PHP escape quotes and urlencode for facebook sharer link - url-encoding

I use Facebook sharer links on my website to publish articles on Facebook.
For some links it works and for others, it doesn't.
The titles and texts that are passed through the links are in French (lots of quotes and special chars) and the page treating the link is in UTF8.
I managed to succeed in making all the FB links work, simply by using "mysql_real_escape_string" before I urlencode the content and create a link out of it.
Why "mysql_real_escape_string"?
It was a test because "htmlentities", "htmlspecialchars" and "addslashes" never worked.
The obvious downside is that the "mysql_real_escape_string" function has nothing to do there because it's just not related to the database.
And indeed, I get an error message telling me that this function "is denied for the user...".
Anyway, I don't plan to use this function but what's weird is that it makes the Facebook sharer link work 100% of the time while "addslashes" doesn't.
I thought that addslashes was the pure PHP version of "mysql_real_escape_string" but there is something different about it, otherwise, it should work just the same but it doesn't.
Any pure PHP replacement solution to my problem?

The url encode is based on the RFC 1738 standard. The current standard for url encoding has changed to RFC 3986. The function you want is rawurlencode($string); or write a function yourself. The characters you want to replace are:
'!', '*', "'", "(", ")", ";", ":", "#", "&", "=", "+", "$", ",", "/", "?", "%", "#", "[", "]"

Related

Apostrophe (valid char) is percent-encoded - but only sometimes

Try to use Google to find Wikipedia article about De Morgan's laws.
Click the link, and see the URL. At least in Chrome, it will be
https://en.wikipedia.org/wiki/De_Morgan%27s_laws
' is percent-encoded as %27, despite being a valid URL character (and even more, if you manually change it in the address bar from %27 to ', it will work). Why?
While the apostrophe may be a valid char, the URL-encoded version is also equally valid!
Not sure if there is a hard reason, so this is kinda "soft" answer: Apostrophe (and/or double quote) needs to be escaped somehow if the URL is ever put into for example JSON or XML. URL encoding them as part of sanitizing URLs solves this one way, and protects against poor JSON/XML handling and programmer errors. It's just pragmatic.
Decoding these certain valid chars in HTTP responses' headers etc (so browser shows them "right") should be possible and maybe nice, but extra work and code. Note that there are also chars where decoding would not be ok, so this would have to be selective! So at least in this case it just wasn't done I guess. So if a char gets URL-encoded at any step of the whole page loading operation chain, they stay that way.

How to rewrite URLs split by hyphens?

I am getting confused while writing URLs with hyphens. It is conflicting with GET parameters.
For instance, I have a long book name in URL, with spaces replaced by hyphens, like the-famous-world-records-of-athletics. After this I am getting error in pagination also separated with hyphens.
Please suggest how I can write URLs in given stage:
example.com/vc.php?book=the-famous-world-records-of-athletics
example.com/vc.php?book=the-famous-world-records-of-athletics&page=1
example.com/vc.php?book=the-famous-world-records-of-athleticstopic=jumping-and-racing&page=2
Wishing to write as:
example.com/the-famous-world-records-of-athletics.html
example.com/the-famous-world-records-of-athletics-1.html
example.com/the-famous-world-records-of-athletics-jumping-and-racing-2.html
A minus is perfectly valid in a URL, it is a so-called 'unreserved' character.
https://en.wikipedia.org/wiki/Percent-encoding
If you really need to replace them, I'd replace them with %2D, just like you would replace a space with %20.

url escaping in ruby

There are many discussions about URL escaping in Ruby, but unfortunately I didn't find an appropriate solution.
In general, URI.escape should do the job, but looks like it doesn't support all characters, for example it doesn't escape "[".
URI.parse(URI.escape("1111{3333"))
works well.
URI.parse(URI.escape("1111[3333"))
raises an exception.
I understand that "[" is not an eligible character in URL according to RFC, but when I enter it into the browser it takes it, and renders the page, so I need exactly the same behavior.
Do you know any ready solution for escaping in Ruby?
I typically use
CGI.escape
to escape URI parameters.
require 'cgi'
CGI.escape('1111[3333')
=> "1111%5B3333"
The character [ is a uri delimiter character and does not require escaping.
http://www.ietf.org/rfc/rfc2396.txt
section 2.4.3. Excluded US-ASCII Characters
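
An added example, not code from any of the posts above: the "write a function yourself" option from the rawurlencode answer and the "[" case from the Ruby question, done as one RFC 3986 component encoder and compared with form encoding. The endpoint `share.example` and the parameter names `u` and `t` are placeholders assumed for illustration.

```ruby
require 'uri'

# RFC 3986 component encoding: keep only the unreserved set
# (ALPHA / DIGIT / "-" / "." / "_" / "~") and percent-encode every other byte.
# Working on bytes means UTF-8 text is encoded as its byte sequence.
def rfc3986_encode(value)
  encoded = value.to_s.b.gsub(/[^A-Za-z0-9\-._~]/) do |byte|
    format('%%%02X', byte.ord)
  end
  encoded.force_encoding('UTF-8')
end

# Form encoding (application/x-www-form-urlencoded) for comparison:
# space becomes "+", "*" is left alone and "~" is encoded.
def form_encode(value)
  URI.encode_www_form_component(value)
end

# Placeholder endpoint and parameter names (assumptions, not a real API).
SHARER_ENDPOINT = 'https://share.example/sharer.php'

# Each value is encoded on its own, then placed in the query string.
# No SQL or HTML escaping is involved: the only context here is a URL.
def share_link(page_url, title)
  "#{SHARER_ENDPOINT}?u=#{rfc3986_encode(page_url)}&t=#{rfc3986_encode(title)}"
end

if __FILE__ == $PROGRAM_NAME
  title = "L'été \"chaud\""            # constructed sample title
  puts rfc3986_encode(title)
  puts form_encode(title)
  puts rfc3986_encode('1111[3333')
  puts share_link('https://example.org/article?id=7', title)
end
```
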

slashes in url variables

I have set up my coldfusion application to have dynamic urls on the page, such as
www.musicExplained/index.cfm/artist/:VariableName
However my variable names will sometimes contain slashes, such as
www.musicExplained/index.cfm/artist/GZA/Genius
This is causing a problem, because my application presumes that the slash in the variable name represents a different section of the website, the artist's albums. So the URL will fail.
I am wondering if there is any way to prevent this from happening? Do I need to use a function that replaces slashes in the variable names with another character?
You need to escape the slashes as %2F.
You could easily replace the forward slashes / with something like an underscore _ such as Wikipedia uses for spaces. Replacing special characters with underscores, etc., is common practice.
You need to escape those but don't just replace it by %2F manually. You can use URLEncoder for this.
Eg URLEncoder.encode(url, "UTF-8")
Then you can say
yourUrl = "www.musicExplained/index.cfm/artist/" + URLEncoder.encode(VariableName, "UTF-8")
Check out this w3schools page about "HTML URL Encoding Reference":
https://www.w3schools.com/tags/ref_urlencode.asp
for / you would escape with %2F
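
An added example, not code from the posts above: encoding the artist name as a single path segment, and a router that splits the raw path before decoding so `%2F` stays inside the value. The `route` helpers are hypothetical and take the part of the path that follows `index.cfm`.

```ruby
# Percent-encode one path segment (everything except RFC 3986 unreserved).
def encode_segment(value)
  value.b.gsub(/[^A-Za-z0-9\-._~]/) { |b| format('%%%02X', b.ord) }
       .force_encoding('UTF-8')
end

# Decode %XX sequences back to bytes and relabel the result as UTF-8.
def decode_segment(segment)
  segment.b.gsub(/%([0-9A-Fa-f]{2})/) { Regexp.last_match(1).hex.chr }
         .force_encoding('UTF-8')
end

# Link builder: the variable is encoded before it is joined to the path.
def artist_path(name)
  "/artist/#{encode_segment(name)}"
end

# Hypothetical router, correct order: split on literal "/" first,
# then decode each segment. An encoded slash cannot add a segment.
def route(raw_path)
  section, *params = raw_path.split('/').reject(&:empty?)
                             .map { |s| decode_segment(s) }
  { section: section, params: params }
end

# Wrong order, shown for contrast: decoding the whole path first turns
# %2F back into a separator and the name is split in two again.
def route_decode_first(raw_path)
  section, *params = decode_segment(raw_path).split('/').reject(&:empty?)
  { section: section, params: params }
end

if __FILE__ == $PROGRAM_NAME
  path = artist_path('GZA/Genius')      # constructed sample from the question
  puts path
  p route(path)
  p route_decode_first(path)
end
```

Some servers and proxies decode or reject `%2F` in the path before the application sees it (Apache httpd does unless `AllowEncodedSlashes` is changed), so check what actually reaches the router.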

Bad request 400 for HttpUtility.UrlEncoded URL segments

So, if there are url encoded segments in my app's MVC url, IIS throws a BAD REQUEST 400.
e.g.
http://u.lasoo.com.au/Offer/*9289--750W-Generic-ATX12V-Power-Supply-%252449dot99/6355
<--- the '*' and '%' are causing this error.
Notice that http://u.lasoo.com.au/Offer/The-Giant-Good-As-Gone-7-Day-Sale/6354 works fine.
What's the correct way to convert an arbitrary string into an accepted MVC URL segment?
UPDATE: the URL segment should resemble the original string. Base64 encoding completely transformed the string.
Instead of passing the info in the url you can pass it as a get parameter. Like this:
http://u.lasoo.com.au/Offer/?id=*9289--750W-Generic-ATX12V-Power-Supply-%252449dot99/6355
Have you tried UrlEncode? MSDN
Try a string replace to strip out or substitute symbols ":", "%", "*", "/" - any symbols illegal within a folder name. They seem to screw up everything royally and appear to be a design weakness of the URL routing system.
