Jump to content

Recommended Posts

I have a problem with umlauts in the URL, I know that it probably has something to do with the htacces, but I'm not sure about that; Generally I have a problem with the umlauts. most of it is handled by "str_replace" and under control. As also for the formatting that takes place in normal declarations and outputs, but when i hand over a value by the $_GET handler after forwarding via header location; the problem emerges on a scale that exceeds my knowlege towards this issue;

 

Text before forwarding via header location:Ihre Email wurde erfolgreich verifiziert. Sie können nun fortfahren. #ENG: Your email has been verified, you can now proceed....

(https://www.vii7.eu/Register?rmsg=Ihre Email wurde erfolgreich verifiziert. Sie können nun fortfahren.)

Text after forwarding via header location: Ihre%252520Email%252520wurde%252520erfolgreich%252520verifiziert.%252520Sie%252520k%2525C3%2525B6nnen%252520nun%252520fortfahren.

(https://www.vii7.eu/Register?rmsg=Ihre%252520Email%252520wurde%252520erfolgreich%252520verifiziert.%252520Sie%252520k%2525C3%2525B6nnen%252520nun%252520fortfahren.)

Processing rmsg:
public function word($INPT, $ENCODE) { return htmlspecialchars(str_replace(chr(0), "" , str_replace("%2520", " ", trim(strip_tags($INPT)))), ENT_QUOTES | ENT_SUBSTITUTE, $ENCODE); }

Final Output text:

Ihre Email wurde erfolgreich verifiziert. Sie k%25C3%25B6nnen nun fortfahren.



Regards AzeS Edited by AzeS

Share this post


Link to post
Share on other sites

All those %25s means you're URL-encoding the text multiple times. In your case it's three: space becomes %20 (#1) which then becomes %2520 (#2) and then %252520 (#3).

 

Make sure the message is in UTF-8, then URL-encode it once. Your task is to figure out where and why the other two are happening.

Share this post


Link to post
Share on other sites

Thanks for your fast response requinix,

Can this be caused by meta Handlers ?

 <meta http-equiv="content-type" content="text/html; charset=utf-8">

Cause the message is sent to three sites; first to the clients mail server then via the word function to the activate.php and afterwards to the register page.

Share this post


Link to post
Share on other sites

Nope. Somewhere you're calling urlencode or rawurlencode three times when it should be just once. It's also possible the data is messed up that like to start with and you actually need to be decoding it, but that's not my guess.

 

So I guess it comes down to posting the rest of your code? At least where the messages are coming from.

Share this post


Link to post
Share on other sites

Yup, here we go...

Execute:

if (isset($_POST['exe_ema_val'])) {
              if ($crud->e_proof(trim(strip_tags($_POST['usr_dat_ema_for_val']))) != "Diese E-Mail wurde bereits verifiziert.") {
                if (!empty($_POST['usr_dat_ema_for_val'])) {
              $_SESSION['xxx'] = array('usr_usr' => trim(strip_tags($_POST['usr_dat_nam'])),
                                             'usr_ema' => trim(strip_tags($_POST['usr_dat_ema'])),
                                             'usr_pas' => trim(strip_tags($_POST['usr_dat_pas_pt1'])),
                                             'usr_bil_vor' => trim(strip_tags($_POST['usr_dat_adr_bil_fir'])),
                                             'usr_bil_nac' => trim(strip_tags($_POST['usr_dat_adr_bil_las'])),
                                             'usr_bil_str' => trim(strip_tags($_POST['usr_dat_adr_bil_str'])),
                                             'usr_bil_zip' => trim(strip_tags($_POST['usr_dat_adr_bil_zip'])),
                                             'usr_bil_cit' => trim(strip_tags($_POST['usr_dat_adr_bil_cit'])),
                                             'usr_bil_ema' => trim(strip_tags($_POST['usr_dat_adr_bil_ema'])),
                                             'usr_bil_pho' => trim(strip_tags($_POST['usr_dat_adr_bil_pho'])),
                                             'usr_bil_con' => trim(strip_tags($_POST['usr_dat_adr_bil_con'])),
                                             'usr_adr_vor' => trim(strip_tags($_POST['usr_dat_adr_fir'])),
                                             'usr_adr_nac' => trim(strip_tags($_POST['usr_dat_adr_las'])),
                                             'usr_adr_str' => trim(strip_tags($_POST['usr_dat_adr_str'])),
                                             'usr_adr_zip' => trim(strip_tags($_POST['usr_dat_adr_zip'])),
                                             'usr_adr_cit' => trim(strip_tags($_POST['usr_dat_adr_cit'])),
                                             'usr_adr_con' => trim(strip_tags($_POST['usr_dat_adr_con'])),
                                             'usr_bew' => trim(strip_tags($_POST['usr_dat_sel_bew'])));
              $res = $crud->e_check(trim(strip_tags($_POST['usr_dat_ema_for_val'])),5);
              $msg = $res;
           /*   if ($res == 1) {
                    $msg = "Eine email mit einem aktivierungslink wurde ihnen zugestellt.";
                  } else {
                    $msg = "Beim sende vorgang der email ist ein fehler unterlaufen, bitte versuchen sie es erneut oder wenden sie sich an den support.";
                  } */ 
              } else{
                $msg = "Bitte geben Sie eine gültige Em-Mail-Adresse an!";
              }
              } else {
                $msg = "Diese E-Mail wurde bereits verifiziert.";
              }
              
