[nycphp-talk] arg_separator

Dan Cech dcech at phpwerx.net
Mon Dec 19 20:36:53 EST 2005


Ok,

1. proper url encoding

Say you have 2 items to go into the url:

$item1 = 'this & that';
$item2 = 'example@example.org';

Now, in order to get them into a url string, you want to urlencode (or 
rawurlencode) the values, so it will look like:

$urlstring = 'whatever.php?item1='. urlencode($item1) .'&item2='. 
urlencode($item2);

so urlstring now contains:

whatever.php?item1=this+%26+that&item2=example%40example.org

or, if you used rawurlencode:

whatever.php?item1=this%20%26%20that&item2=example%40example.org

This is now fine to enter into the location bar of your browser, but 
that & in the middle will wreak havoc on your html.  One answer is to 
replace it with ; and change the arg_separator, but an easier solution 
is to do the same to it as you would for any other piece of data you're 
going to insert into your html page: run it through htmlentities.

echo '<a href="'. htmlentities($urlstring) .'">a link</a>';

will result in:

<a href="whatever.php?item1=this+%26+that&amp;item2=example%40example.org">a link</a>

As you can see that pesky & is converted to a nice &amp; and your url 
will work 100% plus help you protect against XSS attacks, regardless of 
the arg separator you're using.

Here is a handy little function to take an array and turn it into a 
query string, ready to go into a header or curl call, or through 
htmlentities and into html:

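function query_string($vars)
{
     // Use the configured output separator, falling back to '&'
     $arg_sep = ini_get('arg_separator.output');
     if (empty($arg_sep)) {
         $arg_sep = '&';
     }

     // URL-encode each key and value into a key=value pair
     foreach ($vars as $key => $val) {
         $vars[$key] = urlencode($key) .'='. urlencode($val);
     }

     // Join the pairs; HTML-escape the result separately before putting it in html
     return implode($arg_sep,$vars);
}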

2. If you do want to set the arg_separator.input and/or .output to 
something else, use the php_value (not php_admin_value) and throw the 
directive into the .htaccess file at the root of your php scripts.

Dan

michael wrote:
> net-www/apache-2.0.55
> dev-lang/php-5.0.5-r1
> 
> I have a development box running several sites.  I'm having difficulty
> with one of them.  Some of the GET variables have legit ampersands in
> them. I tried escaping them then rescaping them but got unexpected
> results.  I changed all the separators in the urls to be &amp;, but
> that didn't seem to work for me either.
> 
> As per the PHP docs, the W3C recommends arg_separator to be ";" instead
> of "&".  Ah, I thought, there is my answer.
> 
> I did some poking around and found arg_separator *should* be able to be
> set on a per directory basis.  I didn't want to do it site wide because
> that would entail changing every site I have on my development box AND
> all the production servers upstream.  I just wanted to do it for this
> one site (for now). So, I left the default in the php.ini and in the
> apache vhost conf <Directory> I added 
> 
> php_admin_value arg_separator.input ;
> 
> But it does not seem to be picking that up.  I must be missing
> something.. any ideas?
> 
> 
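
The two encoding layers from Dan's message above (urlencode for the query string, htmlentities for the HTML attribute), shown as a round trip next to the unencoded case. This is an added example, not part of the original thread; the function names build_query, link_html and params_seen_by_server are hypothetical, the sample values are constructed, and it assumes arg_separator.input is at its default of "&".

```php
<?php
// Added example, not code from the original post. Sample values are constructed.

// Layer 1: URL-encode every key and value, then join with the separator.
function build_query(array $vars, string $sep = '&'): string
{
    $pairs = [];
    foreach ($vars as $key => $val) {
        $pairs[] = urlencode((string) $key) . '=' . urlencode((string) $val);
    }
    return implode($sep, $pairs);
}

// Layer 2: escape the finished URL (and the link text) for the HTML context.
function link_html(string $url, string $text): string
{
    return '<a href="' . htmlentities($url, ENT_QUOTES, 'UTF-8') . '">'
         . htmlentities($text, ENT_QUOTES, 'UTF-8') . '</a>';
}

// What happens to the markup afterwards: the browser decodes entities in the
// href, requests that URL, and PHP splits the query string into parameters.
function params_seen_by_server(string $html): array
{
    preg_match('/href="([^"]*)"/', $html, $m);
    $url = html_entity_decode($m[1] ?? '', ENT_QUOTES, 'UTF-8');
    $parts = explode('?', $url, 2);
    parse_str($parts[1] ?? '', $params);   // splits on arg_separator.input
    return $params;
}

$vars = ['item1' => 'this & that', 'item2' => 'example@example.org'];

// Without layer 1: the "&" inside item1 is treated as a separator,
// so the parsed parameters no longer match what was sent.
parse_str('item1=' . $vars['item1'] . '&item2=' . $vars['item2'], $broken);
var_dump($broken === $vars);

// With both layers: the markup is valid and the values survive the round trip.
$html = link_html('whatever.php?' . build_query($vars), 'a link');
echo $html, "\n";
var_dump(params_seen_by_server($html) === $vars);
```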



