panique / mini

Just an extremely simple naked PHP application, useful for small projects and quick prototypes. Some might call it a micro framework :)

[NEEDS REPRODUCING] function splitURL does not preserve spaces that are url encoded #210

Closed ynohtna92 closed 7 years ago

ynohtna92 commented 8 years ago

On https://github.com/panique/mini/blob/master/application/core/application.php#L72 this method is causing spaces that are encoded (%20) to be removed from the url. (No%20Space would become NoSpace)

I have fixed it by replacing L72 with $url = str_replace('\/', ' ', filter_var(str_replace(' ', '\/', $url), FILTER_SANITIZE_URL)); however, there is probably a better way to do this.

panique commented 8 years ago

thanks, I'll add this to the project soon

panique commented 8 years ago

Sorry, I cannot reproduce this. Please have a look at this code, which is basically a copy of the above part of the application.php file; it gives back the string including the %20, exactly like it should...

// sample URL with an encoded space (%20) in the query string
$url = 'http://www.example.com/index.php?a=1&b=2&c=3&d=some%20string';

// same two steps as in application.php: strip surrounding slashes, then sanitize
$url = trim($url, '/');
$url = filter_var($url, FILTER_SANITIZE_URL);

var_dump($url);

and try this out here live: http://sandbox.onlinephpfunctions.com/code/670f22f6c2016fddd240144a6746dc542189a300

Please correct me if I'm overlooking something here...

ynohtna92 commented 8 years ago

Ok so I tested it out again and there seems to be some inconsistencies between what apache/php dumps for me. Code:

$url = trim($_GET['url'], '/');
var_dump($url);
$url = filter_var($url, FILTER_SANITIZE_URL);
$url = explode('/', $url);
var_dump($url);

Output:

string 'search/d dfd' (length=12)
array (size=2)
  0 => string 'search' (length=6)
  1 => string 'ddfd' (length=4)

It seems to get the url from $_GET['url'] with the url already encoded and so it shows as ' ' instead of '%20' like you posted.

panique commented 8 years ago

The code you posted is totally different from the code inside MINI!

ynohtna92 commented 8 years ago

Ignore that 3rd line; it has been commented out. It follows MINI exactly, minus the var_dump lines.

panique commented 8 years ago

Sorry, I still don't get it! :) %20 is not filtered out; you can test this out by clicking the link above, and it will give you any given URL WITH %20 still intact. Stuff like real empty spaces, like in ?yo=123 456, is for sure filtered out, as domains never have spaces inside!

Please correct me if I'm wrong here, but you said %20 is filtered out, and that's definitely not happening. I'm trying it out right now and it works exactly like it should!

ynohtna92 commented 8 years ago

Ok, so I think we are being confused here. In that test php script you wrote in the %20; however, with apache and the variable $_GET['url'] it will return a string without the %20 and a ' ' instead (since 'url' comes already decoded). So your script may still be wrong and missing a line to re-encode the url with %xx so that the spaces are not forgotten. Does that make sense?
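The difference described in this comment, as an added PHP example (not MINI's own code): the same FILTER_SANITIZE_URL call keeps a %20 in a still-encoded string but strips the literal space from the decoded value that lands in $_GET['url']. The input string, the function name splitUrlPreservingSpaces and the re-encoding approach are assumptions of this example, not code from the project.

```php
<?php
// Constructed input: the path segment a browser requests as /search/No%20Space.
$raw = 'search/No%20Space';

// By the time the value reaches $_GET['url'] it has already been decoded,
// so the controller code only ever sees a literal space, never the %20.
$decoded = urldecode($raw);

// The sandbox test from the thread: filtering the still-encoded string
// keeps the %20, because '%' is an allowed URL character.
$kept = filter_var($raw, FILTER_SANITIZE_URL);

// The real-world case: filtering the decoded value drops the space,
// because a bare space is not an allowed URL character.
$lost = filter_var($decoded, FILTER_SANITIZE_URL);

// One way to keep the spaces (assumption, not MINI's fix): re-encode each
// path segment before sanitising, then decode it again afterwards.
function splitUrlPreservingSpaces(string $url): array
{
    $url = trim($url, '/');
    $segments = explode('/', $url);
    foreach ($segments as &$segment) {
        $segment = rawurlencode($segment);                 // ' ' becomes %20
        $segment = filter_var($segment, FILTER_SANITIZE_URL);
        $segment = rawurldecode($segment);                 // back to a real space
    }
    unset($segment);

    // Re-encoding means the filter no longer removes anything, so the
    // controller and action names must still be checked against a strict
    // allowed pattern before they are turned into class or method names.
    foreach (array_slice($segments, 0, 2) as $name) {
        if ($name !== '' && !preg_match('/^[A-Za-z0-9_]+$/', $name)) {
            throw new InvalidArgumentException("Invalid route segment: $name");
        }
    }
    return $segments;
}

var_dump($kept);                              // %20 survives
var_dump($lost);                              // space was stripped
var_dump(splitUrlPreservingSpaces($decoded)); // second segment keeps its space
```

Running it with a route such as 'search/No Space' shows the second segment intact, while the first two segments are still restricted to characters that can safely name a controller and an action.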

panique commented 8 years ago

I've tried this with a normal installation (via auto-installation script) and it works perfectly in a standard apache setup. Sorry, I really cannot reproduce... Do you have any special settings on your apache?

ynohtna92 commented 8 years ago

I am using standard settings. It seems unlikely that it would be working for you, as $_GET['url'] is decoded, so you should have the same issues. Can you do a print out of $_GET['url'] when you have a url with %20 in it?

panique commented 8 years ago

No sorry, please install the official version with the official autoinstaller and you'll get exactly what's described above! Also have a look at the code example (http://sandbox.onlinephpfunctions.com/code/670f22f6c2016fddd240144a6746dc542189a300), which shows exactly what's happening inside the application (but uses a string instead of $_GET, for sure). If your GET parameter already HAS a space inside (not a %20, a real space), then the get parameter is broken, as spaces are not allowed inside; then you'll have to correct the url creation (wherever this url is created) in your application...