John Davidson

php - To Use urldecode() or Not When Outputting User Submitted Details From Your Database?



I am struggling to understand whether to use urldecode() or not, as I read in tutorials that the browser automatically URL-decodes encoded URLs and so we don't have to urldecode().
I need to filter the user inputs before they submit their data to my MySQL database. And I need to securely filter it too before displaying their data on my pages.


CODE A


<?php

function test_input($data)
{
$data = trim($data);
$data = stripslashes($data); //Strips only Backward Slashes. Not Forward Slashes.

$data = htmlspecialchars($data);
$data = strip_tags($data);
$data = urlencode($data);


return $data;
}

$input_2 = 'http://www.url.com/index.php';
$input_3 = '<a href="http://www.url.com/index.php">Link</a> *';

echo test_input($input_3);

?>

But if the browser auto-decodes, why isn't the above echoing a decoded URL?


I get echoed:
%26lt%3Ba+href%3D%26quot%3Bhttp%3A%2F%2Fwww.url.com%2Findex.php%26quot%3B%26gt%3BLink%26lt%3B%2Fa%26gt%3B+%2A


And this code:
CODE B


<?php

function test_input($data)
{
$data = trim($data);
$data = stripslashes($data); //Strips only Backward Slashes. Not Forward Slashes.

$data = htmlspecialchars($data);
$data = strip_tags($data);
$data = urlencode($data);


return $data;
}

$input_2 = 'http://www.url.com/index.php';
$input_3 = '<a href="http://www.url.com/index.php">Link</a> *';

echo test_input(urldecode($input_3));

?>


Outputs this:
%26lt%3Ba+href%3D%26quot%3Bhttp%3A%2F%2Fwww.url.com%2Findex.php%26quot%3B%26gt%3BLink%26lt%3B%2Fa%26gt%3B+%2A


They both output the same. Note the 2nd code uses urldecode() while the 1st code doesn't. Hence, they shouldn't output the same. Correct?


How do I fix this so the URL is echoed in decoded format?
NOTE: The custom function is a filter for users' inputs. I am trying to build a filter so users can submit the following details, which get filtered before submission to my DB and filtered again before being echoed or displayed on my pages.


<!-- PHP_SELF reflects the request path, so it is echoed through htmlspecialchars() before being placed in the attribute -->
<form method='POST' action="<?php echo htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES, 'UTF-8'); ?>">
<label for='find'>Find</label>
<input type='text' name='find' id='find'>
<br>
Table:
<!-- each radio needs a value, and each label's "for" must point at that radio's id -->
<input type='radio' name='table' id='sale' value='sale'><label for='sale'>Businesses On Sale</label>
<input type='radio' name='table' id='sold' value='sold'><label for='sold'>Businesses Sold</label>
<br>
<label for="column">Column:</label>
<select name="column" id="column">
<option value=""></option>
<option value="business_submission_id">Business Submission Id</option>
<option value="business_submission_date_and_time">Business Submission Date &amp; Time</option>
<option value="business_name">Business Name</option>
<option value="business_zip">Business Zip</option>
<option value="business_phone">Business Phone</option>
<option value="business_email">Business Email</option>
<option value="business_domain">Business Website Domain Name</option>
<option value="business_url">Business Website Url</option>
<option value="business_description">Business Description</option>
</select>
<button type='submit'>Submit!</button>
</form>
</body>
</html>
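The following is an added example, not code from the question or the answer. It shows why CODE A and CODE B print the same string (urldecode() on text that contains no %XX sequences is a no-op, and PHP has already decoded $_POST for you), and it replaces the single stacked filter with one escaping function per output context. The helper names for_html, for_url_param and for_href, and all input values, are constructed for this example.

```php
<?php
// Added example (not from the original post): why CODE A and CODE B print the
// same string, and why each encoding function belongs to exactly one context.
// Assumes PHP 7.4+ and no database; the input values below are constructed.

// Value as it would arrive in $_POST. PHP has ALREADY url-decoded the request
// body, so calling urldecode() on it again changes nothing.
$input_3 = '<a href="http://www.url.com/index.php">Link</a> *';

// 1. urldecode() on text with no %XX sequences returns it unchanged, which is
//    why test_input($input_3) and test_input(urldecode($input_3)) agree.
var_dump(urldecode($input_3) === $input_3);   // bool(true)

// 2. One escaping function per output context. Stacking htmlspecialchars(),
//    strip_tags() and urlencode() on stored data corrupts it instead of
//    protecting it.
function for_html(string $s): string {
    // Text placed between HTML tags or inside a quoted attribute.
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function for_url_param(string $s): string {
    // A single query-string value; never applied to whole stored text.
    return urlencode($s);
}

function for_href(string $url): string {
    // An href is two contexts at once: validate the URL, then HTML-escape it.
    $parts = parse_url($url);
    if ($parts === false || !in_array($parts['scheme'] ?? '', ['http', 'https'], true)) {
        return '#';   // refuse non-http schemes and malformed URLs
    }
    return for_html($url);
}

// 3. Ordering matters when raw input really does contain %XX sequences:
//    decode FIRST, then escape, or encoded markup survives the filter.
$encoded_input = '%3Cb%3Eraw+markup%3C%2Fb%3E';   // constructed

$escape_then_decode = urldecode(for_html($encoded_input));   // wrong order
$decode_then_escape = for_html(urldecode($encoded_input));   // right order

echo $escape_then_decode, PHP_EOL;   // <b>raw markup</b>  (live markup reaches the page)
echo $decode_then_escape, PHP_EOL;   // &lt;b&gt;raw markup&lt;/b&gt;

// 4. The asker's value rendered in each context.
echo '<p>', for_html($input_3), '</p>', PHP_EOL;
echo '<a href="', for_href('http://www.url.com/index.php'), '">Link</a>', PHP_EOL;
echo '<a href="search.php?find=', for_url_param($input_3), '">Search</a>', PHP_EOL;
```

The design point is that the stored value stays raw: nothing is urlencoded or HTML-escaped on the way into the database, and the escaping function is chosen at output time by where the value is being written.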


My Answer:
In your code, you are using the urlencode() function, which is encoding the data before returning it. This is why you are seeing the encoded URL in the output.

If you want to decode the URL before displaying it, you should use the urldecode() function when outputting the data, not when filtering it. So, your CODE B is correct in using urldecode() when echoing the data.

Here is the corrected code:

<?php

function test_input($data)
{
$data = trim($data);
$data = stripslashes($data); //Strips only Backward Slashes. Not Forward Slashes.

$data = htmlspecialchars($data);
$data = strip_tags($data);
// urlencode() removed: the value is no longer percent-encoded on return

return $data;
}

$input_2 = 'http://www.url.com/index.php';
$input_3 = '<a href="http://www.url.com/index.php">Link</a> *';

echo test_input(urldecode($input_3));

?>


This code will output the decoded URL as expected. Remember to always filter user inputs before storing them in the database and then decode them before displaying them on your pages.
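As an added example (not the answer's or the asker's code), here is the search form from the question handled end to end: the table and column names, which cannot be bound as query parameters, are checked against a fixed allow-list; the search text is passed as a bound parameter and stored raw; and HTML escaping happens only at output. It assumes PHP 7.4+ with PDO, that the form's radio buttons carry the values 'sale' and 'sold', and the table names, DSN and credentials shown are placeholders.

```php
<?php
// Added example (not the original post's code): safe handling of the question's
// search form without urlencode()/urldecode() anywhere in the storage path.
// Assumes PHP 7.4+ with PDO. Table names, DSN and credentials are placeholders.

// Identifiers cannot be parameterised, so they are mapped from a fixed
// allow-list rather than "filtered". The form's radio values are assumed to
// be 'sale' and 'sold'; the column names mirror the form's <option> values.
const ALLOWED_TABLES  = ['sale' => 'businesses_on_sale', 'sold' => 'businesses_sold'];
const ALLOWED_COLUMNS = [
    'business_submission_id', 'business_submission_date_and_time', 'business_name',
    'business_zip', 'business_phone', 'business_email', 'business_domain',
    'business_url', 'business_description',
];

function validate_search(array $post): array {
    $find   = trim((string)($post['find'] ?? ''));
    $table  = ALLOWED_TABLES[$post['table'] ?? ''] ?? null;
    $column = in_array($post['column'] ?? '', ALLOWED_COLUMNS, true) ? $post['column'] : null;
    if ($find === '' || $table === null || $column === null) {
        throw new InvalidArgumentException('missing or unrecognised search field');
    }
    return [$find, $table, $column];
}

function run_search(PDO $pdo, string $find, string $table, string $column): array {
    // $table and $column come from the allow-list above; the user's text is a
    // bound parameter, so it is compared raw (no stripslashes, no urlencode).
    // LIKE wildcards in the user's text are escaped so they match literally.
    $pattern = '%' . addcslashes($find, '%_\\') . '%';
    $stmt = $pdo->prepare("SELECT `$column` FROM `$table` WHERE `$column` LIKE :find LIMIT 50");
    $stmt->execute([':find' => $pattern]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

function render_results(array $rows): string {
    // Escaping is done here, at output time, for the HTML context only.
    $out = '<ul>';
    foreach ($rows as $row) {
        $out .= '<li>' . htmlspecialchars((string)$row, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</li>';
    }
    return $out . '</ul>';
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    try {
        [$find, $table, $column] = validate_search($_POST);
        $pdo = new PDO('mysql:host=localhost;dbname=example_db;charset=utf8mb4', 'user', 'pass', [
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES   => false,
        ]);
        echo render_results(run_search($pdo, $find, $table, $column));
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        echo '<p>', htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8'), '</p>';
    }
}
```

With this split there is nothing to urldecode: PHP has already decoded $_POST, the database receives the text as typed, and the only transformation is htmlspecialchars() at the moment the value is written into the page.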

© 2024 Hayatsk.info - Personal Blogs Platform. All Rights Reserved.