0

I'm developing an app using React Native; my job is to make this app register a new record in my database, which is located on my server. For this I have a file on my FTP (register.php) used to register a record in my database.

This is the php code:

<?php
ini_set('memory_limit', '512M');

header("Content-Type: text/html; charset=UTF-8", true);

// PHP has already URL-decoded these values once while filling $_GET.
$user_id = isset($_GET['user_id']) ? $_GET['user_id'] : '';
$url     = isset($_GET['url']) ? $_GET['url'] : '';

// The fourth argument selects the database, so a separate mysqli_select_db() is not needed.
// Without "or die" here, the connection check below is actually reachable.
$db = mysqli_connect('mysql.urlAdress.com.br', 'dbName', 'password', 'dbName');

if (!$db) {
    echo '[{"erro": "Error trying to connect to the database"}]';
} else {
    // Prepared statement: the values are bound as parameters, not concatenated into the SQL.
    $stmt = mysqli_prepare($db, "INSERT INTO profile (user_id, url) VALUES (?, ?)");
    if ($stmt) {
        mysqli_stmt_bind_param($stmt, 'ss', $user_id, $url);
        mysqli_stmt_execute($stmt);
        mysqli_stmt_close($stmt);
    }
    mysqli_close($db);
}
?>

I just have to access a link like this, passing some information: http://www.mysite.com.br/app/ws/register.php?user_id=MyName&url=http:://urlHere.com

The problem is: PHP always replaces characters like "%2F" with "/" and "%20" with a space. And then, when I bring the URL back into my app, I can't download the content of the URL because it's "corrupted" by PHP. How can I fix this?

PS: In my database the field that receives the URL from PHP is a Varchar of length 300.

Diego Bittencourt
  • 595
  • 10
  • 28
  • 5
    [Little Bobby](http://bobby-tables.com/) says ***[your script is at risk for SQL Injection Attacks.](http://stackoverflow.com/questions/60174/how-can-i-prevent-sql-injection-in-php)*** Learn about [prepared](http://en.wikipedia.org/wiki/Prepared_statement) statements for [MySQLi](http://php.net/manual/en/mysqli.quickstart.prepared-statements.php). Even [escaping the string](http://stackoverflow.com/questions/5741187/sql-injection-that-gets-around-mysql-real-escape-string) is not safe! – Jay Blanchard Jan 18 '18 at 17:10
  • 3
    `urlencode()` should be the solution. – Jay Blanchard Jan 18 '18 at 17:11
  • 1
    http://php.net/manual/en/function.urlencode.php – Alex Jan 18 '18 at 17:12
  • 1
    Note: The object-oriented interface to `mysqli` is significantly less verbose, making code easier to read and audit, and is not easily confused with the obsolete `mysql_query` interface. Before you get too invested in the procedural style it's worth switching over. Example: `$db = new mysqli(…)` and `$db->prepare("…")`. The procedural interface is an artifact from the PHP 4 era when the `mysqli` API was introduced and should not be used in new code. – tadman Jan 18 '18 at 17:42
  • That `ini_set` call looks completely out of place as well. Either edit your INI or figure out why that's strictly necessary. – tadman Jan 18 '18 at 17:42

2 Answers

1

You shouldn't have to decode your URL if it was properly encoded in the first place. My guess is you just smash it into your query string with concatenation in JavaScript. This is wrong.

Two things can fix this. The first is using POST to send your data so that the URL can be of arbitrary length. The second is to let your JavaScript library do the encoding properly, pass it in as a distinct parameter. For example, in jQuery you can do:

$.ajax({
  url: '/register.php',
  method: 'post',
  data: {
    'url': 'http://...',
    'user_id': user_id
  }
});

That takes care of properly encoding any variables. A regular form submission will also do this if you're not making AJAX-style calls.

tadman
  • 208,517
  • 23
  • 234
  • 262
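To make the point of this answer concrete, here is an added example (not code from the question or the answers) that models what happens to a URL containing percent-escapes when it is concatenated into the query string as-is versus encoded as a parameter value, with a small imitation of the single urldecode() PHP applies to each $_GET value. The parameter names and register.php come from the question; the sample download URL is constructed.

```javascript
// Constructed sample: a download URL whose path already contains escaped "/" and " ".
const DOWNLOAD_URL = 'http://files.example.com/a%2Fb/file%20name.pdf';

// Naive construction from the question: the value is concatenated unencoded.
function naiveQuery(userId, url) {
  return '/register.php?user_id=' + userId + '&url=' + url;
}

// Correct construction: every value is encoded as a form field, which is what
// jQuery's `data:` option, a regular form submission, or URLSearchParams does.
// The "%" in "%2F" becomes "%25", so the escape survives one round of decoding.
function encodedQuery(userId, url) {
  const params = new URLSearchParams({ user_id: userId, url });
  return '/register.php?' + params.toString();
}

// Model of what PHP does once per $_GET value: split the query string, then
// urldecode() each part ("+" becomes a space, each %XX becomes a character).
function phpGet(query) {
  const out = {};
  const qs = query.slice(query.indexOf('?') + 1);
  for (const pair of qs.split('&')) {
    const [k, v = ''] = pair.split('=');
    out[decodeURIComponent(k)] = decodeURIComponent(v.replace(/\+/g, ' '));
  }
  return out;
}

// Round-trips the URL through both constructions and returns what the server sees.
function compare(userId, url) {
  return {
    naive: phpGet(naiveQuery(userId, url)).url,     // "%2F" and "%20" are gone
    encoded: phpGet(encodedQuery(userId, url)).url, // identical to the input
  };
}

console.log(compare('MyName', DOWNLOAD_URL));
```

The same single decode happens server-side whether the data is sent by GET or POST; the difference is only that a POST body is not subject to URL length limits.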
0

That's because PHP automatically decodes a URL, including its parameters. You can use urlencode() on your URL GET parameter to get the encoded version of your URL. http://php.net/manual/en/function.urlencode.php

Niels
  • 646
  • 3
  • 13