urlencode problems

  • Doug Johnston

    urlencode problems

    Hi,

    I am having problems with running urlencode(select * from myfile where
    field like '%0002%'), in particular the like section, what I get is...
    like+%27%250002%25%27
    ....which is fine, but when I decode it I get...
    like \'02\'
    ....I get backslashes before the single quotes and 2 of the leading
    zeroes in 0002 are missing.

    Does anyone have any clues?

    Regards
    Doug Johnston
  • Erwin Moller

    #2
    Re: urlencode problems

    Doug Johnston wrote:

    > Hi,
    >
    > I am having problems with running urlencode(select * from myfile where
    > field like '%0002%'), in particular the like section, what I get is...
    > like+%27%250002%25%27
    > ...which is fine, but when I decode it I get...
    > like \'02\'
    > ...I get backslashes before the single quotes and 2 of the leading
    > zeroes in 0002 are missing.
    >
    > Does anyone have any clues?
    >
    > Regards
    > Doug Johnston


    Hi,

    Not on my machine...
    I made this little script to test.

    <?php
    // Round-trip the query through urlencode()/urldecode()
    $astr = "select * from myfile where field like '%0002%'";
    $enc = urlencode($astr);
    $dec = urldecode($enc);

    // htmlentities() so the browser shows each string exactly as it is
    echo "astr = " . htmlentities($astr) . "<br>";
    echo "enc = " . htmlentities($enc) . "<br>";
    echo "dec = " . htmlentities($dec) . "<br>";
    ?>

    which produces:

    astr = select * from myfile where field like '%0002%'
    enc = select+%2A+from+myfile+where+field+like+%27%250002%25%27
    dec = select * from myfile where field like '%0002%'

    Does it produce the same on your machine?

    You must be adding slashes somewhere to make it 'safe'.
    Maybe your php.ini settings are doing things you are not aware of?

    by the way: Everybody can make their own queries, and updates, if you pass
    around SQL-commands like this...
    Please reconsider your design...


    Regards,
    Erwin Moller

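Added example, not Erwin's script or any other code from the thread: it reproduces both of Doug's symptoms on a plain PHP command line (no web server, no database) and then shows the decode done exactly once. The readParam() helper is a name chosen for this example; the magic_quotes_gpc behaviour Erwin hints at with "php.ini settings" is simulated with addslashes(), which is what that setting did to every GET/POST value.

```php
<?php
// Added example, not code from the thread. Reproduces Doug's two symptoms
// on a plain PHP CLI and shows the correct single decode. readParam() is a
// name chosen for this example; magic_quotes_gpc is simulated with addslashes().

$query = "select * from myfile where field like '%0002%'";

// urlencode()/urldecode() alone round-trip the string cleanly, as in Erwin's test.
$enc = urlencode($query);
echo "enc       : $enc\n";
echo "dec once  : " . urldecode($enc) . "\n";

// Symptom 1 (vanishing zeroes): the web server decodes the query string once
// while filling $_GET. Running urldecode() on that value a second time treats
// the "%00" inside '%0002%' as the escape for a NUL byte, so "00" is eaten and
// only "02" remains visible.
$twice = urldecode(urldecode($enc));
echo "dec twice : " . str_replace("\0", "<NUL>", $twice) . "\n";

// Symptom 2 (backslashes): with magic_quotes_gpc=On, a php.ini setting of the
// PHP 4/5 era, every GET/POST value went through the equivalent of addslashes()
// before the script saw it, which is where the \' comes from.
$magic = addslashes(urldecode($enc));
echo "magic     : $magic\n";

// Doing it right: decode exactly once. parse_str() performs the same %XX and +
// decoding the server does for $_GET; do not call urldecode() on the result.
function readParam(string $rawQueryString, string $name): ?string
{
    parse_str($rawQueryString, $params);
    return $params[$name] ?? null;
}

$raw = 'q=' . $enc;                                   // what the URL carries
echo "readParam : " . readParam($raw, 'q') . "\n";
var_dump(readParam($raw, 'q') === $query);            // compares with the original
```

Read this way, Doug's output is consistent with two separate causes: the backslashes come from a quoting layer such as magic_quotes_gpc (stripslashes() papers over it, turning the setting off removes it), and the missing zeroes come from decoding a value that the server had already decoded. Dropping the second urldecode() is the fix for the zeroes; no fudging is needed.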

    • Doug Johnston

      #3
      Re: urlencode problems

      Hi Erwin,

      Thanks for your reply. I have found stripslashes to work well for me,
      but having to fudge the disappearing zeroes.

      With regard to security apart from MySQL login and some unique client
      data, the whole lot will be in a protected directory. Is this enough? I
      guess if anyone wants to try hard enough they will get through anything.
      Maybe there is something else I could do?

      Regards
      Doug Johnston



      Erwin Moller wrote:
      > Doug Johnston wrote:
      >
      >>Hi,
      >>
      >>I am having problems with running urlencode(select * from myfile where
      >>field like '%0002%'), in particular the like section, what I get is...
      >>like+%27%250002%25%27
      >>...which is fine, but when I decode it I get...
      >>like \'02\'
      >>...I get backslashes before the single quotes and 2 of the leading
      >>zeroes in 0002 are missing.
      >>
      >>Does anyone have any clues?
      >>
      >>Regards
      >>Doug Johnston
      >
      > Hi,
      >
      > Not on my machine...
      > I made this little script to test.
      >
      > <?
      > $astr = "select * from myfile where field like '%0002%'";
      > $enc = urlencode($astr);
      > $dec = urldecode($enc);
      >
      > echo "astr = ".htmlentities($astr)."<br>";
      > echo "enc = ".htmlentities($enc)."<br>";
      > echo "dec = ".htmlentities($dec)."<br>";
      > ?>
      >
      > which produces:
      >
      > astr = select * from myfile where field like '%0002%'
      > enc = select+%2A+from+myfile+where+field+like+%27%250002%25%27
      > dec = select * from myfile where field like '%0002%'
      >
      > Does it produce the same on your machine?
      >
      > You must be adding slashes somewhere to make it 'safe'.
      > Maybe your php.ini settings are doing things you are not aware of?
      >
      > by the way: Everybody can make their own queries, and updates, if you pass
      > around SQL-commands like this...
      > Please reconsider your design...
      >
      > Regards,
      > Erwin Moller


      • Erwin Moller

        #4
        Re: urlencode problems

        Doug Johnston wrote:

        > Hi Erwin,

        Hi,

        > Thanks for your reply. I have found stripslashes to work well for me,
        > but having to fudge the disappearing zeroes.

        Well, look deeper. :-)
        The fact you cannot pass name/value pairs around the way you expect is a
        sign something is wrong somewhere.
        I think you might hit other issues later.

        Can you pass around a random string with URL-encode via query-string?
        Just make a sample script, and see if it works.
        If not, go check the documentation at php.net and check your php.ini
        settings, etc. (use htmlentities to be sure you print a string as it is in
        a webpage.)

        In cases like this, always spend some extra time figuring it out.
        Sometimes 'minor problems' return later on with an extra bite. :-(
        Just my advice of course. :-)

        > With regard to security apart from MySQL login and some unique client
        > data, the whole lot will be in a protected directory. Is this enough?

        Hard to say. What is a protected directory? Like a .htaccess file?

        > I guess if anyone wants to try hard enough they will get through anything.

        Yes and No.
        Do not take this the wrong way, but that is no valid argument.
        If you open a can with top-quality crackers, I expect that they can break a
        lot of systems.
        But that is no excuse for being sloppy and making things easy for the less
        talented.
        The easier the crack/hack, the more people will see it.
        I mean: Every web programmer immediately recognizes that URL as a
        security hole. (That goes for method POST in a form too by the way.)
        I think it is a bad habit to pass queries around like that.

        The question is of course if the receiving script will execute the query.
        If it does not (and only stores it somewhere in a logfile eg), the situation
        is less serious of course. :-)

        Sorry if I sound patronizing. (slap me. :P)

        > Maybe there is something else I could do?

        I always add things like this:
        The script that receives the SQL-query should start with checking the
        session to be sure the one logged in has access to that script.
        eg: $_SESSION["admin"] should contain "Y"
        if not: terminate the script and scoff the user.

        Good luck

        Regards,
        Erwin Moller

        > Regards
        > Doug Johnston


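Added example, not code from the thread: the receiving script redesigned along the lines Erwin describes, so the browser sends only a search term, the session check runs first, and the SQL stays in the code as a prepared statement. The isAdmin() and searchField() names, the `term` parameter and the one-column myfile table are assumptions made for this example; it assumes PDO with the sqlite driver so it runs without a MySQL server.

```php
<?php
// Added example, not code from the thread. The receiving script redesigned so
// the browser sends only a search term and the SQL stays in the code. Assumes
// PDO with the sqlite driver; the myfile table and its rows are constructed here.

// Erwin's check: only a session marked admin may reach the query at all.
function isAdmin(array $session): bool
{
    return isset($session['admin']) && $session['admin'] === 'Y';
}

// The LIKE query lives here. The client supplies $term only; the wildcards
// and the quoting are ours, and the value travels as a bound parameter.
function searchField(PDO $db, string $term): array
{
    // Escape % and _ inside the term so "0002" matches literally.
    $pattern = '%' . addcslashes($term, '%_\\') . '%';
    $stmt = $db->prepare("SELECT field FROM myfile WHERE field LIKE :p ESCAPE '\\'");
    $stmt->execute([':p' => $pattern]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed sample data so the script runs without a MySQL server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE myfile (field TEXT)");
$db->exec("INSERT INTO myfile VALUES ('AB0002CD'), ('X00021'), ('nothing'), ('0002')");

if (PHP_SAPI === 'cli') {
    // Demo only: stand in for the real session and request.
    $session = ['admin' => 'Y'];
    $term = '0002';
} else {
    session_start();
    $session = $_SESSION;
    $term = $_GET['term'] ?? '';
}

if (!isAdmin($session)) {
    http_response_code(403);
    exit('Forbidden');
}

echo implode("\n", searchField($db, $term)), "\n";
```

Compared with the thread's design, nothing the client sends is ever executed as SQL: the term is bound rather than concatenated, the LIKE wildcards inside it are escaped, and the session check runs before the database is touched. A protected directory in the .htaccess sense still leaves the full SQL statement in every URL, which is the habit Erwin is asking Doug to drop.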