   
}

Process/send:

public function e_check($EMAIL,$TYPE) {
	$code = substr(str_shuffle(str_repeat("0123456789abcdefghijklmnopqrstuvwxyz", 5)), 0, 5);
	$header  = "MIME-Version: 1.0\r\n";
	$header .= "Content-type: text/html; charset=iso-8859-1\r\n";
	$header .= "From: no-reply@VII7.eu";
	$header .= "Reply-To: no-reply@VII7.eu\r\n";
	$header .= "X-Mailer: PHP ". phpversion();
	$mailtext = "<html>
		<head>
    		<title>Ihr Code ist: " . $code . "</title>
    		<meta http-equiv='content-type' content='text/html; charset=utf-8'>
		</head>
		<body>
 			<h1>Zur Bestätigung klicken Sie den folgenden Link:</h1>
 			<a href='www.VII7.eu/activate.php?type=" . $TYPE . "&email=" . $EMAIL . "&code=" . $code . "'>www.VII7.eu/activate.php</a>
		</body>
		<footer>
		Vollmer Impex imports:
		+49 (0) 8732 / 37 99 985
		Frontenhausenerstr. 9
		Marklkofen 84163
		DE
		</footer>
		</html>
		";
	if ($this->send_mail($EMAIL,'Ihre E-Mail Bestätigung bei VII7.',$mailtext,$header) == 1) {
	$sql = $this->Db->prepare("INSERT INTO e_sys(email,code) VALUES (:e,:f)");
	try {
	$sql->execute(array(':e' => $EMAIL, ':f' => md5($code)));
	} catch (PDOException $ex) {
 				$this->report($ex->getMessage());
 				return "Es ist ein Fehler unterlaufen. Versuchen Sie es später noch einmal oder wenden Sie sich an den Support.";	
 	}	
	return "Eine E-Mail mit bestätigungslink wurde Ihnen gesendet, bitte überprüfen sie auch Ihren Spam-Ordner.";
	} else {
		$this->report("e_check" . " type sending error");
		return "Es ist ein Fehler unterlaufen. Versuchen Sie es später noch einmal oder wenden Sie sich an den Support.";	
	}

}

Recieve:

<?php  
require_once 'CORE/dbconnect.php';
 ini_set('display_errors', 'Off');  
 ob_start();
 session_start();
if (isset($_GET['type'])) {
	#var_dump(trim(strip_tags($_GET['type'])));
	switch (trim(strip_tags($_GET['type']))) {
				case 5: 
					$res = $crud->e_proof(trim(strip_tags($_GET['email'])),trim(strip_tags($_GET['code'])));
					#var_dump($res);
					header("Location: Register.php?rmsg=" . $crud->word($res, 'UTF-8'));
					exit();
					break;
				default:
					# code...
					break;
			}		
}
?>

Display(MSG):

   if ( isset($_GET['rmsg']) ) {
    $msg = $crud->word(trim(strip_tags($_GET['rmsg'])), 'UTF-8');
   }
 
      if (isset($msg)) {
        echo "<p>" . $crud->word($msg, 'UTF-8') . "</p>";
      }
 

Func:word
 

public function word($INPT, $ENCODE) { return htmlspecialchars(str_replace(chr(0), "" , str_replace("%2520", " ", trim(strip_tags($INPT)))), ENT_QUOTES | ENT_SUBSTITUTE, $ENCODE); }

Thank you for going through all that code Requinix, Thats kind from you.

Share this post


Link to post
Share on other sites

Going backwards from the point where the problem is apparent, I see

$res = $crud->e_proof(trim(strip_tags($_GET['email'])),trim(strip_tags($_GET['code'])));
that. What is the code for e_proof?

