
Retrieving the data from htmlspecialchars(http_build_query($string))?



Hello, I'm learning PHP, so a complete noob right now. First to the question itself: I want to know how to retrieve the data (variables & their values) from the url, which was made or generated (or whatever the right word is) by using http_build_query() in php. I created a querystring ($string) with certain variables & dynamic values that I'm passing to a url



http://www.example.com/example.php?.http_build_query($string)


That's working fine, I'm able to echo or retrieve the variables & their dynamic values (the values change as the variables aren't defined with constant values), by using $_GET on the ending page. But when I try to sanitize the data by using htmlspecialchars, in which case the url becomes like this



http://www.example.com/example.php?.htmlspecialchars(http_build_query($string))


I'm only able to retrieve or echo out the value of the first variable. I understood the reason to be that htmlspecialchars converts '&' (the variable separator) to '&amp;'. But I don't know the solution. So, in this case (presuming what I'm doing is right!) how to retrieve the data (or the values of the variables) at the end page? What is the best way of retrieving the data in this type of case? I would be grateful if someone could provide me a simple example on how to do this. I did search on the Internet; all examples of retrieving data on the internet are laid out using a format (with constant values for variables) but no generic examples for dynamic urls (if I can call them so). As I said, I'm too noobish to get a grasp of those.


1 - the two lines of code you show do not make sense to me.  These are not proper url strings, nor are they proper php code.  Please show the entire line in your script that generates this if that is what you are showing us.

 

2 - When you say you can echo stuff and see correct stuff, just where and when are you doing that echo?  In the same script that creates it or in the script you are calling with this url?

 

3 - retrieving the data from the url?  I assume you are now talking about doing this in the script that you mention in the url itself (as you have showed us).  $_SERVER['QUERY_STRING'] would be the value you can use for that I believe.  Perhaps with a urldecode command added to the result also.

Edited by ginerjm

There seem to be some general misunderstandings about escaping.

 

You're dealing with two layers here: On the one hand, you have the URL itself with its specific syntax. On the other hand, this URL is embedded in an HTML document which has its own syntax.

 

You start with a valid URL. The http_build_query() function is indeed helpful for this, because it automatically takes care of encoding reserved characters, setting the right delimiters etc. Let's say your result is this:

https://example.com/page?foo=bar&qux=quux

Now you want to embed the URL in an HTML document (as a href attribute, for example). Using the raw URL would be a bad idea, because this might lead to a cross-site scripting attack. The ampersand is also more or less reserved for HTML entities and shouldn't be used as a literal character.

 

So the URL (the entire URL!) needs to be HTML-escaped before it can be embedded into the HTML document. The result will be something like this:

https://example.com/page?foo=bar&amp;qux=quux

Note that the “&amp;” entity only affects the HTML parser. Once your browser has interpreted the HTML markup, it “sees” the real URL with its literal ampersand:

https://example.com/page?foo=bar&qux=quux

All parameters are intact. If they aren't, there's some other problem. What does the URL look like in the browser bar after you've clicked on the link?

 

 

 

It's very important to understand those two stages (many people don't). The “&amp;” entity does not change or even break the URL. It merely helps the browser parse the HTML document. Once this step is done, you have a literal ampersand again.

 

Also note that you're using htmlspecialchars() incorrectly. If you only give it an input string, how is it supposed to know what this string means? A string by itself is just a bunch of bytes. To map those bytes to actual characters, the function needs to know the character encoding you're using. ASCII? ISO 8859-1? UTF-8? Something else?

 

Specify the character encoding as the third parameter. It's also strongly recommended that you use the ENT_QUOTES flag so that single quotes will be escaped as well. Otherwise, single-quoted attributes will be entirely unprotected. If you're using UTF-8, you should also specify the ENT_SUBSTITUTE flag. This will replace faulty byte sequences with a special error character instead of returning an empty string.

 

So you want something like this:

htmlspecialchars($input, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
Edited by Jacques1
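The two layers described in the post above, side by side in one script. This is an added example, not code from the thread: the parameter names, the example.com URLs and the injection-looking value are made up for illustration. It builds one URL with http_build_query(), shows the HTML-escaped form that belongs in an href attribute and the raw form that belongs in a header() redirect, and simulates the browser's decoding step to show that the &amp; entity never reaches the server.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. Parameter names, values and the
// example.com URLs are made up for illustration.

// HTML layer: escape a string for placement inside an HTML document.
// ENT_QUOTES also protects single-quoted attributes; ENT_SUBSTITUTE replaces
// invalid UTF-8 with U+FFFD instead of returning an empty string.
function h(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// URL layer: http_build_query() percent-encodes keys and values ('@' -> %40,
// ' ' -> '+', quotes and angle brackets likewise) and joins the pairs with
// a literal '&'. The result is the real URL.
function buildUrl(string $base, array $params): string
{
    return $base . '?' . http_build_query($params);
}

// Use 1: the URL lands inside an HTML attribute, so the whole URL is
// HTML-escaped. Only the '&' separators change; the browser turns &amp; back
// into '&' before it requests the page, so $_GET on the target still sees
// every parameter.
function linkHtml(string $url, string $label): string
{
    return '<a href="' . h($url) . '">' . h($label) . '</a>';
}

// Use 2: the URL goes into an HTTP header. No HTML parser is involved, so
// HTML-escaping here would send a literal "&amp;" to the server and break
// the query string.
function redirectTo(string $url): void
{
    header('Location: ' . $url, true, 303);
    exit;
}

$params = [
    'name'  => 'some thing',
    'city'  => "O'Fallon",                    // quote that must not end an attribute
    'email' => 'email@email.com',
    'note'  => '"><script>alert(1)</script>', // constructed injection attempt
];
$url = buildUrl('http://www.example.com/example2.php', $params);

echo "URL for header('Location: ...'):\n  $url\n\n";
echo "Same URL embedded in HTML:\n  " . linkHtml($url, 'continue') . "\n\n";

// Simulate the browser's HTML parsing step: the attribute value decodes back
// to the original URL, which is why "&amp;" never reaches the server.
$seenByBrowser = html_entity_decode(h($url), ENT_QUOTES | ENT_HTML5, 'UTF-8');
echo 'Round trip through the HTML parser: '
    . ($seenByBrowser === $url ? 'intact' : 'BROKEN') . "\n";
```

Run it from the command line and compare the two printed URLs: the query part is already percent-encoded by http_build_query(), so the injection-looking value is harmless in both, and the only characters htmlspecialchars() changes are the ampersands. The escaping is still required in the HTML case because a base URL or path taken from user input (not the case here) would not be percent-encoded, and because a literal '&' inside an attribute is an HTML syntax error. redirectTo() is defined but not called so the script can run under the CLI.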

Ok, I'll better explain myself. 

 
1) Let's say there is a page, www.example.com/example1.php, and I created a '$string' in that page like below.

$string = array(
    'name'    => 'some thing',
    'city'    => 'some thing1',
    'country' => 'some thing2',
    'email'   => 'email@email.com'
);

And on the same page(example1.php)I used http_build_query() like this

$redirect = 'http://www.example.com/example2.php?'.http_build_query($string);

As you can see, I've not used htmlspecialchars(). In this case, I'm being redirected to the 'example2.php' page along with the variable information, and the resulting url (on example2.php) looks like this

http://www.example.com/example2.php?name=value1&city=value2&country=value3&email=email%40email.com

So, I'm just echoing the values on the example2.php like this

echo $_GET['name'];
echo $_GET['city'];
echo $_GET['country'];
echo $_GET['email'];

and the page outputting all the correct values of respective variables. But the problem starts when I add htmlspecialchars(). 

 
On the example1.php page I'm just adding htmlspecialchars() like this

$redirect = 'http://www.example.com/example2.php?'.htmlspecialchars(http_build_query($string));

or

$redirect = 'http://www.example.com/example2.php?'.htmlspecialchars(http_build_query($string), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); // as suggested by @Jacques1

no matter how I add htmlspecialchars(), I end up getting same type of url like this

http://www.example.com/example2.php?name=value1&amp;city=value2&amp;country=value3&amp;email=email%40email.com

As you can see, the only difference between the two urls (the one I got before or without using 'htmlspecialchars' & the other one after using 'htmlspecialchars') is that '&' (the variable separator) in the url becomes '&amp;' if I use htmlspecialchars(), and I guess because of that only the first variable's value (in the above example, the value of 'name') can be retrieved or echo'd. For the remaining echos (of the other variables), I get undefined index.

 

On the second page(example2.php) I've not changed the code, just same echoing of variables as mentioned above.  

 
I hope I explained myself a little better now.

I would like to edit my above (previous) post as it contains some mistakes, and the issue is no longer that one, but I can't seem to find a way to do so. So, if the moderators (presuming the forum rules permit) can replace the text of my above (or previous) post with the following, the thread would look great (concise) & straight to the point (the above post is entirely unnecessary as it explains the same thing as the OP but in a lengthier manner; I posted it before trying the suggestion made by @ginerjm). 

 

$_SERVER['QUERY_STRING'] has worked for me, & now I have to strip it into different variables. And it seems there is a lot of divided opinion on using parse_str (across the internet, some recommend it & some don't). Can somebody let me know what is the best method to strip $_SERVER['QUERY_STRING'] into an array of the variables it contains? 


I've already understood the problem the first time, you don't need to explain it twice.

 

But now it seems you're not embedding the link in your HTML document but rather use it in a header() call for a redirect. Then of course you must not HTML-escape it. As I've already tried to explain above, the whole purpose of htmlspecialchars() is to allow you to embed the URL in an HTML document. If that was never your intention, then why on earth would you HTML-escape it?


I've already understood the problem the first time, you don't need to explain it twice.

 

But now it seems you're not embedding the link in your HTML document but rather use it in a header() call for a redirect. Then of course you must not HTML-escape it. As I've already tried to explain above, the whole purpose of htmlspecialchars() is to allow you to embed the URL in an HTML document. If that was never your intention, then why on earth would you HTML-escape it?

 

Yeah, I understand that my second post is entirely unnecessary (that's why I left a message to the moderator in my previous post to replace that entire text with what I posted in my previous post; you can read my message to the moderator in the first paragraph of my previous post), but the moderator didn't seem to have read that message, or the forum rules may not allow editing text once it is posted (I still can't find a way to edit my posts in this forum, otherwise I would have edited it myself).

 

And coming to your query of why on earth I'm doing all this: it's for learning!! as I stated in the first line of my first post. Apparently, there is a small website of my friend's, which I volunteered to work on (it's already live, but just needs a few personalizations) so that I can learn a few things about PHP in the process. And by the way, I'm doing all this on my local WAMP server on my pc itself (so not messing with the live site either!). 


You can use explode to split up the query string into each "var=value" component. Then loop through the resulting array and explode each of them into the var name and the value.

 

 

$args = explode("&", $the_url_string);
$params = array();
foreach ($args as $arg)
{
    $pair = explode("=", $arg, 2);            // limit 2: a value may itself contain '='
    $var = urldecode($pair[0]);               // undo the percent-encoding http_build_query() applied
    $val = isset($pair[1]) ? urldecode($pair[1]) : '';
    $params[$var] = $val;                     // do something with this var/val pair
}
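The two parsing options raised in this thread (the parse_str() the original poster asked about, and the explode() loop in the post above) worked through on the same input, including the HTML-escaped query string that caused the undefined-index errors. This is an added example, not code from the thread; the query strings are constructed to match the ones discussed, and the function names are made up.

```php
<?php
declare(strict_types=1);

// Added example, not code from the thread. The query strings are constructed
// to match the ones discussed above.

// Safe use of parse_str(): always pass the result array. The one-argument
// form (removed in PHP 8.0) created variables in the current scope from
// attacker-controlled names, which is why the function has a bad reputation.
// parse_str() percent-decodes values, turns '+' into a space and builds
// nested arrays for keys like 'a[]' exactly as PHP does for $_GET.
function parseQuery(string $queryString): array
{
    $result = [];
    parse_str($queryString, $result);
    return $result;
}

// The explode() approach from the post above, with the details it needs in
// practice: split on the first '=' only (a value may contain '='), tolerate a
// key with no value, and percent-decode both halves.
function parseQueryManually(string $queryString): array
{
    $pairs = [];
    foreach (explode('&', $queryString) as $arg) {
        if ($arg === '') {
            continue;                      // e.g. a trailing '&'
        }
        $part = explode('=', $arg, 2);
        $key = urldecode($part[0]);
        $val = isset($part[1]) ? urldecode($part[1]) : '';
        $pairs[$key] = $val;
    }
    return $pairs;
}

// Returns the parameter names a parser extracts, so the two inputs below can
// be compared directly.
function keysOf(string $queryString): array
{
    return array_keys(parseQuery($queryString));
}

// Constructed inputs: the correct query string, and the HTML-escaped one the
// original poster was accidentally sending through header().
$good = 'name=some+thing&city=value2&country=value3&email=email%40email.com';
$bad  = 'name=some+thing&amp;city=value2&amp;country=value3&amp;email=email%40email.com';

foreach (['good' => $good, 'bad' => $bad] as $label => $qs) {
    echo "$label: " . implode(', ', keysOf($qs)) . "\n";
}

// The two parsers agree on a normal query string (parse_str() differs only
// in that it rewrites '.' and ' ' in parameter names to '_', like $_GET).
var_dump(parseQuery($good) === parseQueryManually($good));
```

For the escaped input the extracted names are name, amp;city, amp;country and amp;email, which is exactly why $_GET['city'] and the rest were undefined: the receiving page is doing nothing wrong, the sending page is HTML-escaping a URL that never passes through an HTML parser. On the receiving page $_GET already holds what parseQuery($_SERVER['QUERY_STRING']) returns, so parsing QUERY_STRING by hand is only needed when the raw string itself is of interest. Keep the parsed values in a local array as shown rather than using extract() on them; importing request-controlled names into the local scope is the same hazard the old one-argument parse_str() had.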
