
PHP cookie special chars

开发者 https://www.devze.com 2023-02-17 16:49 Source: the web
I'm storing multiple pieces of information in cookies in JavaScript. The information pieces are separated by a "+" sign, like document.cookie ='cookie1'+'='+inf1+'+'+inf2.

But when I'm echoing out these cookies from PHP, the separating "+" sign is replaced with a space.

I've tried to echo with addslashes, but it didn't work. When I'm alerting the cookie from JS it's alright, it shows the separating "+" sign.

Does anyone out there know a solution for this?


That’s weird — there is no specification that states a cookie should be treated as application/x-www-form-urlencoded:

  • Netscape’s original draft stated:

    NAME=VALUE
    

    This string is a sequence of characters excluding semi-colon, comma and white space. If there is a need to place such data in the name or value, some encoding method such as URL style %XX encoding is recommended, though no encoding is defined or required.

    So this is the plain percent-encoding.

  • RFC 2109 states:

    cookie          =       NAME "=" VALUE *(";" cookie-av)
    NAME            =       attr
    VALUE           =       value
    

    Where attr and value are specified as:

    attr            =       token
    value           =       word
    word            =       token | quoted-string
    

    And token and quoted-string are specified in HTTP/1.1 and can be represented by these regular expressions respectively:

      [!#$%&'*+\-.0-9A-Za-z^_`|~]+
      "([ \x21\x23-\x7E\x80-\xFF]|(\r\n)?[ \t]+|\\[\x00-\x7F])*"
    

    So this isn’t application/x-www-form-urlencoded either but a different format preferred by HTTP-based extensions.

  • RFC 2965 doesn’t specify anything different than RFC 2109 regarding the cookie syntax:

    cookie          =       NAME "=" VALUE *(";" set-cookie-av)
    NAME            =       attr
    VALUE           =       value
    

Thus the +, which is only replaced in application/x-www-form-urlencoded, should not be replaced by a space in cookies. So this is wrong behavior by PHP.


I know it's not a new issue, but for those who also run into this problem, here's my solution:

To solve this error use escaped characters instead!

At http://www.w3schools.com/jsref/jsref_escape.asp it says:

This function encodes special characters, with the exception of: * @ - _ + . /

So it means you can insert these characters into the cookie, but won't be able to retrieve them through PHP. PHP only accepts escaped ASCII chars like '%2B' for '+', '%2A' for '*', etc. Check the Hx column here: http://www.asciitable.com/

So how I solved it (quick and dirty) is that I tried to insert escaped data into the cookie:

    function setCookie(c_name, value, exdays) {
      var exdate = new Date();
      // escape() leaves * @ - _ + . / untouched, so percent-encode those explicitly
      var n_value = escape(value).replace(/[+]/g, "%2B").replace(/[*]/g, "%2A").replace(/[@]/g, "%40").replace(/[-]/g, "%2D").replace(/[_]/g, "%5F").replace(/[.]/g, "%2E").replace(/[\/]/g, "%2F");
      exdate.setDate(exdate.getDate() + exdays);
      // Append an expiry date only when exdays was supplied
      var c_value = n_value + ((exdays == null) ? "" : "; expires=" + exdate.toUTCString());
      document.cookie = c_name + "=" + c_value;
    }

This escapes the rest of the characters, then replaces the exceptions ( +-_@*./ ). It's dirty and I'm pretty sure it can be done some other way, like regexp...etc, but it works for now.

Try it, you'll be satisfied with it!


You could replace + with its URL code %2B.

document.cookie = 'cookie1' + '=' + inf1 + '%2B' + inf2;

You should also encode inf1 and inf2 if they might contain unencoded strings (if they're numbers, it's fine). Just search Google for "JavaScript urlencode".
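
The round trip discussed in the answers above, as an added example that is not part of the original posts: phpUrlDecode is a simplified model of the URL-decoding PHP applies before a value appears in $_COOKIE, and packCookie, unpackCookie, valueOf and roundTrip are hypothetical helper names. It goes one step beyond the answers by also encoding each piece, so a piece that itself contains "+" or ";" cannot be mistaken for the separator or cut the cookie short.

```javascript
// Added example; all helper names are hypothetical, sample data is constructed.
const SEP = '+';

// Simplified model of PHP's urldecode(): "+" becomes a space, then %XX
// sequences are decoded. (Real PHP tolerates malformed "%"; this throws.)
function phpUrlDecode(raw) {
  return decodeURIComponent(raw.replace(/\+/g, ' '));
}

// What the question does: pieces joined with a literal "+".
function naiveCookie(name, pieces) {
  return name + '=' + pieces.join(SEP);
}

// Encode each piece so it cannot contain a literal separator, join with "+",
// then encode the joined string so the separator travels as %2B.
function packCookie(name, pieces) {
  const joined = pieces.map(p => encodeURIComponent(String(p))).join(SEP);
  return name + '=' + encodeURIComponent(joined);
}

// Everything after the first "=" of a name=value pair.
function valueOf(pair) {
  return pair.slice(pair.indexOf('=') + 1);
}

// Server-side view: input is the value after one URL-decode (what $_COOKIE
// would hold); split on the separator and decode each piece.
function unpackCookie(decodedValue) {
  return decodedValue.split(SEP).map(p => decodeURIComponent(p));
}

// Client packs, PHP decodes once, server code unpacks.
function roundTrip(pieces) {
  return unpackCookie(phpUrlDecode(valueOf(packCookie('cookie1', pieces))));
}

// The symptom from the question: the separator arrives as a space.
console.log(phpUrlDecode(valueOf(naiveCookie('cookie1', ['inf1', 'inf2']))));

// Constructed pieces containing the separator, a cookie delimiter and "%".
const samplePieces = ['a+b', 'x y; z', '50%'];
console.log(packCookie('cookie1', samplePieces));
console.log(roundTrip(samplePieces));
```

On the PHP side, the unpack step corresponds to splitting $_COOKIE['cookie1'] on "+" and decoding each piece with rawurldecode().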
