what is correct approach to manipulate/work with URL parameters?

[Jimmi08]

Hi,
I was able to find this example

			parse_str(str_replace('&', '&', e_QUERY), $query); //FIXME - FIX THIS
			$query['action'] = 'edit';
			$query['id'] = $id;
			$query = http_build_query($query, '', '&');

SEF URLs are not used

I need to get URL parameters ($_GET), create an array with safe keys and values (probably toDB() or Filter()) should be used) , then manipulate with this array and create a new URL with http_build_query();

So is it there a better example than the above from cpage.php file?

And is e_QUERY already safe? so with the example above I don't need to worry about values?

Thanks

[Deltik]

The purpose of e_QUERY appears to be for legacy uses where the value of the constant is directly put back into rendered HTML. A query string of [debug=everything]id.1&a=b&c[]=1&c[]=2&x="Deltik's Test" gets turned into id.1&a=b&c[]=1&c[]=2&x="Deltik's Test", which is escaped specifically for HTML, not the browser address bar, though browsers should(?) translate the URL encoding themselves to sensible defaults.

You shouldn't manipulate serialized/escaped data directly, as that is an extra layer of complexity. It should be sufficient to work with $_GET and copy the keys you care about.

If you are trying to put the query string into an HTML page, http_build_query() would assemble the array into a valid query string. A common use case would be to put the query string in an HTML attribute. For this, further wrap the URL/URI in e_parse::toAttribute() (example).

If you want to store the value in the database, use prepared statements, not e_parse::toDB(), as I find that method to be very, very messy. Note that you probably should not store arrays in a table cell, as that would be a violation of the first normal form (1NF), which increases the maintenance burden. The e107 core doesn't follow 1NF in some really old structures, so I would not look at the e107 core for examples of good database design.

[Jimmi08]

Thank you so much. I want to replace some old stuff with correct way. This is example how they sanitize $_GET now

// Prevent possible XSS attacks via $_GET.
foreach ($_GET as $v) {
	if(preg_match('@<script[^>]*?>.*?</script>@si', $v) ||
		preg_match("'@<iframe[^>]*?>.*?</script>@si'", $v) ||
		preg_match("'@<applet[^>]*?>.*?</script>@si'", $v) ||
		preg_match("'@<meta[^>]*?>.*?</script>@si'", $v) ||
		preg_match('@<[\/\!]*?[^<>]*?>@si', $v) ||
		preg_match('@<style[^>]*?>.*?</style>@siU', $v) ||
		preg_match('@<![\s\S]*?--[ \t\n\r]*>@', $v)) {
		include("languages/en.php"); // no language set yet, so default to English.	
		die (_POSSIBLEHACK);
	}
}
unset($v);

so replace this (or check any $_GET) is to use e_parse::toAttribute() , not toFilter(). This is a very unsafe area for me, I am afraid to make safety mistake. But I saw another solution - to have listed possible keys for $_GET and nothing other will be used.

The second thing is to create a new URL. Legacy looks like this (those attributes can vary:
/admin.php?action=members&do=list&list=admincreated&let=H

and because I am playing with javascript, I want to change one attribute with it

This works for list and let attributes
document.location = 'admin.php?" . ($list ? "list=$list&" : "") . "let=' + this.value;

So I got the idea to replace that middle part with http_build_query.

Thanks again

[Deltik]

In my opinion, the key is to have a clear mental picture of what kind of data is in the variable you're looking at. Once you know that, you can nest it in whatever kind of template you're rendering.

Using your JavaScript example, you want to build a JavaScript string. e107 has documentation on how to do that here.

Let's see how we can improve this:

document.location = 'admin.php?" . ($list ? "list=$list&" : "") . "let=' + this.value;

The first layer is the query string, but it's a bit complicated because you're building it server-side (PHP) and client-side (JavaScript). You can break this up by making the PHP query string first:

<?php

$tp = e107::getParser();
$params = [];
if ($list) {
    $params['list'] = $list;
}
$paramsJson = $tp->toJSON(http_build_query($params));

$javascript = <<<EOF
// This puts the PHP query string into a JavaScript variable
let rawParams = $paramsJson;

// This processes the JavaScript query string client-side
let params = new URLSearchParams(rawParams);

// This edits the query string
params.set('let', this.value);

// This constructs the final URL client-side
document.location = 'admin.php?' + params.toString();
EOF;

Now, $javascript cleanly contains the JavaScript code you want to render.

You can even embed the whole thing into an HTML attribute if you're feeling ugly:

echo "<button onclick=\"{$tp->toAttribute($javascript)}\">Click me</button>";

[Jimmi08]

This is really helpful...

I did that simple one and it worked :) ... full code if I ever need it.
I couldn't go with <<EOF (Parse error: syntax error, unexpected '<<' (T_SL), yeah I already know how this is tricky, so I changed it to HEREDOC and no issues.

/* ALPHABET **********************************************/
$tmp = "<div class='col-12 container mb-2 p-0'><div class='row justify-content-center pricing-wrapper rounded '> ";
$tmp .= $frm->open('list', "POST", e_SELF);
$tmp .= e107::getForm()->radio('let', efiction::$alphabet, $let);
$tmp .= $frm->close();
$tmp .= "</div></div>";
$output .= $tmp;
 
$params = [];
if ($list)
{
	$params['list'] = $list;
}
$paramsJson = e107::getParser()->toJSON(http_build_query($params));

$jscode = <<<HEREDOC
// This puts the PHP query string into a JavaScript variable
let rawParams = $paramsJson;

// This processes the JavaScript query string client-side
let params = new URLSearchParams(rawParams);

// This constructs the final URL client-side
$('input[type=radio][name=let]').on('change', function() {
	// This edits the query string
	params . set('let', this . value);
	if($(this).val() != 'false') document . location = 'authors.php?' + params . toString();
});
HEREDOC;

e107::js('footer-inline', $jscode);
/* ALPHABET **********************************************/

Now, that complicated one...

[Deltik]

Ah, yeah, I typo'd the beginning of the heredoc. It should've been <<< rather than <<.

[Jimmi08]

Advanced:

$tp = e107::getParser();
$allowedKeys = ['action', 'do', 'list', 'let'];
$params = array();
foreach ($allowedKeys as $key)
{
	if ($_GET[$key])
	{
		$params[$key] = $tp->toAttribute($_GET[$key]);
	}
}
$paramsQuery = http_build_query($params);
$paramsJson = e107::getParser()->toJSON($paramsQuery);

/* ALPHABET **********************************************/
$tmp = "<div class='col-12 container mb-2 p-0'><div class='row justify-content-center pricing-wrapper rounded '> ";
$tmp .= e107::getForm()->open('list', "POST", e_SELF);
$tmp .= e107::getForm()->radio('let', efiction::$alphabet, $let);
$tmp .= e107::getForm()->close();
$tmp .= "</div></div>";
$output .= $tmp;
 
$page = e_REQUEST_SELF;

$jscode = <<<HEREDOC
// This puts the PHP query string into a JavaScript variable
let rawParams = $paramsJson;

// This processes the JavaScript query string client-side
let params = new URLSearchParams(rawParams);

 
// This constructs the final URL client-side
$('input[type=radio][name=let]').on('change', function() {
	// This edits the query string
	params.set('let', this.value);
	var val_list = $(this).val(); 
	if($(this).val() != 'false') document . location = '$page?' + params . toString();
});
HEREDOC;

e107::js('footer-inline', $jscode);
/* ALPHABET **********************************************/

I wasn't sure with this
$page = e_REQUEST_SELF;
but it works.