Passing strange text as variables via post method in php

Question

I have an odd problem. Our company collects data and we use a HORRIBLE piece of software to handle all of our phone interviewing. It uses binary files instead of SQL and uses no compression. As of right now we have to manually run all reports for the clients. I am working on building a web interface to our data and common reports.

Now I need to pass whats called a "select statement" from the web to the server and I do this with php post method. The problem is that web browsers don't seem to like some of the characters that have to be used in select statements. I have tried encoding them but then the browsers auto uncode them back to plain text when they are hyperlinks.

Here are some example select statements.

[3023.2#1] 
[3023.2$] = "1"
[3023.2<>1]
[500.10$] = "Name"

And the url would look something like

CustomReport.php?type=1&select="[3023.2#1]"

The problem I have is that different select statements break the website depending on quotes used. select=[3023.2<>1] wont work but select="[3023.2<>1]" does. BUT if I do select=[3023.2#1] it will work and using quotes will break it. And when it breaks it neither WebDev toolbar nor FireBug report any errors but its obvious my DIVs are all messed up.

I should also add that nowhere is the select statement displayed on the site, it is only used in php as part of an exec command so I'm really confused as to why this breaks my site.

/Ropes End
//Probably something stupid

Answer 1

And you have tried url-encoding only the select part?

$queryString = 'select=' . urlencode($select);

Answer 2

For each of the parameters, you should use urlencode to escape the characters:

$select = urlencode("[3023.2#1]");

via http://us2.php.net/urlencode

Answer 3

Try using the urlencode/urldecode functions on your select strings. This should encode all the weird characters correctly.

also be careful with the exec command. Its convenient but dangerous.

Answer 4

You could also forgo using POST. Instead, store the statement in a session variable, database, or temp file, then retrieve for processing on the next page.

If you use a database, use a binary type text field with utf8 encoding, which should allow you to handle strange characters.

Answer 5

You want to research rawurlencode and htmlentities. They should help you immensely.

Aside: The note from anonymous to be cautious passing executable commands over urls MUST be heeded. It sounds like your application is not on the public web, but if it is you need to be mindful of the security issues associated with that.

<?php 

$select_statements = array(
    '[3023.2#1]',
    '[3023.2$] = "1"',
    '[3023.2<>1]',
    '[500.10$] = "Name"',
);

foreach ($select_statements as $ss) {
    print htmlentities($ss);
    print "<br>";
    $url = $_SERVER['PHP_SELF'] . "?type=1&amp;select=" . rawurlencode($ss);
    print "<a href=\"{$url}\">{$url}</a>"; 
    print "<br>";
    print "<br>";
}

print htmlentities($_GET['select']);

?>

Results (for me):

[3023.2#1] /CustomReport.php?type=1&select=%5B3023.2%231%5D

[3023.2$] = "1" /CustomReport.php?type=1&select=%5B3023.2%24%5D%20%3D%20%221%22

[3023.2<>1] /CustomReport.php?type=1&select=%5B3023.2%3C%3E1%5D

[500.10$] = "Name" /CustomReport.php?type=1&select=%5B500.10%24%5D%20%3D%20%22Name%22

And if I click on a link I will also see whichever select I put in. Properly put into html entities, of course.

Answer 6

Why are you using the values on the GUI to build your query statement directly? You should have all of these "queries" hiding on the server in a map to sane values and only except the sane values from the web client:

 $queries = Array(
       'meaningfulname1' => '[3023.2#1]',
       'meaningfulname2' => '[3023.2$] = "1"',
       'meaningfulname3' => '[3023.2<>1]',
       'meaningfulname4' => '[500.10$] = "Name"',
 );

Then your URL is simply

 CustomReport.php?type=1&select=meaningfulname1

Now you can easily translate "meaningfulname1" into the proper code sequence needed by your software and you aren't exposing the backend craziness to the browser. This also means if you somehow fix your backend to use some other query language (like SQL) you don't need to recode the GUI layer. It still requests meaningfulname1.