Codeigniter - htmlspecialchars() on input not working - codeigniter

I'm using htmlspecialchars() on the input field for the user last name to prevent XSS, but it's not working.
Let's say $user_data->user_last_name is my user last name, so I did:
htmlspecialchars( $user_data->user_last_name, ENT_QUOTES, 'UTF-8' );
When I try to save the user last name as 'Lastname<script>alert("xss")</script>', I get a JS alert with the 'xss' message.
Any clue maybe?

Try this, it may work:
$string = htmlentities($user_data->user_last_name, ENT_QUOTES, 'ISO-8859-15');
When retrieving the input you should use:
$value = $this->input->post('input_name', true);
Here, true will clean the input value of XSS.

It works, but the output is interpreted by your browser as HTML. Put this line above your code to see the real output:
<?php
header('Content-Type: text/plain');
?>
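An added example, not code from the question or from either answer, showing where the escaping has to happen. htmlspecialchars() returns a new string and leaves its argument untouched, so a bare call like the one in the question changes nothing; and the escaped string belongs at the point where the value is written into HTML (the view), not at input time. The helper name h(), the stdClass stand-in for $user_data and the sample last name are constructed for this example.

```php
<?php
// Added example (not code from the question or the answers): escape at output
// time and actually use the return value. h() and the sample object are
// constructed for this example.

// Escapes a value for insertion into HTML text or a double-/single-quoted
// attribute. ENT_QUOTES covers both quote styles; ENT_SUBSTITUTE replaces
// invalid UTF-8 with U+FFFD instead of returning '' (which would silently
// blank the field). CodeIgniter 3's html_escape() does the same job.
function h($value)
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Renders the profile fragment; every dynamic value passes through h() here,
// at the point it is written into markup, whatever was done at input time.
function render_last_name($last_name)
{
    return '<p>Last name: ' . h($last_name) . "</p>\n"
         . '<input type="text" name="user_last_name" value="' . h($last_name) . "\">\n";
}

$user_data = new stdClass();
$user_data->user_last_name = 'Lastname<script>alert("xss")</script>';

// The call from the question, as written: htmlspecialchars() does not modify
// its argument, so without an assignment nothing changes.
htmlspecialchars($user_data->user_last_name, ENT_QUOTES, 'UTF-8');
var_dump($user_data->user_last_name === 'Lastname<script>alert("xss")</script>'); // bool(true)

// What the browser receives: the payload is inert text, and it also cannot
// break out of the value="..." attribute because the double quotes are encoded.
echo render_last_name($user_data->user_last_name);
// <p>Last name: Lastname&lt;script&gt;alert(&quot;xss&quot;)&lt;/script&gt;</p>
// <input type="text" name="user_last_name" value="Lastname&lt;script&gt;alert(&quot;xss&quot;)&lt;/script&gt;">
```

The xss_clean filter behind $this->input->post('name', true) rewrites the input to neutralise patterns it knows about; it is a filter, not an encoder, and it alters the stored data. Storing the raw value and escaping on output keeps the data intact and works for every place htmlspecialchars() is designed for (HTML text and attribute values); values written into URLs or JavaScript need their own encoders.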

Related

Codeigniter %B4 how to validate/filter

I am having an issue where, if a POST variable has %B4 in it, it is urldecoded into a character that cannot be saved into the database without an error (even if I access it via $_POST).
What is the best way to validate a field so these chars. cannot be saved?
I think that maybe preg_match can help you.
<?php
// Matches "def" at the start of $subject once the first three characters are skipped
$subject = "abcdef";
$pattern = '/^def/';
preg_match($pattern, substr($subject, 3), $matches, PREG_OFFSET_CAPTURE);
print_r($matches);
?>
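%B4 decodes to the single byte 0xB4, which is the acute accent (´) in ISO-8859-1 but is not a valid UTF-8 sequence on its own, so a UTF-8 database connection rejects it. The example below is added here and is not part of the answer: it checks a submitted field with mb_check_encoding() and either refuses it or, if you prefer, reinterprets the bytes as ISO-8859-1 and converts them. The function names and the sample inputs are constructed.

```php
<?php
// Added example: validate that a submitted field is well-formed UTF-8 before
// it reaches the database. Function names and inputs are constructed here.

// Returns true when $value is valid UTF-8 (the empty string counts as valid).
function is_valid_utf8($value)
{
    return mb_check_encoding($value, 'UTF-8');
}

// Strict policy: refuse the value (null). Lenient policy: treat the bytes as
// ISO-8859-1, where 0xB4 is the acute accent, and convert them to UTF-8.
function normalise_utf8($value, $lenient = false)
{
    if (is_valid_utf8($value)) {
        return $value;
    }
    if (!$lenient) {
        return null; // caller treats null as a validation failure
    }
    // Every single byte maps to one code point, so the result is always valid
    // UTF-8; 0xB4 becomes U+00B4, encoded as C2 B4.
    return mb_convert_encoding($value, 'UTF-8', 'ISO-8859-1');
}

// urldecode('%B4') is what PHP already did to the raw body when it filled
// $_POST, so these values mirror what the question sees in $_POST.
$samples = array(
    'plain ascii'         => 'hello',
    'valid utf-8 accent'  => "caf\xC3\xA9",        // café
    'lone %B4 byte'       => urldecode('caf%B4'),  // "caf\xB4"
    'truncated multibyte' => "caf\xC3",
);

foreach ($samples as $label => $value) {
    $strict  = normalise_utf8($value);
    $lenient = normalise_utf8($value, true);
    printf("%-20s valid=%-3s strict=%-12s lenient=%s\n",
        $label,
        is_valid_utf8($value) ? 'yes' : 'no',
        $strict === null ? 'REJECT' : bin2hex($strict),
        bin2hex($lenient));
}
// lone %B4 byte        valid=no  strict=REJECT       lenient=636166c2b4
```

In a CodeIgniter form_validation rule set, is_valid_utf8() would sit behind a controller callback (a name such as callback_valid_utf8 is an assumption, not a CI built-in) so the request is rejected with a normal validation error instead of a database exception.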

Passing parameters through URL in CodeIgniter

I'm having a problem regarding passing a parameter from the URL. The function I use sometimes gives the correct result and sometimes not.
Here are my controller functions:
public function link_gen()
{
    $text = "i have lost my password please help me";
    $encrypted_text = $this->encrypt->encode($text);
    $encrypted_url = urlencode($encrypted_text);
    echo $encrypted_url . br();
    echo br() . $this->retrive(urldecode($encrypted_url));
    echo anchor('encryption/ret_back?username=' . $encrypted_url, 'click me');
    // echo anchor('encryption/ret_back/' . $encrypted_url, 'click me');
}

public function ret_back()
{
    // echo br() . $this->retrive(urldecode($str));
    $user = $this->input->get('username');
    echo br() . $this->retrive(urldecode($user));
    echo $user . br();
    echo "hellooooo" . br();
}
For the sake of testing I'm encrypting a text, then encoding it for the URL using urlencode(), then I pass this string to another function through the URL, decode the string from the URL using urldecode(), and then decode the text. But when I run this, sometimes the decoded text appears and sometimes it does not.
Can anybody tell me the reason and solution for this?
I want to use this in a 'forgot password' module.
It depends on how you create your links and how you retrieve the data from the URL.
Anyway, these are simple examples to get URL data:
get from $_GET[] (http://site.com/?q=hello+world)
in this case you get the param q with echo $this->input->get('q',true);
get data from URI segments (http://site.com/id/230)
in this case you get the id value via echo $this->uri->segment(2);
Then, if the data exists in the URL it is not possible that the system didn't get it, so be sure the data is in your URL when opening it.
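An added example, not the poster's code, that reproduces the intermittent failure. PHP URL-decodes the query string once when it builds $_GET, and $this->input->get() reads from $_GET, so by the time ret_back() runs the value is already decoded; the second urldecode() in ret_back() turns every '+' into a space. CodeIgniter 2's $this->encrypt->encode() returns base64, whose alphabet includes '+', so the text is corrupted exactly when the ciphertext happens to contain one. The tokens below are constructed stand-ins for that base64 output.

```php
<?php
// Added example (not the original poster's code): why the decoded text shows
// up only sometimes. PHP URL-decodes the query string once when it builds
// $_GET, and $this->input->get() reads from $_GET; a second urldecode() turns
// every '+' into a space. The tokens below are constructed stand-ins for the
// base64 text that CodeIgniter 2's $this->encrypt->encode() returns.

// What PHP does with the part after '?' before any controller code runs.
function simulate_php_get($query_string)
{
    parse_str($query_string, $get);   // parse_str() URL-decodes keys and values
    return $get;
}

// link_gen(): urlencode() turns '+', '/' and '=' into %2B, %2F and %3D.
function build_link($token)
{
    return 'encryption/ret_back?username=' . urlencode($token);
}

// ret_back() as posted: decodes the already-decoded value a second time.
function ret_back_double_decode(array $get)
{
    return urldecode($get['username']);
}

// ret_back() fixed: the value from $_GET is used as is.
function ret_back_once(array $get)
{
    return $get['username'];
}

// URL-safe variant for values that must also live in a URI segment (the
// commented-out anchor in the post): swap '+' and '/' for '-' and '_' and
// drop the '=' padding; none of those characters is touched by urldecode().
function base64url_encode($bin) { return rtrim(strtr(base64_encode($bin), '+/', '-_'), '='); }
function base64url_decode($str) { return base64_decode(strtr($str, '-_', '+/')); }

$tokens = array(
    'no plus sign'    => 'abc/DEF123==',
    'contains a plus' => 'ab+cdEF/ghij',
    'base64url'       => base64url_encode(base64_decode('ab+cdEF/ghij')),  // ab-cdEF_ghij
);

foreach ($tokens as $label => $token) {
    $link  = build_link($token);
    $get   = simulate_php_get(substr($link, strpos($link, '?') + 1));
    $once  = ret_back_once($get);
    $twice = ret_back_double_decode($get);
    printf("%-16s %s\n  decoded once : %s (%s)\n  decoded twice: %s (%s)\n",
        $label, $link,
        $once,  $once  === $token ? 'ok' : 'CORRUPT',
        $twice, $twice === $token ? 'ok' : 'CORRUPT');
}
// "contains a plus" decoded twice prints ab cdEF/ghij (CORRUPT); the others
// survive both paths.
```

Since '+' is one of the 64 base64 symbols, a token a few dozen characters long contains one roughly half the time, which is what makes the bug look random. For the forgot-password module the post mentions, the value in the link should be an unguessable random token (for example bin2hex(random_bytes(32)) on PHP 7 or later) stored server-side with an expiry; hex needs no encoding at all, and the server decides validity by lookup rather than by decrypting a readable sentence.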

var_dump says String of 75 characters, can't echo it and doesn't json_decode()

I am posting some data to a PHP page with AJAX, but I can't decode it. json_decode() returned NULL. So I figured that if I echoed it I could run it through jsonlint. But nothing showed up. To find out whether the data reaches the PHP page I tried to var_dump() the data. Strangely enough, it showed:
string(75) "{\"title\":\"fds\",\"body\":\"fds\",\"tags\":\"fds\",\"type\":\"question\"}"
So the data reaches the page. I ran it through jsonlint after removing the backslashes and it said the JSON was valid. How is this possible?
I got a valid JSON string of 75 characters according to var_dump() and jsonlint, but I can't echo it or json_decode() it.
EDIT:
Apparently I did something wrong, I can echo it now (I probably made a typo in the $_POST array key). It echoes this:
{\"title\":\"tre\",\"body\":\"tre\",\"tags\":\"tre\",\"type\":\"question\"}
Once again, without backslashes JSONLint tells me it is valid JSON.
EDIT 2:
Here's the PHP code:
// code to check if the user is logged in
$post = json_decode($_POST['q']);
echo "var_dump(\$_POST['q']): ";
var_dump($_POST['q']);
echo "<BR /><BR />";
echo "var_dump(\$post): ";
var_dump($post);
Output:
var_dump($_POST['q']): string(74) "{\"title\":\"gfd\",\"body\":\"gf\",\"tags\":\"gfd\",\"type\":\"question\"}"
var_dump($post): NULL
JS code:
var simpleObj = {title: "rew", body: "rew", tags: "rew", type: "question"};
$.post('savepost.php', "q=" + JSON.stringify(simpleObj), function(data) {
$('#resultDiv').html("DATA: " + data);
});
Final edit:
I finally solved it myself. I actually discovered the problem even before I asked, but thought it was 'harmless' and didn't think that could cause this problem.
I found out the answer! When I ran it through jsonlint.com it said it was invalid because of the backslashes. I thought these were just there to mark the quotes in the JSON as normal quotes, not string ending and starting quotes and I thought they were 'harmless'.
I then thought of the function addslashes(), and figured there should be a reversed one too. I found stripslashes() and that solved the problem.
New code:
// code to check if the user is logged in
$post = json_decode(stripslashes($_POST['q']));
echo "var_dump(\$_POST['q']): ";
var_dump($_POST['q']);
echo "<BR /><BR />";
echo "var_dump(\$post): ";
var_dump($post);
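An added example, not part of the question or its edits, on where the backslashes come from and when stripslashes() is safe. The backslashes are produced by magic_quotes_gpc (PHP before 5.4), which runs addslashes() on every $_GET, $_POST and $_COOKIE value. stripslashes() is the exact inverse of addslashes(), so it is correct only on a server where magic quotes actually ran; on any other server it destroys legitimate JSON escapes such as \n or \". The sample request body and the two simulated servers are constructed.

```php
<?php
// Added example, not from the question: the backslashes in $_POST['q'] come
// from magic_quotes_gpc (PHP < 5.4), which runs addslashes() on every request
// value. stripslashes() is the exact inverse of addslashes(), so it is correct
// only when magic quotes really ran; on a server without them it destroys
// legitimate JSON escapes. Decode conditionally and check json_last_error().

// Returns true when the running PHP applied magic quotes to request data.
function magic_quotes_active()
{
    // get_magic_quotes_gpc() is deprecated in 7.4 and gone in 8.0; on those
    // versions magic quotes never existed, so the answer is simply false.
    return function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
}

// $raw is the request value; $quoted says whether addslashes() was applied to it.
// In a real request: decode_json_field($_POST['q'], magic_quotes_active()).
function decode_json_field($raw, $quoted)
{
    if ($quoted) {
        $raw = stripslashes($raw);
    }
    $data = json_decode($raw, true);
    if (json_last_error() !== JSON_ERROR_NONE) {
        return array('ok' => false, 'error' => json_last_error_msg(), 'data' => null);
    }
    return array('ok' => true, 'error' => null, 'data' => $data);
}

// What the browser sent (constructed): a body with a newline and a quote,
// which JSON.stringify() encodes as \n and \" inside the JSON string.
$sent = '{"title":"t","body":"line1\nsay \"hi\"","type":"question"}';

// Two servers: one with magic quotes on (what the poster had), one without.
$as_received = array(
    'magic quotes on'  => array('raw' => addslashes($sent), 'quoted' => true),
    'magic quotes off' => array('raw' => $sent,             'quoted' => false),
);

foreach ($as_received as $server => $req) {
    $checked = decode_json_field($req['raw'], $req['quoted']);
    $naive   = decode_json_field($req['raw'], true);   // unconditional stripslashes()
    printf("%s\n  raw          : %s\n  checked      : %s\n  always strip : %s\n",
        $server, $req['raw'],
        $checked['ok'] ? var_export($checked['data']['body'], true) : 'ERROR ' . $checked['error'],
        $naive['ok']   ? var_export($naive['data']['body'], true)   : 'ERROR ' . $naive['error']);
}
// With magic quotes off, "always strip" turns \n into n and \" into ", and
// json_decode() reports a syntax error; "checked" decodes correctly on both.
```

On the client side, passing an object to jQuery ($.post('savepost.php', {q: JSON.stringify(simpleObj)}, ...)) lets jQuery URL-encode the value; the string form "q=" + JSON.stringify(simpleObj) sends any &, + or % inside the JSON raw, which would split or mangle the parameter as soon as a title contains one.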

passing a large string through url in codeigniter

How do I pass a large string as a variable in CodeIgniter? I am trying to show the user an article; if the article has more than 800 characters and fewer than 3044 characters I show it in a jQuery pop-up window, and if the article has more than 3044 characters I want to pass the article body and title through the URL to a controller function.
Here is what I have tried:
<?php
if (strlen($home_content[1]['content']) > 800 && strlen($home_content[1]['content']) < 3044)
{
    $substr = substr($home_content[1]['content'], 0, 786);
    echo $substr . '<p id="button"><i>read more...</i></p>';
}
else if (strlen($home_content[1]['content']) < 800)
{
    echo $home_content[1]['content'];
}
else
{
    $substr = substr($home_content[1]['content'], 0, 786);
    echo $substr . '<br/>';
    echo anchor('site/read_article/' . $home_content[1]['title'] . $home_content[1]['content'], '<i>read more...</i>');
}
?>
and this is the url after passing the data:
http://192.168.1.111/my_project/site/read_article/title%20mid%20left%3Cp%3Etesttesthave%20already%20arrivesafOnly%20True%20Light,%20reflected%20in%20a%20True%20Mirror,%20can%20come%20to%20lBut%20we%20have%20already%20arrivesafOnly%20True%20Light,%20reflected%20in%20a%20True%20Mirror,%20can%20come%20to%20life.ife.testtesthave%20already%20arrivesafOnly%20True%20Light,%20reflected%20in%20a%20True%20Mirror,%20can%20come%20to%20lBut%20we%20have%20already%20arrivesafOnly%20True%20Light,%20reflected%20in%20a%20True%20Mirror,%20can%20come%20to%20life.ife.testtesthave%20already%20arrivesafOnly%20True%20Light,%20reflected%20in%20a%20True%20Mirror,%20can%20come%20to%20lBut%20we%20have%20already%20arrivesafOnly%20True%20Light,%20reflected%20in%20a%20True%20Mirror,%20can%20come%20to%20life.ife.testtesthave%20already%20arrivesafOnly%20True%20Light,%20reflected%20in%20a%20True%20Mirror,%20can%20come%20to%20lBut%20we%20have%20already%20arrivesafOnly%20True%20Light,%20reflected%20in%20a%20True%20Mirror,%20can%20come%20to%20lifesafOnly%20True%20Light,%20reflected%20in%20a%20True%20Mirror,%20can%20come%20to%20life.ife.testtesthave%20already%20arrivesafOnly%20True%20Light,%20reflected%20in%20a%20True%20Mirror,%20can%20come%20to%20lBut%20we%20have%20already%20arrivesafOnly%20True%20Light,%20reflected%20in%20a%20True%20Mirror,%20can%20come%20to%20lifesafOnly%20True%20Light,%20reflected%20in%20a%20True%20Mirror,%20can%20come%20to%20life.ife.testtesthave%20already%20arrivesafOnly%20True%20Light,%20reflected%20in%20a%20True%20Mirror,%20can%20come%20to%20lBut%20we%20have%20already%20arrivesafOnly%20True%20Light,%20reflected%20in%20a%20True%20Mirror,%20can%20come%20to%20life.ife.%20True%20Mirror,%20can%20come%20to%20life.ife.%20True%20Mirror,%20can%20come%20to%20life.ife.%3C/p%3E%3Cp%3E%C2%A0%3C/p%3E%3Cp%3Etesttesthave%20already%20arrivesafOnly%20True%20Light,%20reflected%20in%20a%20True%20Mirror,%20can%20come%20to%20lBut%20we%20have%20already%20arrivesafOnly%20True%20Light,%20reflected%20in%
20a%20True%20Mirror,%20can%20come%20to%20life.ife.testtesthave%20already%20arrivesafOnly%20True%20Light,%20reflected%20in%20a%20True%20Mirror,%20can%20come%20to%20lBut%20we%20have%20already%20arrivesafOnly%20True%20Light,%20reflected%20in%20a%20True%20Mirror,%20can%20come%20to%20life.ife.testtesthave%20already%20arrivesafOnly%20True%20Light,%20reflected%20in%20a%20True%20Mirror,%20can%20come%20to%20lBut%20we%20have%20already%20arrivesafOnly%20True%20Light,%20reflected%20in%20a%20True%20Mirror,%20can%20come%20to%20life.ife.testtesthave%20already%20arrivesafOnly%20True%20Light,%20reflected%20in%20a%20True%20Mirror,%20can%20come%20to%20lBut%20we%20have%20already%20arrivesafOnly%20True%20Light,%20reflected%20in%20a%20True%20Mirror,%20can%20come%20to%20lifesafOnly%20True%20Light,%20reflected%20in%20a%20True%20Mirror,%20can%20come%20to%20life.ife.testtesthave%20already%20arrivesafOnly%20True%20Light,%20reflected%20in%20a%20True%20Mirror,%20can%20come%20to%20lBut%20we%20have%20already%20arrivesafOnly%20True%20Light,%20reflected%20in%20a%20True%20Mirror,%20can%20come%20to%20lifesafOnly%20True%20Light,%20reflected%20in%20a%20True%20Mirror,%20can%20come%20to%20life.ife.testtesthave%20already%20arrivesafOnly%20True%20Light,%20reflected%20in%20a%20True%20Mirror,%20can%20come%20to%20lBut%20we%20have%20already%20arrivesafOnly%20True%20Light,%20reflected%20in%20a%20True%20Mirror,%20can%20come%20to%20life.ife.%20True%20Mirror,%20can%20come%20to%20life.ife.%20True%20Mirror,%20can%20come%20to%20life.ife.%3C/p%3E%3Cp%3Etesttesthave%20already%20arrivesafOnly%20True%20Light,%20reflected%20in%20a%20True%20Mirror,%20can%20come%20to%20lBut%20we%20have%20already%20arrivesafOnly%20True%20Light,%20reflected%20in%20a%20True%20Mirror,%20can%20come%20to%20life.ife.testtesthave%20already%20arrivesafOnly%20True%20Light,%20reflected%20in%20a%20True%20Mirror,%20can%20come%20to%20lBut%20we%20have%20already%20arrivesafOnly%20True%20Light,%20reflected%20in%20a%20True%20Mirror,%20can%20come%20to%20life.
ife.testtesthave%20already%20arrivesafOnly%20True%20Light,%3C/p%3E.html
and I get this error message:
An Error Was Encountered
The URI you submitted has disallowed characters.
How do I do it correctly? The URL looks very messy; how do I pass the string and still have a clean URL? Please help me with it.
Why not pass the article ID instead? You could then access the article through the controller function, count the characters and decide the method of display.
Alternatively, you could use CI's Session Flashdata to pass the article title/body to the next controller and access it that way.
The URI is failing as security is set up to deny specific characters being passed in the URL. This is for your protection, but, although not recommended, could be disabled in the config files if required.
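An added example, not code from the question or the answer, of the first suggestion: put only the article id in the URL and let the controller look the article up and choose the display mode. The "disallowed characters" error comes from the permitted_uri_chars setting in application/config/config.php; a numeric id is always inside that set, so nothing needs encoding. The in-memory article store, the length limits and every function name below are constructed for the example and are not CodeIgniter APIs.

```php
<?php
// Added example, not the original code: carry only the article id in the URL
// and let the controller look the article up and decide how to show it.
// The article store, thresholds and function names are constructed here.

define('INLINE_LIMIT', 800);   // below this: render in place
define('POPUP_LIMIT',  3044);  // below this: jQuery pop-up; otherwise its own page

// Stand-in for a model; keys are article ids.
function find_article($id)
{
    static $articles = array(
        7 => array('title' => 'Short one',  'content' => str_repeat('a', 120)),
        8 => array('title' => 'Medium one', 'content' => str_repeat('b', 1500)),
        9 => array('title' => 'Long one',   'content' => str_repeat('c', 5000)),
    );
    return isset($articles[$id]) ? $articles[$id] : null;
}

// URI segments arrive as strings; accept only a canonical positive integer so
// "9abc", "-1", "07", "" and the like are rejected before any lookup.
function parse_article_id($segment)
{
    if (!is_string($segment) || !ctype_digit($segment) || $segment[0] === '0') {
        return null;
    }
    return (int) $segment;
}

// Returns 'inline', 'popup' or 'page'. mb_strlen() counts characters rather
// than bytes, so multibyte text is measured the way the reader sees it.
function display_mode($content)
{
    $length = mb_strlen($content, 'UTF-8');
    if ($length < INLINE_LIMIT) {
        return 'inline';
    }
    return $length < POPUP_LIMIT ? 'popup' : 'page';
}

// The link carries nothing but the id, so it stays within permitted_uri_chars
// without any encoding; wrap it in anchor() in the view.
function read_more_link($id)
{
    return 'site/read_article/' . (int) $id;
}

// What site/read_article/<segment> does with $this->uri->segment(3).
function read_article($segment)
{
    $id = parse_article_id($segment);
    $article = $id === null ? null : find_article($id);
    if ($article === null) {
        return array('status' => 404, 'mode' => null, 'title' => null);
    }
    return array('status' => 200, 'mode' => display_mode($article['content']), 'title' => $article['title']);
}

foreach (array('7', '8', '9', '9abc', '-1', '', '07') as $segment) {
    $r = read_article($segment);
    printf("segment %-6s -> %d %s\n", var_export($segment, true), $r['status'], $r['mode'] ?: '-');
}
echo read_more_link(9), "\n"; // site/read_article/9
```

When the page renders, the title goes through htmlspecialchars() like any other value; the body in the question already contains HTML markup, so it can only be echoed raw if its authors are trusted, otherwise it needs an allowlist-based HTML sanitiser rather than escaping.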

How to extract a string from the following HTML page using PHP

Got stuck on some stuff. In short, I need to extract some certain data from a webpage.
Basically, I need to extract /title/tt0118615/ from
Anaconda"
by using preg_match() or whatever other ways. That's a piece of the code from the page which is extracted by the php code below:
<?php
$url = "http://www.imdb.com/find?s=tt&q=Anaconda";
$raw = file_get_contents($url);
echo preg_match ("/^(href=\"\/title\/tt)\"$/", $raw, $data);
echo "data: $data[1]";
?>
I know I'm wrong at the pattern, so that's why I'm posting my question here.
Thanks in advance.
I think this pattern will work in your case:
preg_match("/a href=\"([^\"]*)\"/", $raw, $data);
$data will be an array containing your results; $data[1] is the one you're looking for.
$url = "http://www.imdb.com/find?s=tt&q=Anaconda";
$raw = file_get_contents($url);
preg_match_all('%b\.gif\?link=(/title/.*?)\'%i', $raw, $imdbcode, PREG_PATTERN_ORDER);
$imdbcode = $imdbcode[1][0];
echo $imdbcode; // echoes /title/tt0118615/
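An added example, not from either answer, that pulls the /title/ttNNNNNNN/ path out of the result markup with a real HTML parser (DOMDocument and XPath) instead of a regex over the raw page, and then accepts the href only if it has exactly the expected shape. That second step matters whenever the extracted path is reused, for instance to build a follow-up request, because a scraped href can just as easily be javascript:, a path to a different section, or contain ../ segments. The HTML below is a constructed stand-in for the page; to run it against the live site, fetch with file_get_contents($url) as in the question.

```php
<?php
// Added example, not from either answer: extract /title/ttNNNNNNN/ paths from
// search-result markup with a real HTML parser and a strict shape check. The
// sample HTML is constructed; fetch the live page with file_get_contents()
// as in the question if you want real input.

// Returns the first href matching /title/tt<digits>/, or null.
function extract_first_title_path($html)
{
    $paths = extract_title_paths($html);
    return count($paths) ? $paths[0] : null;
}

// Returns every distinct /title/ttNNNNNNN/ href in document order.
function extract_title_paths($html)
{
    $doc = new DOMDocument();
    // Real-world markup is rarely well-formed; silence the parser warnings
    // and let libxml recover, as a browser would.
    $previous = libxml_use_internal_errors(true);
    $doc->loadHTML($html);
    libxml_clear_errors();
    libxml_use_internal_errors($previous);

    $xpath = new DOMXPath($doc);
    $found = array();
    foreach ($xpath->query('//a[@href]') as $anchor) {
        $href = $anchor->getAttribute('href');
        // Drop any query string or fragment, then insist on the canonical form:
        // leading slash, "title", "tt" plus 7 or 8 digits, trailing slash.
        $path = parse_url($href, PHP_URL_PATH);
        if (is_string($path)
            && preg_match('#^/title/tt\d{7,8}/$#', $path)
            && !in_array($path, $found, true)) {
            $found[] = $path;
        }
    }
    return $found;
}

// Constructed sample resembling a "find" result list; the first id is the one
// the question wants, the remaining anchors show what the filter rejects.
$sample = <<<'HTML'
<html><body>
<a href="/">Home</a>
<a href="/title/tt0118615/?ref_=fn_tt_tt_1">Anaconda</a> (1997)
<a href="/title/tt0118615/">Anaconda</a>
<a href="/title/tt1234567/">Another match</a>
<a href="javascript:alert(1)">not a path</a>
<a href="/name/nm0000001/">a person, not a title</a>
<a href="/title/tt0118615/../../etc">path with traversal</a>
</body></html>
HTML;

echo extract_first_title_path($sample), "\n";   // /title/tt0118615/
print_r(extract_title_paths($sample));           // the two distinct title paths
```

A regex that takes the first href on the page returns whatever anchor happens to come first (a navigation link, for instance), and one keyed to an image filename breaks the day the markup changes; selecting by element and validating the value keeps the scraper both predictable and safe to reuse.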
