urlencode($value));

Yes, but if your $name is weird enough to need to be urlencoded, you
probably are doing something "Wrong" from a stylistic programming
stand-point...

I'm not even sure of the rules for what can be in a $name, come to
think of it...

--
Some people have a "gift" link here.
Know what I want?
I want you to buy a CD from some indie artist.
http://cdbaby.com/from/lynch
Yeah, I get a buck. So?
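The two-layer encoding Richard Lynch describes (urlencode() each value, then HTML-escape the finished URL, never urlencode() the whole URL), as an added example that is not part of the thread; the helper buildLink() and the sample values are constructed for it:

```php
<?php
// Added example (not from the thread): urlencode() each query component,
// then htmlspecialchars() the finished URL because it is emitted inside an
// HTML attribute. buildLink() and the sample values are constructed here.

function buildLink(string $script, array $params): string
{
    $pairs = [];
    foreach ($params as $name => $value) {
        // Layer 1: percent-encoding per component, so '&', '=', '#' and
        // spaces inside a value cannot be mistaken for URL delimiters.
        $pairs[] = urlencode((string) $name) . '=' . urlencode((string) $value);
    }
    $url = $script . '?' . implode('&', $pairs);

    // Layer 2: HTML escaping of the whole URL, so the '&' between pairs
    // becomes '&amp;' and a quote can never terminate the href attribute.
    return htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
}

// Constructed input: a value with multiple spaces (the thread's original
// problem), an ampersand and a double quote, plus a second parameter so
// that the pair separator shows up in the output.
$value = 'two  spaces & a "quote"';
$href  = buildLink('whatever.php', ['q' => $value, 'page' => 2]);

echo '<a href="' . $href . '">link</a>', PHP_EOL;

// What NOT to do: urlencode() the complete URL. The '?' and '=' delimiters
// get encoded as well and the request no longer carries a query string.
echo urlencode('whatever.php?q=' . $value), PHP_EOL;

// Round trip: undo the HTML layer (what the browser does when it follows
// the link), then parse the query the way the receiving script sees it.
$query = parse_url(html_entity_decode($href, ENT_QUOTES, 'UTF-8'), PHP_URL_QUERY);
parse_str($query, $got);
var_dump($got['q'] === $value, $got['page'] === '2');
```

The final var_dump() confirms that the multiple spaces, the ampersand and the quote all survive the two decode steps intact.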
Andrés Robinet schreef:
>> -----Original Message-----
>> From: Richard Lynch [mailto:ceo@l-i-e.com]
>> Sent: Monday, January 14, 2008 7:08 PM
>> To: Andrés Robinet
>> Cc: php-general@lists.php.net
>> Subject: RE: [php] $_GET and multiple spaces.
>>
>> On Mon, January 14, 2008 1:33 pm, Andrés Robinet wrote:
>> ....
>>> Like this?
>>>
>>> $url = htmlspecialchars('whatever.php?'.urlencode($name). '='.urlencode($value));
>>
>> Yes, but if your $name is weird enough to need to be urlencoded, you
>> probably are doing something "Wrong" from a stylistic programming
>> stand-point...
>>
>> I'm not even sure of the rules for what can be in a $name, come to
>> think of it...
>
> I think I can tell you what... it has just come to my mind (nirvana
> moment)... how about this?
>
> $name = 'mylist[myindex]';

this is almost an invite to moan about how http_build_query() was 'fixed'
in 5.1.3 to escape square brackets ... which makes php no longer do one of
the coolest, imho, with regard to incoming GET/POST values - namely
auto-convert bracketed request var names into native arrays. at least if
those strings are used in anything other than a URL context (form inputs
anyone). It would have been nice to have the encoding as an optional
switch/argument.

/* since php5.1.3 http_build_query() urlencodes square brackets - this does not please us at all,
 * this function fixes the problem the encoding causes us when using http_build_query() output
 * in hidden INPUT field names.
 */
function inputPostQueryUnBorker($s)
{
    // first version - slower? more code!
    /*
    return preg_replace('#(\?|&(?:amp;)?)([^=]*)=#eU',
                        "'\\1'.str_replace(array('%5B','%5D'), array('[',']'), '\\2').'='",
                        $s);
    //*/

    // second version - faster? more compact! (should work identically to the above statement.)
    // note: both versions rely on the preg /e modifier, which was removed in PHP 7.0;
    // on current PHP the same replacement needs preg_replace_callback().
    return preg_replace('#%5[bd](?=[^&]*=)#ei', 'urldecode("\\0")', $s);
}

> Regards,
>
> Rob
> -----Original Message-----
> From: Richard Lynch [mailto:ceo@l-i-e.com]
> Sent: Monday, January 14, 2008 7:08 PM
> To: Andrés Robinet
> Cc: php-general@lists.php.net
> Subject: RE: [php] $_GET and multiple spaces.
>
> On Mon, January 14, 2008 1:33 pm, Andrés Robinet wrote:
> ....
> > Like this?
> >
> > $url = htmlspecialchars('whatever.php?'.urlencode($name). '='.urlencode($value));
>
> Yes, but if your $name is weird enough to need to be urlencoded, you
> probably are doing something "Wrong" from a stylistic programming
> stand-point...
>
> I'm not even sure of the rules for what can be in a $name, come to
> think of it...

I think I can tell you what... it has just come to my mind (nirvana moment)... how about this?

$name = 'mylist[myindex]';

Regards,

Rob

Andrés Robinet | Lead Developer | BESTPLACE CORPORATION
5100 Bayview Drive 206, Royal Lauderdale Landings, Fort Lauderdale, FL 33308 | TEL 954-607-4207 | FAX 954-337-2695
Email: info@bestplace.net | MSN Chat: best@bestplace.net | SKYPE: bestplace | Web: http://www.bestplace.biz | Web: http://www.seo-diy.com
Andrés Robinet schreef:
>> -----Original Message-----
>> ....
>>>
>>> $name = 'mylist[myindex]';
>> this is almost an invite to moan about how http_build_query() was 'fixed'
>> in 5.1.3 to escape square brackets ... which makes php no longer do one of
>> the coolest, imho, with regard to incoming GET/POST values - namely
>> auto-convert bracketed request var names into native arrays. at least if
>> those strings are used in anything other than a URL context (form inputs
>> anyone). It would have been nice to have the encoding as an optional
>> switch/argument.
>
> Well, almost... the other part of the world that arguably wanted square
> brackets escaped in http_build_query will be very pleased (let me tell you I
> don't use http_build_query, but have my own as sometimes PHP 5 is not an
> option...).
> I guess they thought http_build_query would always be used in a URL
> context. But yes... escaping square brackets could be made optional and we
> get the best of both worlds.
>
> Anyway... my point was that names may need escaping, at least in some
> contexts. But let me ask you because maybe I'm wrong:
>
> <a href="index.php?list%5Bindex%5D=value">Click</a>
>
> Wouldn't this be translating into $_GET['list']['index'] == 'value'? As far
> as I've tested, it is... Also, it seems that "[" and "]" are unsafe
> characters according to http://www.ietf.org/rfc/rfc1738.txt
> ....
> Maybe that's why they chose to escape square brackets. I'm not a standards
> freak, but rather a pragmatic man. Just trying to prove a point.

you are completely correct, and I agree. I am also pragmatic - it was
pragmatism that got me using http_build_query in a non-url context ...

I have an ORM-like tool with a generic frontend that creates very complex
POST/GET values/strings that describe what I like to call a 'data path' ..
which allows you to specify stuff like 'the list [or details] of all subitems
belonging to the 3 selected subitems of the item with keyfield values ,Y and Z'.

this is done using a structure which is a nested array that translates across
requests nicely using http_build_query() - but it means the resulting request
parameter names are used in a GET context and in a POST context, which means
using the parameter names in the context of INPUT tag names, and in such cases
the encoding is not wanted - it may be that encoding is required by certain
standards in such a context BUT php doesn't recognise urlencoded square
brackets in the way one wants ... namely one doesn't get a neat nested array
in $_POST but rather stuff like:

$_POST["e[f][n]"] = "entityname"

(as opposed to:)

$_POST["e"]["f"]["n"] = "entityname"

(which is what my ORM-like generic thingy was expecting.)

the function I showed isn't named 'inputPost*' for nothing :-) it was
specifically written for the task of making request parameter names as
generated by http_build_query() usable in the name attribute of input tags
and have them behave as they would if found in a GET query string.

the only reason I remember all this about http_build_query() is because it:

a) totally broke my app/tool at a time when I didn't have control of the php
version and didn't have time to actually fix (well I had to make time :-)

b) it was quite a headache getting the regexp in question to do exactly what
I wanted (e.g. that only square brackets encountered in request variable
names should be decoded and those found in request variable values should be
left encoded, etc, etc).

sometimes it's fun to reminisce :-P

> ....
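An added example, not the thread's own code, serving both the inputPostQueryUnBorker() function Jochem posted and his explanation above of why brackets must be decoded in names but left encoded in values. It rewrites the idea with preg_replace_callback() (PHP 7 removed the preg /e modifier) and simulates the browser's form encoding to show why an encoded bracket in an INPUT name reaches $_POST as a flat key. The function names, the sample data and the PHP 7.1+ assumption are mine:

```php
<?php
// Added example, not the thread's own code: a preg_replace_callback() rewrite
// of the inputPostQueryUnBorker() idea (PHP 7 removed the preg /e modifier),
// plus a simulation of why encoded brackets in INPUT names break nested
// $_POST arrays. Function names and sample data are constructed; PHP 7.1+.

// Decode %5B / %5D only where they sit in a parameter name. The lookahead
// demands a '=' further on in the same '&'-delimited segment with no other
// '=' before it, so brackets inside values stay encoded.
function decodeBracketsInNames(string $query): string
{
    return preg_replace_callback(
        '#%5[bd](?=[^&=]*=)#i',
        function (array $m): string { return urldecode($m[0]); },
        $query
    );
}

// Split a query string into the name => value pairs a form would carry in
// its INPUT tags: names are kept as-is, values are decoded for display.
function toFields(string $query): array
{
    $fields = [];
    foreach (explode('&', $query) as $pair) {
        [$name, $value] = array_pad(explode('=', $pair, 2), 2, '');
        $fields[$name] = urldecode($value);
    }
    return $fields;
}

// Mimic a browser submitting those fields: application/x-www-form-urlencoded
// encodes '[' as %5B and a literal '%' as %25; PHP then decodes exactly once
// and only splits names that contain real brackets after that decode.
function simulateFormSubmit(array $fields): array
{
    parse_str(http_build_query($fields), $parsed);
    return $parsed;
}

$data  = ['e' => ['f' => ['n' => 'entity[name]']], 'q' => 'a&b'];
$raw   = http_build_query($data);      // brackets in both name and value encoded
$fixed = decodeBracketsInNames($raw);  // name brackets literal, value bracket kept
echo $raw, PHP_EOL, $fixed, PHP_EOL;

// In a GET URL both forms yield the same nested array, as Andrés observed.
parse_str($raw, $fromRaw);
parse_str($fixed, $fromFixed);
var_dump($fromRaw === $fromFixed);

// As INPUT names, the raw form collapses to one flat key holding the
// percent-encoded name, while the fixed form nests into ['e']['f']['n'].
var_dump(simulateFormSubmit(toFields($raw)));
var_dump(simulateFormSubmit(toFields($fixed)));
```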
> -----Original Message-----
> From: Jochem Maas [mailto:jochem@iamjochem.com]
> Sent: Monday, January 14, 2008 8:34 PM
> To: Andrés Robinet
> Cc: php-general@lists.php.net
> Subject: Re: [php] $_GET and multiple spaces.
>
> Andrés Robinet schreef:
> ....
> > I think I can tell you what... it has just come to my mind (nirvana
> > moment)... how about this?
> >
> > $name = 'mylist[myindex]';
>
> this is almost an invite to moan about how http_build_query() was 'fixed'
> in 5.1.3 to escape square brackets ... which makes php no longer do one of
> the coolest, imho, with regard to incoming GET/POST values - namely
> auto-convert bracketed request var names into native arrays. at least if
> those strings are used in anything other than a URL context (form inputs
> anyone). It would have been nice to have the encoding as an optional
> switch/argument.

Well, almost... the other part of the world that arguably wanted square
brackets escaped in http_build_query will be very pleased (let me tell you I
don't use http_build_query, but have my own as sometimes PHP 5 is not an
option...).
I guess they thought http_build_query would always be used in a URL
context. But yes... escaping square brackets could be made optional and we
get the best of both worlds.

Anyway... my point was that names may need escaping, at least in some
contexts. But let me ask you because maybe I'm wrong:

<a href="index.php?list%5Bindex%5D=value">Click</a>

Wouldn't this be translating into $_GET['list']['index'] == 'value'? As far
as I've tested, it is... Also, it seems that "[" and "]" are unsafe
characters according to http://www.ietf.org/rfc/rfc1738.txt

"Unsafe:

Characters can be unsafe for a number of reasons. The space character is
unsafe because significant spaces may disappear and insignificant spaces may
be introduced when URLs are transcribed or typeset or subjected to the
treatment of word-processing programs. The characters "<" and ">" are unsafe
because they are used as the delimiters around URLs in free text; the quote
mark (""") is used to delimit URLs in some systems. The character "#" is
unsafe and should always be encoded because it is used in World Wide Web and
in other systems to delimit a URL from a fragment/anchor identifier that
might follow it. The character "%" is unsafe because it is used for encodings
of other characters. Other characters are unsafe because gateways and other
transport agents are known to sometimes modify such characters. These
characters are "{", "}", "|", "\", "^", "~", "[", "]", and "`".

All unsafe characters must always be encoded within a URL...."

Maybe that's why they chose to escape square brackets. I'm not a standards
freak, but rather a pragmatic man. Just trying to prove a point.

> /* since php5.1.3 http_build_query() urlencodes square brackets - this does not please us at all,
>  * this function fixes the problem the encoding causes us when using http_build_query() output
>  * in hidden INPUT field names.
>  */
> function inputPostQueryUnBorker($s)
> ....

Thanks a lot! I'll surely give it a try.

Regards,

Rob

Andrés Robinet | Lead Developer | BESTPLACE CORPORATION
5100 Bayview Drive 206, Royal Lauderdale Landings, Fort Lauderdale, FL 33308 | TEL 954-607-4207 | FAX 954-337-2695
Email: info@bestplace.net | MSN Chat: best@bestplace.net | SKYPE: bestplace | Web: http://www.bestplace.biz | Web: http://www.seo-diy.com