urlencode problems

Hi,

I am having problems with running urlencode(select * from myfile where
field like '%0002%'), in particular the like section. What I get is...
like+%27%250002%25%27
...which is fine, but when I decode it I get...
like \'02\'
...I get backslashes before the single quotes and 2 of the leading
zeroes in 0002 are missing.

Does anyone have any clues?

Regards
Doug Johnston
Aug 26 '05 #1
Hi,

Not on my machine...
I made this little script to test.

<?php
// Round-trip test: encode the query, decode it again, and print all three
// stages through htmlentities() so the browser shows the strings exactly as they are.
$astr = "select * from myfile where field like '%0002%'";
$enc = urlencode($astr);
$dec = urldecode($enc);

echo "astr = ".htmlentities($astr)."<br>";
echo "enc = ".htmlentities($enc)."<br>";
echo "dec = ".htmlentities($dec)."<br>";
?>

which produces:

astr = select * from myfile where field like '%0002%'
enc = select+%2A+from+myfile+where+field+like+%27%250002%25%27
dec = select * from myfile where field like '%0002%'

Does it produce the same on your machine?

You must be adding slashes somewhere to make it 'safe'.
Maybe your php.ini settings are doing things you are not aware of?

By the way: everybody can make their own queries, and updates, if you pass
around SQL commands like this...
Please reconsider your design...
Regards,
Erwin Moller
Aug 26 '05 #2
Hi Erwin,

Thanks for your reply. I have found stripslashes to work well for me,
but I am having to fudge the disappearing zeroes.

With regard to security apart from MySQL login and some unique client
data, the whole lot will be in a protected directory. Is this enough? I
guess if anyone wants to try hard enough they will get through anything.
Maybe there is something else I could do?

Regards
Doug Johnston
Aug 26 '05 #3
Doug Johnston wrote:
Hi Erwin,
Hi,

Thanks for your reply. I have found stripslashes to work well for me,
but I am having to fudge the disappearing zeroes.
Well, look deeper. :-)
The fact that you cannot pass name/value pairs around the way you expect is a
sign something is wrong somewhere.
I think you might hit other issues later.
Can you pass around a random string with URL-encode via query string?
Just make a sample script, and see if it works.
If not, go check the documentation at php.net and check your php.ini
settings, etc. (Use htmlentities to be sure you print a string as it is in
a webpage.)

In cases like this, always spend some extra time figuring it out.
Sometimes 'minor problems' return later on with an extra bite. :-(
Just my advice of course. :-)

With regard to security apart from MySQL login and some unique client
data, the whole lot will be in a protected directory. Is this enough?
Hard to say. What is a protected directory? Like a .htaccess file?

I guess if anyone wants to try hard enough they will get through anything.
Yes and no.
Do not take this the wrong way, but that is no valid argument.
If you open a can of top-quality crackers, I expect that they can break a
lot of systems.
But that is no excuse for being sloppy and making things easy for the less
talented.
The easier the crack/hack, the more people will see it.
I mean: every web programmer immediately recognizes that URL as a
security hole. (That goes for method POST in a form too, by the way.)
I think it is a bad habit to pass queries around like that.

The question, of course, is whether the receiving script will execute the query.
If it does not (and only stores it somewhere in a logfile, e.g.), the situation
is less serious of course. :-)

Sorry if I sound patronizing. (slap me. :P)

Maybe there is something else I could do?
I always add things like this:
The script that receives the SQL query should start with checking the
session to be sure the one logged in has access to that script.
e.g.: $_SESSION["admin"] should contain "Y"
if not: terminate the script and scoff the user.

Good luck

Regards,
Erwin Moller


Regards
Doug Johnston

Aug 26 '05 #4
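Erwin's advice in #4 turned into a receiving script, as an added example that is not from the thread: the session check comes first, the client sends a search term instead of SQL, and the term is bound into a prepared LIKE query. The in-memory SQLite database, the demo rows in myfile/field and the $session/$request arrays are constructed stand-ins for the MySQL server, $_SESSION and $_GET.

```php
<?php
// Added example, not code from the thread. It implements Erwin's advice in #4:
// the receiving script checks the session before doing anything, and the client
// sends only a search term (parameter "q"), never SQL. Table and column names
// come from Doug's query; the in-memory SQLite database and the $session and
// $request arrays are constructed stand-ins for MySQL, $_SESSION and $_GET.

function is_admin(array $session): bool
{
    // Erwin's check: $_SESSION["admin"] must contain "Y".
    return isset($session['admin']) && $session['admin'] === 'Y';
}

// Wrap the term in % wildcards but escape the LIKE metacharacters inside it so
// "0002", "50%" or "a_b" match literally; "!" is the escape char (SQLite and MySQL).
function like_pattern(string $term): string
{
    $escaped = str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $term);
    return '%' . $escaped . '%';
}

function search_myfile(PDO $db, string $term): array
{
    // Bound parameter: quotes, backslashes and % in the term are data, not SQL,
    // so no urlencode/addslashes/stripslashes juggling is needed on the way in.
    $stmt = $db->prepare("SELECT id, field FROM myfile WHERE field LIKE :p ESCAPE '!'");
    $stmt->execute([':p' => like_pattern($term)]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- constructed data so the script runs offline ---
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE myfile (id INTEGER PRIMARY KEY, field TEXT)');
$ins = $db->prepare('INSERT INTO myfile (field) VALUES (?)');
foreach (['ABC0002XYZ', "it's 0002", '0002', '02 only', '100% done'] as $v) {
    $ins->execute([$v]);
}
$session = ['admin' => 'Y'];   // constructed; normally $_SESSION after session_start()
$request = ['q' => '0002'];    // constructed; normally $_GET

// --- the receiving script ---
if (!is_admin($session)) {
    http_response_code(403);
    exit('Access denied');
}
$term = (string) ($request['q'] ?? '');
foreach (search_myfile($db, $term) as $row) {
    echo $row['id'], ': ', htmlentities($row['field']), PHP_EOL;
}
```

With the constructed rows, only the three rows containing the literal text 0002 are returned; the row "02 only" is not, because the term is matched as data rather than spliced into the SQL.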