How to prevent %20 from being passed

[ERuiz]

I am passing a URL variable which is a username, but since the username includes a first and last name separated by a space, the url being passed looks like this:

/login.php?btnSubmit=Login&username=Efrain%20Ruiz

The space is being converted to %20 before it reaches login.php, so the script is giving a user not found error.

How can I prevent %20 from being added? Or is there a way for the login.php file to strip that %20 before it accepts the username variable?

Regards,

ERuiz

[Jessica]

url_decode

[ERuiz]

Thanks for the reply, Jesirose. But, how would I implement that url_decode? Sorry for my ignorance...  :-\

[trq]

[code=php:0]
$username = url_decode($_GET['username']);
[/code]

[ERuiz]

[quote author=thorpe link=topic=122208.msg503830#msg503830 date=1168664395]
[code=php:0]
$username = url_decode($_GET['username']);
[/code]
[/quote]

Hi Thorpe,

Ok, here is the code which I believe gets the username from the URL:

[code]if(@$_REQUEST["username"] || @$_GET["username"])
$smarty->assign("value_username","value=\"".htmlspecialchars(postvalue("username"))."\"");
else
$smarty->assign("value_username","value=\"".htmlspecialchars(refine(@$_COOKIE["username"]))."\"");[/code]

How would I employ this url_decode into this?

Thanks!

ERuiz

[trq]

Honestly... if you didn't write the code your in the wrong place. Here...

[code=php:0]
$smarty->assign("value_username","value=\"".htmlspecialchars(postvalue(url_decode("username")))."\"");
[/code]

[ERuiz]

Thorpe,

I gave it a try and it didn't work. And honestly, I am way out of my league here! hahahaahah Sorry to bother you guys, but I just wanted to get this script working as I needed it to.

Don't want to take a look at the whole code snippet and see what is wrong? It's ok if you say no, I won't mind...  :)

[trq]

We'd need to see the postvalue() function as that is not a native php function. Find it, and post it. It'll look something like...

[code=php:0]
function postvalue ($str) {
  // contents
}
[/code]

it might not be within the script itself, but one of the includes.

[ERuiz]

Here is the entire code for the login.php file. I looked at a file called dbconnection which has all function calls and no reference is made to postvalues.

[code]
<?php
ini_set("display_errors","1");
ini_set("display_startup_errors","1");
set_magic_quotes_runtime(0);

include("include/dbcommon.php");

if(@$_REQUEST["a"]=="logout" || @$_GET["a"]=="logout")
{
session_unset();
setcookie("username","",time()-365*1440*60);
setcookie("password","",time()-365*1440*60);
header("Location: login.php");
exit();
}
if(!@$_SESSION["MyURL"])
session_unset();

include('libs/Smarty.class.php');
$smarty = new Smarty();


$myurl=@$_SESSION["MyURL"];
unset($_SESSION["MyURL"]);

$defaulturl="";
$defaulturl="pirep_list.php";




$strMessage="";

if(@$_COOKIE["username"] || @$_COOKIE["password"])
$smarty->assign("checked"," checked");

if (@$_REQUEST["btnSubmit"] == "Login")
{
if(@$_REQUEST["remember_password"] == 1)
{
setcookie("username",postvalue("username"),time()+365*1440*60);
setcookie("password",postvalue("password"),time()+365*1440*60);
$smarty->assign("checked"," checked");
}
else
{
setcookie("username","",time()-365*1440*60);
setcookie("password","",time()-365*1440*60);
$smarty->assign("checked","");
}
//  username and password are stored in the database
$conn=db_connect();
$strUsername = (string)postvalue("username");
$strPassword = (string)postvalue("password");
$sUsername=$strUsername;
$sPassword=$strPassword;
$rstemp=db_query("select * from `jos_users` where 1=0",$conn);

if(FieldNeedQuotes($rstemp,$cUserNameField))
$strUsername="'".db_addslashes($strUsername)."'";
else
$strUsername=(0+$strUsername);
if(FieldNeedQuotes($rstemp,$cPasswordField))
$strPassword="'".db_addslashes($strPassword)."'";
else
$strPassword=(0+$strPassword);
$strSQL = "select * from `jos_users` where ".AddFieldWrappers($cUserNameField).
"=".$strUsername." and ".AddFieldWrappers($cPasswordField).
"=".$strPassword;
if(function_exists("BeforeLogin"))
if(!BeforeLogin(postvalue("username"),postvalue("password")))
$strSQL="select * from `jos_users` where 1<0";

$rs=db_query($strSQL,$conn);
$data=db_fetch_array($rs);
  if($data && @$data[$cUserNameField]==$sUsername && @$data[$cPasswordField]==$sPassword)
{
$_SESSION["UserID"] = postvalue("username");
  $_SESSION["AccessLevel"] = ACCESS_LEVEL_USER;
$_SESSION["OwnerID"] = $data["id"];
$_SESSION["GroupID"] = "";
if(function_exists("AfterSuccessfulLogin"))
AfterSuccessfulLogin();
if($myurl)
header("Location: ".$myurl);
else
header("Location: ".$defaulturl);
return;
  }
else
{
if(function_exists("AfterUnsuccessfulLogin"))
AfterUnsuccessfulLogin();
$strMessage = "Invalid Login";
}
}

$_SESSION["MyURL"]=$myurl;
if($myurl)
$smarty->assign("url",$myurl);
else
$smarty->assign("url",$defaulturl);


if(@$_REQUEST["username"] || @$_GET["username"])
$smarty->assign("value_username","value=\"".htmlspecialchars(postvalue("username"))."\"");
else
$smarty->assign("value_username","value=\"".htmlspecialchars(refine(@$_COOKIE["username"]))."\"");


if(@$_REQUEST["password"])
$smarty->assign("value_password","value=\"".htmlspecialchars(postvalue("password"))."\"");
else
$smarty->assign("value_password","value=\"".htmlspecialchars(refine(@$_COOKIE["password"]))."\"");


if(@$_GET["message"]=="expired")
$strMessage = "Your session has expired. Please login again.";


$smarty->assign("message",$strMessage);

$smarty->display("login.htm");
?>
[/code]

[ERuiz]

Here is the info! It was in a file called commonfunctions.php  ;)

[code]

// return refined POST or GET value - single value or array
function postvalue($name)
{
if(array_key_exists($name,$_POST))
$value=$_POST[$name];
else if(array_key_exists($name,$_GET))
$value=$_GET[$name];
else
return "";
if(!is_array($value))
return refine($value);
$ret=array();
foreach($value as $key=>$val)
$ret[$key]=refine($val);
return $ret;
}

[/code]

[ERuiz]

This code appears BEFORE the code above:

[code]// refine value passed by POST or GET method
function refine($str)
{
$ret=$str;
if(get_magic_quotes_gpc())
$ret=stripslashes($str);
return html_special_decode($ret);
}[/code]