08-24-2008
Shell script is kind of brittle when it comes to proper quoting of user-specified arguments etc., so you need to be really careful here. Perhaps wrapping the call in PHP is not such a bad idea (although PHP too has a bit of a track record when it comes to security problems .... /me ducks) and make really really sure you use proper quoting everywhere in the script and in everything which invokes it. And keep in mind that security checks in JavaScript are ineffective; somebody could simply be connecting directly to the CGI script, without going through your form (or with JavaScript disabled).
As such, it's not very hard to split on & with IFS='&'.
IFS=& query_string - Google Search brings up some matches but I would regard all of them with extreme suspicion. If you see a variable interpolation without double quotes around it, run away.
Last edited by era; 08-24-2008 at 02:13 PM..
Reason: Note that JavaScript input checking is ineffective
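As an added example (not part of the original post), here is one way to split a CGI query string on `&` with `IFS` while keeping every other expansion quoted and avoiding `eval`. The function names are hypothetical, and the example assumes acceptable values are plain tokens, so anything percent-encoded is rejected rather than decoded.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names are hypothetical.
LC_ALL=C; export LC_ALL   # make [A-Za-z0-9] mean ASCII only

# get_param NAME QUERY: print the raw value of the first NAME=value pair.
# The body runs in a subshell, so IFS and set -f do not leak to the caller.
get_param() (
    want=$1
    set -f          # no globbing: a literal * in the query must not become file names
    IFS='&'
    set -- $2       # the one deliberately unquoted expansion: split on & only
    for pair in "$@"; do
        case $pair in
            "$want="*) printf '%s\n' "${pair#*=}"; exit 0 ;;
        esac
    done
    exit 1
)

# is_safe_token VALUE: allowlist check; anything else (including % and +) fails.
is_safe_token() {
    case $1 in
        '' | *[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    return 0
}

# safe_param NAME QUERY: 0 and the value if acceptable, 1 if absent, 2 if rejected.
safe_param() {
    value=$(get_param "$1" "$2") || return 1
    is_safe_token "$value" || return 2
    printf '%s\n' "$value"
}

# Constructed sample; a real CGI script would pass "$QUERY_STRING" instead.
sample='host=web01&count=3&file=*&cmd=x;id'
for name in host count file cmd nosuch; do
    if v=$(safe_param "$name" "$sample"); then
        printf '%s accepted: %s\n' "$name" "$v"
    else
        printf '%s missing or rejected\n' "$name"
    fi
done
```

The value is only ever used inside double quotes, and the script never builds a command line from it without the allowlist check passing first.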
LEARN ABOUT PHP
urlencode
URLENCODE(3) 1 URLENCODE(3)
urlencode - URL-encodes string
SYNOPSIS
string urlencode (string $str)
DESCRIPTION
This function is convenient when encoding a string to be used in a query part of a URL, as a convenient way to pass variables to the next
page.
PARAMETERS
o $str
- The string to be encoded.
RETURN VALUES
Returns a string in which all non-alphanumeric characters except -_. have been replaced with a percent (%) sign followed by two hex digits
and spaces encoded as plus (+) signs. It is encoded the same way that the posted data from a WWW form is encoded, that is the same way
as in application/x-www-form-urlencoded media type. This differs from the RFC 3986 encoding (see rawurlencode(3)) in that for historical
reasons, spaces are encoded as plus (+) signs.
EXAMPLES
Example #1
urlencode(3) example
<?php
echo '<a href="mycgi?foo=', urlencode($userinput), '">';
?>
Example #2
urlencode(3) and htmlentities(3) example
<?php
$query_string = 'foo=' . urlencode($foo) . '&bar=' . urlencode($bar);
echo '<a href="mycgi?' . htmlentities($query_string) . '">';
?>
NOTES
Note
Be careful about variables that may match HTML entities. Things like &amp, &copy and &pound are parsed by the browser and the
actual entity is used instead of the desired variable name. This is an obvious hassle that the W3C has been telling people about for
years. The reference is here: http://www.w3.org/TR/html4/appendix/notes.html#h-B.2.2.
PHP supports changing the argument separator to the W3C-suggested semi-colon through the arg_separator .ini directive. Unfortunately
most user agents do not send form data in this semi-colon separated format. A more portable way around this is to use &amp;
instead of & as the separator. You don't need to change PHP's arg_separator for this. Leave it as &, but simply encode your URLs
using htmlentities(3) or htmlspecialchars(3).
SEE ALSO
urldecode(3), htmlentities(3), rawurlencode(3), rawurldecode(3), RFC 3986.
PHP Documentation Group URLENCODE(3)