Allow certain characters to pass through $_GET?

Question

I wrote a script that when you enter a textbox, it will open an invisible iframe to a .php file with $_GET of what they wrote into the textbox.

However, for example, if I type: '<3' in it, this is what happens.

PHP determins that the $_GET[s] is blank! Users cant put a simple <3 symbol without getting that error.

Another problem is quotes, if I write any quotes, it will end the entire SRC property.

What should I do? Should I do something with javascript, or even PHP? Please let me know!

Thanks!

Answer 1

It looks like your iframe is generated by JavaScript, so all those answers that include PHP functions are useless. The data isn't even reaching PHP, so how can any PHP function hope to help?

Instead, try using urlencode from PHPJS, since none of JS's functions really handle all cases well, and this makes it easy for you to use PHP's urldecode to retrieve the data.

Answer 2

Regarding double quotes, you can use this trick.

attr='Your string can "contain double quotes"'

or

attr="Your string can 'contain double quotes'"

but while specifying variable=values in url, you don't need to user double quotes, you can directly assign the values.

like

url="test.php?var1=123&var2=345"

rest about sending the <3 characters, you can check for url encoding in javascript & PHP whichever applicable!

Answer 3

You need to encode that character as <.

Answer 4

Use urlencode to encode the inputted string into a valid one for URL use.

Also be very cautious when allowing user input into your PHP script through the URL. Make sure you do proper checks/sanitization, especially if database operations are involved.