openconvos

Reputation: 23

Cannot print full URL text when there is a slash in the URL

I have made a form where, when I send values with a slash, in the same page I read the URL value sent by my form input and print it from the $_POST request value. But something strange happens: if the sentence does not contain slashes, it reads it all. If it contains one slash, it reads the request until the slash and the rest is not printed. I have used urldecode and stripslashes, but the part after the slash is never printed.

   <form autocomplete='off' style='margin-left:8px;' method='POST' name='form'>
   <input type='hidden' value='$parameters2' name='de'>
   <input type='hidden' value='$parameters' name='ef'>
   <input type='hidden' value='$parameters4' name='dee'>
   <input autocomplete='off' id='text' type='text' name='query_string' size='17'   class='BodyCopy' style='border: none; width:89%; font-family:monospace; font-size:12px;'  autofocus></form>


     $parameters = $_POST['query_string'];
     $parameters3 = $_POST['de'];
     $parameters4 = $_POST['ef'];
     $parameters5 = $_POST['dee'];
     echo $parameters;
     echo $parameters3;
     echo $parameters4;
     echo $parameters5;

Upvotes: 1

Views: 297

Answers (4)

openconvos

Reputation: 23

OK, I found the solution for my problem, guys. I just had to replace the apostrophe with the HTML code for the quote, which is &#39;, or a different kind of apostrophe. Also, I had to use stripslashes in order to remove the slash generated by the URL. The form tag does not need to be changed. So the right code is:

 $parameters = stripslashes(str_replace("'", "&#39;",$_POST['query_string']));
 $parameters2 = stripslashes(str_replace("'", "&#39;",$_POST['de']));
 $parameters3 = stripslashes(str_replace("'", "&#39;",$_POST['ef']));
 $parameters5 = stripslashes(str_replace("'", "&#39;",$_POST['dee']));

Upvotes: 0

OBV

Reputation: 1259

If the slashes appear before the apostrophe, it escapes it out so that it no longer terminates the attribute.

e.g.

Value now equals:

value='test\' name='

instead of:

value='test'

You can fix it by adding slashes which escapes the escaper!

<input type='hidden' value='<?php echo addslashes($parameters); ?>' name='de'>

<?php
     // Remove the added slashes when reading the submitted value
     $parameters = stripslashes($_POST['query_string']);

     echo $parameters;

?>

Upvotes: 1

joonas.fi

Reputation: 8236

The problem is not receiving the data (all data you enter in POST form fields should arrive at the server 1:1 as given in the input).

The problem might be displaying the data, or rather using that data incorrectly in HTML.

In your example you are setting variable values in hidden inputs. Doing that directly is wrong, since any character that has special meaning in HTML will break your HTML. Some examples are: $parameters2 containing:

foo' bar

=> your HTML will end up as:

<input type='hidden' value='foo' bar name='de'>

Which is obviously not what you want.

Try ramming your data through addslashes() and htmlentities() before embedding the data in a

<input type="hidden" value="..." />

Like this:

$parameters2 = addslashes(htmlentities($parameters2));

And only after that, embed the value in HTML.

If you are displaying the value outside of an HTML tag attribute, like this:

<p>$parameters2</p>

.. then you should only need htmlentities(). Addslashes is for when you need to embed the value in an HTML tag attribute.

Note: the addslashes-htmlentities combination doesn't cover all cases. If I recall correctly, at least line breaks will still break your HTML inside a tag attribute.

Upvotes: 0

user684202

Reputation:

Let's assume that $parameters2 = "Hello, I'm Tom!".

Now let's take a look at our input field:

// This
<input type='hidden' value='$parameters2' name='de'>

// becomes this
<input type='hidden' value='Hello, I'm Tom!' name='de'>

Since the HTML is WRONG - we are not able to send the full string. But don't worry - addslashes() will save the day.

// This
<input type='hidden' value='addslashes($parameters2)' name='de'>

// becomes this
<input type='hidden' value='Hello, I\'m Tom!' name='de'>

// And to get the proper value..
$parameters2 = stripslashes($_POST['de']);

Upvotes: 1
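
Added example, not part of the question or any answer above: it renders the same hidden input with the three approaches discussed in this thread (raw interpolation, addslashes(), HTML encoding) and parses each tag back with DOMDocument to show which value an HTML parser recovers. HTML attribute values have no backslash escape, so a quote inside one has to be written as a character reference. The function names and the sample string are constructed for illustration, and PHP's DOM extension is assumed to be available.

```php
<?php
// Added example (not from the thread): three ways to put a value into a
// single-quoted HTML attribute, and what an HTML parser reads back.
// Function names are hypothetical; requires PHP's DOM extension.

function render_raw(string $v): string
{
    // Direct interpolation: an apostrophe in $v closes the attribute early.
    return "<input type='hidden' name='de' value='$v'>";
}

function render_addslashes(string $v): string
{
    // HTML has no backslash escape, so \' still closes the attribute.
    return "<input type='hidden' name='de' value='" . addslashes($v) . "'>";
}

function render_encoded(string $v): string
{
    // ENT_QUOTES encodes both ' and " as character references.
    return "<input type='hidden' name='de' value='"
        . htmlspecialchars($v, ENT_QUOTES, 'UTF-8') . "'>";
}

// Returns the value attribute as the parser sees it.
function parsed_value(string $html): string
{
    libxml_use_internal_errors(true);   // malformed markup is expected here
    $doc = new DOMDocument();
    $doc->loadHTML('<form>' . $html . '</form>');
    libxml_clear_errors();
    $input = $doc->getElementsByTagName('input')->item(0);
    return $input === null ? '' : $input->getAttribute('value');
}

$sample = "it's a/b test";   // constructed input: one apostrophe, one slash

foreach (['render_raw', 'render_addslashes', 'render_encoded'] as $fn) {
    $html = $fn($sample);
    printf("%-18s %s\n%18s parsed value: %s\n", $fn, $html, '', parsed_value($html));
}
```

When the encoded form is submitted, the browser sends the decoded characters, so the receiving script does not have to reverse the encoding.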
