AzeS Posted November 11, 2017

I have a problem with umlauts in the URL. I know that it probably has something to do with the .htaccess, but I'm not sure about that. Generally I have a problem with the umlauts; most of it is handled by "str_replace" and under control, as also the formatting that takes place in normal declarations and outputs. But when I hand over a value by the $_GET handler after forwarding via header location, the problem emerges on a scale that exceeds my knowledge towards this issue.

Text before forwarding via header location:
Ihre Email wurde erfolgreich verifiziert. Sie können nun fortfahren. #ENG: Your email has been verified, you can now proceed....
(https://www.vii7.eu/Register?rmsg=Ihre Email wurde erfolgreich verifiziert. Sie können nun fortfahren.)

Text after forwarding via header location:
Ihre%252520Email%252520wurde%252520erfolgreich%252520verifiziert.%252520Sie%252520k%2525C3%2525B6nnen%252520nun%252520fortfahren.
(https://www.vii7.eu/Register?rmsg=Ihre%252520Email%252520wurde%252520erfolgreich%252520verifiziert.%252520Sie%252520k%2525C3%2525B6nnen%252520nun%252520fortfahren.)

Processing rmsg:

    public function word($INPT, $ENCODE) {
        // strip tags, trim, undo one "%2520" layer, drop NUL bytes, then HTML-escape once
        return htmlspecialchars(
            str_replace(chr(0), "", str_replace("%2520", " ", trim(strip_tags($INPT)))),
            ENT_QUOTES | ENT_SUBSTITUTE,
            $ENCODE
        );
    }

Final Output text:
Ihre Email wurde erfolgreich verifiziert. Sie k%25C3%25B6nnen nun fortfahren.

Regards AzeS

Edited November 11, 2017 by AzeS
requinix Posted November 12, 2017

All those %25s mean you're URL-encoding the text multiple times. In your case it's three: space becomes %20 (#1), which then becomes %2520 (#2) and then %252520 (#3). Make sure the message is in UTF-8, then URL-encode it once. Your task is to figure out where and why the other two are happening.
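A small diagnostic for the layering requinix describes, added here as an example and not code from the thread. It takes the string captured in the first post, peels off one percent-encoding layer per pass with rawurldecode() until the value stops changing, and reports how many layers there were. It assumes PHP 7.1 or newer; the helper name peelUrlEncoding and the sample value are constructed for this example.

```php
<?php
// Added example (not from the thread): count how many times a query-string
// value was percent-encoded, and show the plain text underneath.
// Assumes PHP 7.1+ (array destructuring) and a UTF-8 source file.

/**
 * Decode $value repeatedly until it stops changing and return
 * [numberOfLayers, plainText]. rawurldecode() is used so a literal '+'
 * in the text is not turned into a space on the way.
 */
function peelUrlEncoding(string $value, int $maxLayers = 10): array
{
    $layers = 0;
    while ($layers < $maxLayers) {
        $decoded = rawurldecode($value);
        if ($decoded === $value) {
            break;                 // no percent-escapes left to decode
        }
        $value = $decoded;
        $layers++;
    }
    return [$layers, $value];
}

// The value seen in the redirected URL in the first post (constructed copy).
$captured = 'Ihre%252520Email%252520wurde%252520erfolgreich%252520verifiziert.'
          . '%252520Sie%252520k%2525C3%2525B6nnen%252520nun%252520fortfahren.';

[$layers, $plain] = peelUrlEncoding($captured);

printf("encoding layers: %d\n", $layers);
// encoding layers: 3   (%252520 -> %2520 -> %20 -> ' ', and %2525C3%2525B6 -> ö)
printf("plain text: %s\n", $plain);
// plain text: Ihre Email wurde erfolgreich verifiziert. Sie können nun fortfahren.
```

This is a diagnostic, not something to put in the request path: a legitimate message that contains a literal "%" would be decoded one time too many, which is exactly the kind of ambiguity that stacked encoding creates. Once the count is known (three here), the fix is to find the two extra encode calls, as the reply above says.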
AzeS (Author) Posted November 13, 2017

Thanks for your fast response, requinix. Can this be caused by meta handlers?

    <meta http-equiv="content-type" content="text/html; charset=utf-8">

Cause the message is sent to three sites: first to the client's mail server, then via the word function to activate.php, and afterwards to the register page.
requinix Posted November 13, 2017

Nope. Somewhere you're calling urlencode or rawurlencode three times when it should be just once. It's also possible the data is messed up like that to start with and you actually need to be decoding it, but that's not my guess. So I guess it comes down to posting the rest of your code? At least where the messages are coming from.
AzeS (Author) Posted November 14, 2017

Yup, here we go...

Execute:

    if (isset($_POST['exe_ema_val'])) {
        // e_proof() takes two parameters (email, code); the pre-check passes an empty code.
        // Note that this runs the full code check, including the "tries" decrement in e_proof().
        if ($crud->e_proof(trim(strip_tags($_POST['usr_dat_ema_for_val'])), '') != "Diese E-Mail wurde bereits verifiziert.") {
            if (!empty($_POST['usr_dat_ema_for_val'])) {
                $_SESSION['xxx'] = array(
                    'usr_usr'     => trim(strip_tags($_POST['usr_dat_nam'])),
                    'usr_ema'     => trim(strip_tags($_POST['usr_dat_ema'])),
                    'usr_pas'     => trim(strip_tags($_POST['usr_dat_pas_pt1'])),
                    'usr_bil_vor' => trim(strip_tags($_POST['usr_dat_adr_bil_fir'])),
                    'usr_bil_nac' => trim(strip_tags($_POST['usr_dat_adr_bil_las'])),
                    'usr_bil_str' => trim(strip_tags($_POST['usr_dat_adr_bil_str'])),
                    'usr_bil_zip' => trim(strip_tags($_POST['usr_dat_adr_bil_zip'])),
                    'usr_bil_cit' => trim(strip_tags($_POST['usr_dat_adr_bil_cit'])),
                    'usr_bil_ema' => trim(strip_tags($_POST['usr_dat_adr_bil_ema'])),
                    'usr_bil_pho' => trim(strip_tags($_POST['usr_dat_adr_bil_pho'])),
                    'usr_bil_con' => trim(strip_tags($_POST['usr_dat_adr_bil_con'])),
                    'usr_adr_vor' => trim(strip_tags($_POST['usr_dat_adr_fir'])),
                    'usr_adr_nac' => trim(strip_tags($_POST['usr_dat_adr_las'])),
                    'usr_adr_str' => trim(strip_tags($_POST['usr_dat_adr_str'])),
                    'usr_adr_zip' => trim(strip_tags($_POST['usr_dat_adr_zip'])),
                    'usr_adr_cit' => trim(strip_tags($_POST['usr_dat_adr_cit'])),
                    'usr_adr_con' => trim(strip_tags($_POST['usr_dat_adr_con'])),
                    'usr_bew'     => trim(strip_tags($_POST['usr_dat_sel_bew']))
                );
                $res = $crud->e_check(trim(strip_tags($_POST['usr_dat_ema_for_val'])), 5);
                $msg = $res;
                /*
                if ($res == 1) {
                    $msg = "Eine email mit einem aktivierungslink wurde ihnen zugestellt.";
                } else {
                    $msg = "Beim sende vorgang der email ist ein fehler unterlaufen, bitte versuchen sie es erneut oder wenden sie sich an den support.";
                }
                */
            } else {
                $msg = "Bitte geben Sie eine gültige Em-Mail-Adresse an!";
            }
        } else {
            $msg = "Diese E-Mail wurde bereits verifiziert.";
        }
    }

Process/send:

    public function e_check($EMAIL, $TYPE) {
        // 5-character activation code; str_shuffle() is not a cryptographic RNG
        $code = substr(str_shuffle(str_repeat("0123456789abcdefghijklmnopqrstuvwxyz", 5)), 0, 5);

        // every header line must end in \r\n, otherwise From and Reply-To run together
        $header  = "MIME-Version: 1.0\r\n";
        $header .= "Content-type: text/html; charset=iso-8859-1\r\n";
        $header .= "From: no-reply@VII7.eu\r\n";
        $header .= "Reply-To: no-reply@VII7.eu\r\n";
        $header .= "X-Mailer: PHP " . phpversion();

        // email and code are percent-encoded once for the link; the scheme is needed for a clickable URL
        $mailtext = "<html>
            <head>
                <title>Ihr Code ist: " . $code . "</title>
                <meta http-equiv='content-type' content='text/html; charset=utf-8'>
            </head>
            <body>
                <h1>Zur Bestätigung klicken Sie den folgenden Link:</h1>
                <a href='https://www.VII7.eu/activate.php?type=" . $TYPE . "&email=" . rawurlencode($EMAIL) . "&code=" . rawurlencode($code) . "'>www.VII7.eu/activate.php</a>
            </body>
            <footer>
                Vollmer Impex imports: +49 (0) 8732 / 37 99 985 Frontenhausenerstr. 9 Marklkofen 84163 DE
            </footer>
        </html>";

        if ($this->send_mail($EMAIL, 'Ihre E-Mail Bestätigung bei VII7.', $mailtext, $header) == 1) {
            $sql = $this->Db->prepare("INSERT INTO e_sys(email,code) VALUES (:e,:f)");
            try {
                $sql->execute(array(':e' => $EMAIL, ':f' => md5($code)));
            } catch (PDOException $ex) {
                $this->report($ex->getMessage());
                return "Es ist ein Fehler unterlaufen. Versuchen Sie es später noch einmal oder wenden Sie sich an den Support.";
            }
            return "Eine E-Mail mit bestätigungslink wurde Ihnen gesendet, bitte überprüfen sie auch Ihren Spam-Ordner.";
        } else {
            $this->report("e_check" . " type sending error");
            return "Es ist ein Fehler unterlaufen. Versuchen Sie es später noch einmal oder wenden Sie sich an den Support.";
        }
    }

Receive:

    <?php
    require_once 'CORE/dbconnect.php';
    ini_set('display_errors', 'Off');
    ob_start();
    session_start();

    if (isset($_GET['type'])) {
        #var_dump(trim(strip_tags($_GET['type'])));
        switch (trim(strip_tags($_GET['type']))) {
            case 5:
                // $_GET values are already URL-decoded by PHP
                $res = $crud->e_proof(trim(strip_tags($_GET['email'])), trim(strip_tags($_GET['code'])));
                #var_dump($res);
                header("Location: Register.php?rmsg=" . $crud->word($res, 'UTF-8'));
                exit();
                break;
            default:
                # code...
                break;
        }
    }
    ?>

Display(MSG):

    if (isset($_GET['rmsg'])) {
        // keep the raw value here; word() trims, strips tags and HTML-escapes once at output
        $msg = $_GET['rmsg'];
    }
    if (isset($msg)) {
        echo "<p>" . $crud->word($msg, 'UTF-8') . "</p>";
    }

Func:word

    public function word($INPT, $ENCODE) {
        // strip tags, trim, undo one "%2520" layer, drop NUL bytes, then HTML-escape once
        return htmlspecialchars(
            str_replace(chr(0), "", str_replace("%2520", " ", trim(strip_tags($INPT)))),
            ENT_QUOTES | ENT_SUBSTITUTE,
            $ENCODE
        );
    }

Thank you for going through all that code, Requinix. That's kind of you.
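The redirect and display steps above are where the encoding discipline matters, so here is the round trip those two steps should make, written as an added example rather than the thread's own code: the message is percent-encoded exactly once when the Location header is built, PHP decodes it exactly once into $_GET, and it is HTML-escaped exactly once when echoed. It assumes PHP 7.1+ and UTF-8 source files; the function names buildRedirectLocation, simulateGet and renderMessage are made up for this example, and simulateGet only stands in for the web server so the script runs from the command line.

```php
<?php
// Added example, not code from the thread: one encode on the way out,
// one decode (done by PHP) on the way in, one HTML escape at output.
// Assumes PHP 7.1+ and a UTF-8 source file.
declare(strict_types=1);

/** Build the redirect target. http_build_query() percent-encodes each value once. */
function buildRedirectLocation(string $message): string
{
    // RFC 3986 encoding turns spaces into %20 rather than '+'
    return 'Register.php?' . http_build_query(['rmsg' => $message], '', '&', PHP_QUERY_RFC3986);
}

/**
 * Stand-in for the web server: parse the query string the way PHP does when
 * it fills $_GET, so the example runs offline. parse_str() decodes once.
 */
function simulateGet(string $location): array
{
    $query = parse_url($location, PHP_URL_QUERY) ?? '';
    parse_str($query, $get);
    return $get;
}

/**
 * What the receiving page does with the $_GET value: no urldecode(), because
 * PHP already decoded it, and htmlspecialchars() once for the HTML context.
 */
function renderMessage(string $rmsg): string
{
    return '<p>' . htmlspecialchars($rmsg, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</p>';
}

$message  = 'Ihre Email wurde erfolgreich verifiziert. Sie können nun fortfahren.';
$location = buildRedirectLocation($message);
echo $location, "\n";
// Register.php?rmsg=Ihre%20Email%20wurde%20erfolgreich%20verifiziert.%20Sie%20k%C3%B6nnen%20nun%20fortfahren.

$get = simulateGet($location);
if ($get['rmsg'] !== $message) {
    throw new RuntimeException('round trip changed the message');
}
echo renderMessage($get['rmsg']), "\n";
// <p>Ihre Email wurde erfolgreich verifiziert. Sie können nun fortfahren.</p>

// The thread's symptom reproduced on purpose: encoding an already-encoded
// value adds a "%25" in front of every escape on each extra pass.
$twice = rawurlencode(rawurlencode($message));
echo $twice, "\n";
// Ihre%2520Email%2520wurde%2520erfolgreich%2520verifiziert.%2520Sie%2520k%25C3%25B6nnen%2520nun%2520fortfahren.
```

In a real page the first echo becomes header('Location: ' . buildRedirectLocation($message)) and $get is simply $_GET. Because the encoding and escaping each happen exactly once, no "%2520" clean-up is needed on the receiving side. If the message never has to be user-controlled, storing it in $_SESSION between the two requests instead of in the URL removes both the encoding question and the reflected query parameter entirely.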
requinix Posted November 14, 2017

Going backwards from the point where the problem is apparent, I see that.

    $res = $crud->e_proof(trim(strip_tags($_GET['email'])), trim(strip_tags($_GET['code'])));

What is the code for e_proof?
AzeS (Author) Posted November 15, 2017

Oh sorry, I thought this section was not relevant, how foolish of me. This code is there to confirm the E-Mail address in the database, so to say: to check the code. ^^'

    public function e_proof($EMAIL, $CODE) {
        $sql = $this->Db->prepare("SELECT * FROM e_sys WHERE email=:e");
        $sql->execute(array(':e' => $EMAIL));
        $res = $sql->fetch(PDO::FETCH_ASSOC);
        // fetch() returns false when no row matches; count(false) is not a "not found" test
        if ($res !== false) {
            if ($res['valid'] == 1) {
                return "Diese E-Mail wurde bereits verifiziert.";
            }
            if ($res['tries'] == 0) {
                return "Diese E-Mail wurde aufgrund des Verdachts von Missbrauch gesperrt. Bitte wenden Sie sich an den Support.";
            }
            // hash_equals() compares as strings in constant time; a loose == would treat
            // two hashes of the form "0e..." as equal numbers
            if (hash_equals((string) $res['code'], md5($CODE))) {
                $sql = $this->Db->prepare("UPDATE e_sys SET valid=:e WHERE email=:f");
                $sql->execute(array(':e' => 1, ':f' => $EMAIL));
                return "Ihre Email wurde erfolgreich verifiziert. Sie können nun fortfahren.";
            } else {
                $sql = $this->Db->prepare("UPDATE e_sys SET tries=:e WHERE email=:f");
                $newtry = $res['tries'] - 1;
                $sql->execute(array(':e' => $newtry, ':f' => $EMAIL));
                $this->report("e_proof" . " error type nomatch.");
                return "Dieser Code stimmt nicht mit dem in unserer Datenbank überein.";
            }
        } else {
            $this->report("e_proof" . " abuse t:notfound POS:url !:REQ:" . $EMAIL . ":CODE:" . $CODE);
            return "Es ist kein Eintrag unter dieser Email vorhanden.";
        }
    }
requinix Posted November 15, 2017

Next, and possibly final, question is about the code for $crud->word().
AzeS (Author) Posted November 16, 2017

Processing rmsg:

    public function word($INPT, $ENCODE) {
        // strip tags, trim, undo one "%2520" layer, drop NUL bytes, then HTML-escape once
        return htmlspecialchars(
            str_replace(chr(0), "", str_replace("%2520", " ", trim(strip_tags($INPT)))),
            ENT_QUOTES | ENT_SUBSTITUTE,
            $ENCODE
        );
    }

Here we go ^^
requinix Posted November 16, 2017

Then I don't see where the encoding is happening: as far as I can tell, the message starts as a hard-coded string and only goes through a couple simple functions before being used in the redirect...
AzeS (Author) Posted November 16, 2017

Release is on November 23rd.
AzeS (Author) Posted November 16, 2017

In case the error is in the .htaccess, I post the code below:

    #DirectoryIndex index.php
    Options +FollowSymLinks -Multiviews
    RewriteEngine On

    RewriteCond %{REQUEST_METHOD} ^TRACE
    RewriteRule ^ - [F]

    # Redirect non-www to www:
    RewriteCond %{HTTP_HOST} !^www\. [NC]
    RewriteRule ^(.*)$ http://www.%{HTTP_HOST}/$1 [R=301,L]

    # Unless directory, remove trailing slash
    RewriteEngine On
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^([^/]+)/$ http://www.vii7.eu/$1 [R=301,L]

    # Redirect external .php requests to extensionless url
    RewriteCond %{THE_REQUEST} ^(.+)\.php([#?][^\ ]*)?\ HTTP/
    RewriteRule ^(.+)\.php$ http://www.vii7.eu/$1 [R=301,L]

    # add extension if the php file exists:
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_FILENAME}\.php -f
    RewriteRule ^(.*)$ $1.php [L]

    # add extension if the png file exists:
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_FILENAME}\.png -f
    RewriteRule ^(.*)$ $1.png [L]

    # add extension if the txt file exists:
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_FILENAME}\.txt -f
    RewriteRule ^(.*)$ $1.txt [L]

    # add extension if the html file exists:
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteCond %{REQUEST_FILENAME}\.html -f
    RewriteRule ^(.*)$ $1.html [L]

    # etc.

    # finally, route to profile.php if all else fails
    #RewriteCond %{REQUEST_FILENAME} !-f
    #RewriteCond %{REQUEST_FILENAME} !-d
    #RewriteRule ^([a-zA-Z0-9-_.]*)$ /profile.php?id=$1 [L]
requinix Posted November 17, 2017

I don't think so. It would have to be in one of the external redirects, and that would be easy to check with browser tools (by watching the network requests). Set up a debugger like XDebug and follow the actual execution to see what's happening. If there's a lot of code then set up a breakpoint at the final line of code (the redirect), run, then look at the call stack and set up breakpoints before each of the function calls.
AzeS (Author, marked as Solution) Posted November 17, 2017

REQUINIX I FOUND IT http://php.net/manual/en/function.urldecode.php
requinix Posted November 17, 2017

Well yes, you can decode it, but wouldn't it be better if you didn't have to? Wouldn't it be better to fix the cause of the problem rather than add more code to hide the fact that it's still there?