Question How to remove unknown characters?

promem_da

New Member
Hello,
Can anyone help me with how to get the URL in the code (.w) when the input parameter values are changed in a URL manually?


Thanks..
 

Cringer

ProgressTalk.com Moderator
Staff member
Are you using Webspeed? What Progress version? I'm not completely clear on what you are trying to achieve.
 

promem_da

New Member
> Are you using Webspeed? What Progress version? I'm not completely clear on what you are trying to achieve.

Hello,

Yes, I'm using Webspeed. Progress version - 10.1C, am using Windows 7.

The HTTP request has a few name-value pairs. I am trying to replace those values with some special character by manually editing the URL.

I need the new URL containing the special characters in the program! How can I retrieve them?

Also, I want to replace those special chars with null, and that should be reflected back into the URL. Any idea how this can be done?

Can you please provide your assistance on this..


Thanks..
 

medu

Member
not sure what you are after here, if you are looking to strip some 'unsafe' characters from your input parameters then do that on values returned by get-value api... if you need the full list you can get it from cgi variable QUERY_STRING with get-cgi (or something like that).

the full URL you need to 're-compose' from cgi variables but that won't get 'reflected' back in case you expect to be able to change the URL entered in the address bar of user's browser :)... don't see any reason why you would try something like that, just make sure you handle user input with care - if you for instance use that to build the where clause of a dynamic query or call an os-command.
 

promem_da

New Member
> not sure what you are after here, if you are looking to strip some 'unsafe' characters from your input parameters then do that on values returned by get-value api... if you need the full list you can get it from cgi variable QUERY_STRING with get-cgi (or something like that).
>
> the full URL you need to 're-compose' from cgi variables but that won't get 'reflected' back in case you expect to be able to change the URL entered in the address bar of user's browser :)... don't see any reason why you would try something like that, just make sure you handle user input with care - if you for instance use that to build the where clause of a dynamic query or call an os-command.


This is to prevent hackers from reading the data rendered by a web page.

I need to remove special chars in the URL so that an attacker cannot control the response. That is what I am trying to do. :)
Hope you got what I am trying to do..

Thanks!
 

medu

Member
so why do you care about the URL? just make sure you don't just stream that data back without validation... but either way, are you expecting the users to 'hack' themselves? :)

point is, you need to care about user-data when and depending how you use that. you definitely shouldn't trust that data and validate it before using it but that has nothing to do with the URL, mind you CR+LF can be a legit value in those parameters sometimes (hence it's url-encoded).

if you do use set-header api or something then just make sure you don't add CR+LF in the value, not sure if the api already does that but it might be worth checking and if not even raise a feature request at PSC.
if you store that data in database then it might be OK to leave those alone, in that case you often need to encode data when you output it back in generated html.
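
The handling described in the post above, as an added example that is not part of the original thread and is not Progress's own code: validate a value against an allowlist, drop CR and LF only where the value goes into a header, and HTML-encode only when writing it into a page. The function names `isAllowed`, `headerSafe` and `htmlSafe` are hypothetical and the sample value is constructed; in a WebSpeed program the input would come from get-value.

```abl
/* Added example: core ABL only, no WebSpeed include files needed. */

/* Validation: TRUE only if every character of pcValue is in pcAllowed.
   INDEX is case-insensitive here, so the letters cover both cases. */
FUNCTION isAllowed RETURNS LOGICAL
    (INPUT pcValue AS CHARACTER, INPUT pcAllowed AS CHARACTER):
    DEFINE VARIABLE i AS INTEGER NO-UNDO.
    DO i = 1 TO LENGTH(pcValue):
        IF INDEX(pcAllowed, SUBSTRING(pcValue, i, 1)) = 0 THEN
            RETURN FALSE.
    END.
    RETURN TRUE.
END FUNCTION.

/* Header context: drop CR and LF so the value stays on one header line. */
FUNCTION headerSafe RETURNS CHARACTER (INPUT pcValue AS CHARACTER):
    RETURN REPLACE(REPLACE(pcValue, CHR(13), ""), CHR(10), "").
END FUNCTION.

/* HTML context: encode markup characters, "&" first so that the
   entities produced by the later replacements are not re-encoded.
   "~;" is a literal semicolon written with the ABL escape character. */
FUNCTION htmlSafe RETURNS CHARACTER (INPUT pcValue AS CHARACTER):
    pcValue = REPLACE(pcValue, "&", "&amp~;").
    pcValue = REPLACE(pcValue, "<", "&lt~;").
    pcValue = REPLACE(pcValue, ">", "&gt~;").
    pcValue = REPLACE(pcValue, '"', "&quot~;").
    pcValue = REPLACE(pcValue, "'", "&#39~;").
    RETURN pcValue.
END FUNCTION.

DEFINE VARIABLE cRaw AS CHARACTER NO-UNDO.

/* Constructed sample: a decoded parameter value containing markup
   and a CR+LF pair (legitimate in a parameter, not in a header). */
cRaw = "<b>Ann</b>" + CHR(13) + CHR(10) + "second line".

MESSAGE
    "allowed:" isAllowed(cRaw, "abcdefghijklmnopqrstuvwxyz0123456789 -") SKIP
    "header :" headerSafe(cRaw) SKIP
    "html   :" htmlSafe(cRaw)
    VIEW-AS ALERT-BOX.
```

The stored or received value is left unchanged; each function is applied only at the point where the value enters that output context.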
 

promem_da

New Member
> so why do you care about the URL? just make sure you don't just stream that data back without validation... but either way, are you expecting the users to 'hack' themselves? :)
>
> point is, you need to care about user-data when and depending how you use that. you definitely shouldn't trust that data and validate it before using it but that has nothing to do with the URL, mind you CR+LF can be a legit value in those parameters sometimes (hence it's url-encoded).
>
> if you do use set-header api or something then just make sure you don't add CR+LF in the value, not sure if the api already does that but it might be worth checking and if not even raise a feature request at PSC.
> if you store that data in database then it might be OK to leave those alone, in that case you often need to encode data when you output it back in generated html.


Okay, thanks for your quick response :)
 