Variables in links! Help!

Leozack

Eek! I've been building a site in my spare time for a number of months now. I SO want to finish it! (yaknow the feeling?!)
Well I've just hit a problem that I'm not sure what to do about, and it's all around user input I guess.

Basically I have an input validation system. I have a bunch of filters (preg patterns at heart) that I pass input through, depending on what it is. I have types for alphanumeric, filenames, url, email, text etc. They work fine as far as I've tested. However ... the problem I've come across is just cos a char is allowed in it's field type, doens't mean it's allowed in a url!

Basically, I found that if I this blows up IE in a link :
!#%&()+,.;=@~ -
but this doesn't.
+=@~-
so ... which of the deleted ones causes it? It appears the following aren't allowed in a url
(), .;
and ! crashes it and % crashes it if not followed by a number, eg %20

So I thought ... if they're allowed in things (eg text) but not in a url, I can't ever use a variable in a link if it contains any of those!
URLENCODE() then URLDECODE() I hear you cry! But I always thought that if I did that I would end up decoding something that was never encoded with urlencode(), or something like that, like stripping slashes that weren't added with addslashes().

So I thought ... I should have a variable in a session, that holds an array of the variablenames and variablename values of any variables I want to send in a link. Then I just read them back into variable named variables on the enxt page and have them as they were - simple! But what a lot of hastle it will be for me to do that now, before every link adding the arguments into the array then reading them off on later pages =(

Can anyone help? I'm fed up of doing this website on my own with no help. It's hard enough that I don't have MySQL and I'm having to use flatfiles for this whole thing! It means I don't use ID numbers or anyhting anywhere and all content must be referenced with a bunch of variables (the folder it's in, it's title, it's foramts, it's author etc)

Argh! 🙁

Weedpacket

No, really, [man]urlencode[/man]. (a) Think about what you're encoding and decoding in advance (and urlencode anything you're writing in a URL), and (b) if it's not urlencoded (whether the by the browser inserting it from user input or your putting it in the link explicitly) it would get corrupted anyway.

Leozack

ok, I've now found out I shouldn't even try and develop PHP. Why? BEcause those IE crashes I spoke of don't happen for others testing my code, and not even on my other PC! It appears only my PC is doomed to crash on my testing code, whereas other people get the following results :

title = This is such a great game, I can't help but love it!
author = Load of ["\/\ a-z0-9!#£$%&'()*+,.:;=?@_{}~-]
formats = Gamecube_PC

URL Encoded :

title = This+is+such+a+great+game%2C+I+can%27t+help+but+love+it%21
author = Load+of+%5B%22%5C%2F%5C%5C+a-z0-9%21%23%A3%24%25%26%27%28%29%2A%2B%2C.%3A%3B%3D%3F%40_%7B%7D%7E-%5D
formats = Gamecube_PC

After URL Encoding and linking (on 2nd page) :

title = This is such a great game, I can\'t help but love it!
author = Load of [\"\/\\ a-z0-9!#£$%&\'()*+,.:;=?@_{}~-]
formats = Gamecube_PC

URL Decoded (on 2nd page) :

title = This is such a great game, I can\'t help but love it!
author = Load of [\"\/\\ a-z0-9!#£$%&\'()* ,.:;=?@_{}~-]
formats = Gamecube_PC

And the full hyperlink, that crashes my PC but not my other PC (or other peoples when they link through to my PC) :

http://jazzpc:8000/test/urlencode2.php?title=This+is+such+a+great+game%2C+I+can%27t+help+but+love+it%21&author=Load+of+%5B%22%5C%2F%5C%5C+a-z0-9%21%23%A3%24%25%26%27%28%29%2A%2B%2C.%3A%3B%3D%3F%40_%7B%7D%7E-%5D&formats=Gamecube_PC

Leozack

Ok ... on my amtes pc's and on my second PC, it seems if I URL encode even the biggest load of crap :

$author = "Load of [\"\/\\ a-z0-9!#£$%&'()*+,.:;=?@_{}~-]";
$author = urlencode($author);

then use it in a link:

href=urlencode2.php?author=$author

Then URL decode it (which doens't need to be done, it seems to have done t automatically anyway) and more importantly - stripslashes() it, then it is all as planned, and $author once again == "Load of [\"\/\\ a-z0-9!#£$%&'()*+,.:;=?@_{}~-]".

But on my PC? Using urlencode or rawurlencode, if I link like that it blows up that IE window. Crash. Boom. Weee. I hoped urlencoding might be my solution as you say, but, well, now I'm rather stuffed aren't I cos I can't even use it on my development PC O_o I know it is unstable (graphics drivers etc) but I'm delaying a format while I afford an upgraded core (cpu, mobo, ram, graphics card). Besides, php works fine apart from these things, I guess it could just be an IE error on my PC but I dunno what I can do about it, it's not like I don't have the latest version and patches.