Share this post


Link to post
Share on other sites

Oh sorry, I thought this section was not relevant, how foolish of me, this code is there to confirm the E-Mailadress in the database. so to Say: to check the code. ^^'

 

public function e_proof($EMAIL,$CODE) {
	$sql = $this->Db->prepare("SELECT * FROM e_sys WHERE email=:e");
	$sql->execute(array(':e' => $EMAIL));
	$res = $sql->fetch(PDO::FETCH_ASSOC);
	if (count($res)) {
		if ($res['valid'] == 1) {
			return "Diese E-Mail wurde bereits verifiziert.";
		}
		if ($res['tries'] == 0) {
			return "Diese E-Mail wurde aufgrund des Verdachts von Missbrauch gesperrt. Bitte wenden Sie sich an den Support.";
		}
		if ($res['code'] == md5($CODE)) {
			$sql = $this->Db->prepare("UPDATE e_sys SET valid=:e WHERE email=:f");
			$sql->execute(array(':e' => 1, ':f' => $EMAIL));
			return "Ihre Email wurde erfolgreich verifiziert. Sie können nun fortfahren.";
		} else {
			$sql = $this->Db->prepare("UPDATE e_sys SET tries=:e WHERE email=:f");
			$newtry = $res['tries'] - 1;
			$sql->execute(array(':e' => $newtry, ':f' => $EMAIL));
			$this->report("e_proof" . " error type nomatch.");
			return "Dieser Code stimmt nicht mit dem in unserer Datenbank überein.";
			
		}
	} else {
		$this->report("e_proof" . " abuse t:notfound POS:url !:REQ:" . $EMAIL . ":CODE:" . $CODE);
		return "Es ist kein Eintrag unter dieser Email vorhanden.";	
	}

}

Share this post


Link to post
Share on other sites

Next, and possibly final, question is about the code for $crud->word().

Share this post


Link to post
Share on other sites

 

Processing rmsg:

public function word($INPT, $ENCODE) { return htmlspecialchars(str_replace(chr(0), "" , str_replace("%2520", " ", trim(strip_tags($INPT)))), ENT_QUOTES | ENT_SUBSTITUTE, $ENCODE); }

Here we go ^^

Share this post


Link to post
Share on other sites

Then I don't see where the encoding is happening: as far as I can tell, the message starts as a hard-coded string and only goes through a couple simple functions before being used in the redirect...

Share this post


Link to post
Share on other sites

In case that the error is in the htaccess i post the code below: 

 

#DirectoryIndex index.php
Options +FollowSymLinks -Multiviews
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^TRACE
RewriteRule ^ - [F]


# Redirect non-www to www:
RewriteCond %{HTTP_HOST} !^www\. [NC]
RewriteRule ^(.*)$ http://www.%{HTTP_HOST}/$1 [R=301,L]


# Unless directory, remove trailing slash
RewriteEngine On
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule ^([^/]+)/$ http://www.vii7.eu/$1 [R=301,L]

# Redirect external .php requests to extensionless url
RewriteCond %{THE_REQUEST} ^(.+)\.php([#?][^\ ]*)?\ HTTP/
RewriteRule ^(.+)\.php$ http://www.vii7.eu/$1 [R=301,L]

# add extension if the php file exists:
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME}\.php -f
RewriteRule ^(.*)$ $1.php [L]

# add extension if the png file exists:
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME}\.png -f
RewriteRule ^(.*)$ $1.png [L]

# add extension if the txt file exists:
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME}\.txt -f
RewriteRule ^(.*)$ $1.txt [L]

# add extension if the html file exists:
RewriteCond %{REQUEST_FILENAME} !-d
RewriteCond %{REQUEST_FILENAME}\.html -f
RewriteRule ^(.*)$ $1.html [L]

# etc.

# finally, route to profile.php if all else fails
#RewriteCond %{REQUEST_FILENAME} !-f
#RewriteCond %{REQUEST_FILENAME} !-d
#RewriteRule ^([a-zA-Z0-9-_.]*)$ /profile.php?id=$1 [L]

Share this post


Link to post
Share on other sites

I don't think so. It would have to be in one of the external redirects, and that would be easy to check with browser tools (by watching the network requests).

 

Set up a debugger like XDebug and follow the actual execution to see what's happening. If there's a lot of code then set up a breakpoint at the final line of code (the redirect), run, then look at the call stack and set up breakpoints before each of the function calls.

Share this post


Link to post
Share on other sites

Well yes, you can decode it, but wouldn't it be better if you didn't have to? Wouldn't it be better to fix the cause of the problem rather than add more code to hide the fact that it's still there?

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.