views: 57

answers: 3

Hi, I've got an issue whereby PHP is escaping where I really don't want it to in this code:

        $url_ = stripslashes(((substr(strtolower($url),0,7)!="http://")? "http://".$url:$url));
        $host = $this->googleDomains[mt_rand(0,count($this->googleDomains)-1)];
        $target = "/search?";
        $querystring = sprintf("client=navclient-auto&ch=%s&features=Rank&q=%s",
            $this->CheckHash($this->HashURL($url_)),urlencode("info:".$url_));
        $contents="";

        $this->debugRes("host", $host);
        $this->debugRes("query_string", $querystring);
        $this->debugRes("user_agent", $this->userAgent);

thus producing a URL like this which causes the script to fail:

    {"urls":[{"url":"hostcule.com","converted_url":"http:\/\/toolbarqueries.google.com\/search??client=navclient-auto&ch=74451333464&features=Rank&q=info%3Ahttp%3A%2F%2Fhostcule.com"}]}

How do I stop it?

Magic Quotes are Off.

Here's where the $url comes from:

    foreach (preg_split('#[\r\n]+#', $_POST['urls']) as $url) {
        $url = trim($url);
        if ($url)
            $_SESSION['converted_urls'][] = array('url' => $url, 'converted_url' => $pr->GetPR($url, true, true));
    }

At this stage, $_POST['urls'] looks like:

    {"urls":[{"url":"hostcule.com","converted_url":"http:\/\/www.google.com\/search??client=navclient-auto&ch=74451333464&features=Rank&q=info%3Ahttp%3A%2F%2Fhostcule.com"}]}

whilst $url looks like

    {"urls":[{"url":"hostcule.com","converted_url":"http:\/\/www.google.com\/search??client=navclient-auto&ch=74451333464&features=Rank&q=info%3Ahttp%3A%2F%2Fhostcule.com"}]}

+2  A: 

There is nothing in that code that would produce the code you quote.

My suspicion is that $url already contains the garbled http\/\/, and therefore your http:// recognizing mechanism never triggers.

You need to step back and look where $url comes from. There is where your problem will be.

Pekka
would preg_split('#[\r\n]+#', $_POST['urls']) trip it? Yes it would? but then why?
Shamil
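
The situation this answer suspects, as an added example that is not part of the original thread: it assumes the JSON in the question was produced by json_encode(), which writes "/" as "\/" by default, and it uses a hypothetical normalize_url() helper with constructed sample input. It shows that the escaped form decodes back to the same URL, and that validating each posted line stops an encoded blob from being prefixed with http:// and sent on.

```php
<?php
// Added example: normalize_url() and all sample values are constructed for illustration.

// Add a scheme when one is missing, then accept only well-formed http(s) URLs
// whose host consists of plain hostname characters.
function normalize_url(string $line): ?string
{
    $line = trim($line);
    if ($line === '') {
        return null;
    }
    if (!preg_match('#^https?://#i', $line)) {
        $line = 'http://' . $line;
    }
    if (filter_var($line, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $host = parse_url($line, PHP_URL_HOST);
    return (is_string($host) && preg_match('/^[a-z0-9.-]+$/i', $host)) ? $line : null;
}

// Assumption: the output in the question came from json_encode(), which by
// default writes "/" as "\/". That is a valid JSON escape, not a changed value.
$converted = 'http://toolbarqueries.google.com/search?client=navclient-auto';
$encoded   = json_encode(['converted_url' => $converted]);
$decoded   = json_decode($encoded, true);

echo $encoded, PHP_EOL;
echo json_encode(['converted_url' => $converted], JSON_UNESCAPED_SLASHES), PHP_EOL;
var_dump($decoded['converted_url'] === $converted);

// Constructed form body: two real URL lines, then the encoded JSON posted back
// by mistake, which is the situation the answer suspects.
$posted = "hostcule.com\r\nhttp://hostcule.com\r\n" . $encoded;

foreach (preg_split('#[\r\n]+#', $posted) as $line) {
    $url = normalize_url($line);
    if ($url === null) {
        // Log and skip input that is not a URL instead of prefixing and sending it.
        error_log('rejected URL input: ' . substr($line, 0, 60));
        continue;
    }
    echo $url, PHP_EOL;
}
```

The default slash escaping is what keeps a `</script>` sequence inside an encoded string from closing an inline script block, so use JSON_UNESCAPED_SLASHES only where the JSON is not embedded in HTML.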
+1  A: 

The code you have there doesn't do any escaping at all. You'll need to post what you do to that $url_ after this line.

mattbasta
A: 

use ' instead of "

jpabluz
This won't make the slightest difference.
Yacoby