
Why doesn't nbsp display as nbsp in the URL

I am following a tutorial where a web application written in PHP blacklists spaces from the input (the 'id' parameter). The task is to add other characters which essentially bypass this blacklist but still get interpreted by the MySQL database in the back end. What works is a URL constructed like so - http://192.168.2.15/sqli-labs/Less-26/?id=1'%A0||%A0'1

Now, my question is simply that if '%A0' indicates an NBSP, then why is it that when I go to a site like http://www.url-encode-decode.com and try to decode the URL http://192.168.2.15/sqli-labs/Less-26/?id=1'%A0||%A0'1, it gets decoded as http://192.168.2.15/sqli-labs/Less-26/?id=1' || '1.

Instead of the question mark inside a black box, I was expecting to see a blank space.

I suspect that this is due to differences between character encodings.

The value A0 represents nbsp in the ISO-8859-1 encoding (and probably in other extended-ASCII encodings too). The page at http://www.url-encode-decode.com appears to use the UTF-8 encoding.

Your problem is that there is no character represented by A0 in UTF-8. The equivalent nbsp character in UTF-8 would be represented by the value C2A0.

Decoding http://192.168.2.15/sqli-labs/Less-26/?id=1'%C2%A0||%C2%A0'1 will produce the nbsp characters that you expected.
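The difference described in the answer above, as an added Python example that is not part of the original answers: the same query value is percent-decoded to bytes, then read as ISO-8859-1 and as UTF-8. The function names, the digits-only allowlist for `id` and its length limit are assumptions made for illustration.

```python
from urllib.parse import unquote_to_bytes


def decode_views(component: str) -> dict:
    """Percent-decode one URL component and interpret the bytes two ways."""
    raw = unquote_to_bytes(component)
    try:
        raw.decode("utf-8")  # strict decoding raises on malformed sequences
        valid_utf8 = True
    except UnicodeDecodeError:
        valid_utf8 = False
    return {
        "raw": raw,
        # ISO-8859-1 maps every byte to a character; 0xA0 is NBSP (U+00A0).
        "latin1": raw.decode("iso-8859-1"),
        # A lenient UTF-8 decoder turns the lone byte 0xA0 into U+FFFD,
        # the "question mark in a black box".
        "utf8": raw.decode("utf-8", errors="replace"),
        "valid_utf8": valid_utf8,
        # A filter that only looks for the ASCII space (0x20) sees nothing here.
        "has_ascii_space": b" " in raw,
    }


def is_plain_integer_id(component: str) -> bool:
    """Allowlist check (assumed policy): 1 to 10 ASCII digits after decoding."""
    raw = unquote_to_bytes(component)
    return 0 < len(raw) <= 10 and all(0x30 <= b <= 0x39 for b in raw)


# The two query values quoted in the thread.
SINGLE_BYTE = "1'%A0||%A0'1"
TWO_BYTE = "1'%C2%A0||%C2%A0'1"

if __name__ == "__main__":
    for value in (SINGLE_BYTE, TWO_BYTE):
        view = decode_views(value)
        print(value, view["raw"], repr(view["latin1"]),
              repr(view["utf8"]), view["valid_utf8"])
    print(is_plain_integer_id(SINGLE_BYTE), is_plain_integer_id("1"))
```

Validating the decoded bytes against what the parameter is allowed to contain rejects both forms, regardless of which encoding a later layer assumes.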

Independently from why there is an encoding error, try %20 as a replacement for a whitespace! Later on you can str_replace the whitespace with a

echo str_replace(" ", " ", $_GET["id"]);

Maybe the script on this site does not work properly. If you use it in your PHP code it should work properly.

echo urldecode( '%A0' );

outputs:

 
