1

When submitting a form using the GET method, if we pass a # character in any field, it skips all parameters after that field.

e.g.

```
bookmy_car.php?pod=6&room_id=32&starthour=14&startminute=00&startday=07&startmonth=08&startyear=2015&endhour=16&endminute=00&endday=07&endmonth=08&endyear=2015&end_date=1438927200&email_conf=1&cost_code=&desc=Trip description&trip_comment=#&day_rate=68.00&hourly_rate=6.60&hourly_km_rate=0.35&dur_hours=2 hours&location_charge=0.00&damage_cover_charge=5.00&total_free_kms=&longterm=0&rt=&minbooking=3600&returl=&returl_newid=&rep_id=&edit_type=&insPlanid=3&plan_name=goOccasional&id=3&driver_username_id=2&
```

How do we protect it? I tried the escape() and encodeURI() functions of JavaScript; it does not help.

rtruszk
Amit Shah
  • http://stackoverflow.com/questions/940905/can-i-read-the-hash-portion-of-the-url-on-my-server-side-application-php-ruby – apoq Aug 07 '15 at 05:29
  • I don't think that you can solve this problem due to the fact, that the browser won't send it to the server... But here is a related post: http://stackoverflow.com/questions/8033537/getting-hash-parameters-from-request-url – bloC Aug 07 '15 at 05:30
  • possible duplicate of [PHP - get value from URL after # sign](http://stackoverflow.com/questions/2317508/php-get-value-from-url-after-sign) – Snickbrack Aug 07 '15 at 07:55

2 Answers

1

It happens because, with a hashbang in the query string, # is interpreted as location.hash and not processed as GET parameters. You need to properly encode the URI before you use it. For example, with encodeURIComponent:

```
alert( encodeURIComponent('trip_comment=#') )
```
dfsq
  • It does not solve it; I already tried it earlier. Do one thing: create a PHP page, do print_r($_GET) of the URL which I mentioned, and see. – Amit Shah Aug 07 '15 at 07:02
  • You need to encode GET parameters. So `trip_comment=#` becomes `trip_comment%3D%23`. You should encode every parameter ideally. Not sure how you are constructing the URL, but you should use proper methods. There are some in both JS and PHP. – dfsq Aug 07 '15 at 07:49
1

I agree with @dfsq. But I prefer using only encodeURI so that he can get the URI as it is in the next page.

```
alert( encodeURI('&trip_comment=#&day_rate=68.00') )
```
sanjeev shetty
  • It does not solve it; I already tried it earlier. Do one thing: create a PHP page, do print_r($_GET) of the URL which I mentioned, and see. – Amit Shah Aug 07 '15 at 07:02
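
The difference between the approaches discussed in this thread, as an added example that is not code from the question or from either answer: it builds the same query four ways and parses each URL the way a server would receive it, with the fragment never sent. The host `example.test`, the shortened field list and all function names are constructed for illustration.

```javascript
// Constructed sample fields, modelled on the question's URL (shortened).
const fields = [
  ['desc', 'Trip description'],
  ['trip_comment', '#'],
  ['day_rate', '68.00'],
  ['id', '3'],
];
const BASE = 'http://example.test/bookmy_car.php'; // placeholder host

// What the server receives: path + query only; the fragment stays in the browser.
function serverSees(url) {
  const u = new URL(url);
  return { params: Object.fromEntries(u.searchParams), fragment: u.hash };
}

// 1. Raw concatenation: '#' starts the fragment, so later fields are lost.
function buildRaw(pairs) {
  return BASE + '?' + pairs.map(([k, v]) => k + '=' + v).join('&');
}

// 2. encodeURI over the whole string: '#' is reserved and left untouched.
function buildEncodeURI(pairs) {
  return encodeURI(buildRaw(pairs));
}

// 3. encodeURIComponent on each name and value separately, so '=' and '&'
//    keep their delimiter role while '#' inside a value becomes %23.
function buildPerComponent(pairs) {
  return BASE + '?' + pairs
    .map(([k, v]) => encodeURIComponent(k) + '=' + encodeURIComponent(v))
    .join('&');
}

// 4. URLSearchParams applies per-pair encoding itself (spaces become '+').
function buildSearchParams(pairs) {
  return BASE + '?' + new URLSearchParams(pairs).toString();
}

for (const build of [buildRaw, buildEncodeURI, buildPerComponent, buildSearchParams]) {
  console.log(build.name, JSON.stringify(serverSees(build(fields))));
}
```
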