php simplexml_load_file with htmlspecialchars

Question

I am getting content of XML using this code:

$xml = simplexml_load_file("X.xml");
echo $xml->CountryList->Country[1];

Here is the X.xml:

<PickUpCityListRQ>
  <CountryList>
    <Country>Albania</Country>
    <Country>Andorra</Country>
  </CountryList>
</PickUpCityListRQ>

Everything works fine, it returns Andorra for me, but, when I try to use url with special characters, like this one:

http://somelink/ServiceRequest.do?xml=<PickUpCityListRQ><Credentials username='USERNAME' password='PASSWORD' remoteIp='IP'/><Country>UK</Country></PickUpCityListRQ>

This link won't work for you as it just an example, but believe, real link returns the same content as X.xml. I know that the reason of that are special characters in the link, but I can't get it work. I tried something like this:

$username = "USERNAME";
$password = "PASSWORD";
$accessurl = htmlspecialchars("Credentials username='$username' password='$password' remoteIp='123.123.123.123'/");
$required = htmlspecialchars("<PickUpCityListRQ><$accessurl><Country>UK</Country></PickUpCityListRQ>");
$url = 'somelink/service/ServiceRequest.do?xml='.$required;
echo $url;

It returns (with echo) the required link, in case if I use it manualy (in browser) I'll get to the required content. But if I try to get XML content using this code:

$xml = simplexml_load_file($url);
echo $xml->CountryList->Country[1];

I won't work. Any ideas? Thank you in advance.

MatRt · Accepted Answer · 2013-03-20T07:20:41.937

2

htmlspecialchars is used to protect special char inside an HTML content page (especially on user input, to avoid some sort of XSS or other attack..).

When you are manipulating URLs, you should use instead urlencode to send your content as parameter of the URL.

So your URL will be:

http://someserver/somethink/services/ServiceRequest.do?xml=%3CPickUpCityListRQ%3E%3CCredentials%20username%3D'USERNAME'%20password%3D'PASS‌WORD'%20remoteIp%3D'IP'%2F%3E%3CCountry%3EUK%3C%2FCountry%3E%3C%2FPickUpCityListR‌Q%3E

As the documentation says, urldecode is not requiered because the superglobals $_GET and $_REQUEST are already urldecoded. So, in your script which do the job you can directly use the value in your $_GET entry.

$xml = simplexml_load_string($_GET['xml']);

documentation : urlencode

edited Mar 20 '13 at 07:20

answered Mar 20 '13 at 05:00

MatRt

3,494
1
19
14

I am sorry. But, I don't get what do I need urlencode for. When I use the code from the 4th "code container", it returns me the normal link. The problem is that $xml = simplexml_load_file($url); don't want to read that link – Jev Mar 20 '13 at 06:47
1) You have to urlencode because there is some char in your content that should be protected in URL (space, <, >...). If I urlencode your content, I obtain : `%3CPickUpCityListRQ%3E%3CCredentials%20username%3D'USERNAME'%20password%3D'PASSWORD'%20remoteIp%3D'IP'%2F%3E%3CCountry%3EUK%3C%2FCountry%3E%3C%2FPickUpCityListRQ%3E`. 2) As you URL parameter is a content, and not a file, you have to use `simple_xml_load_string` instead of `simple_xml_load_file` – MatRt Mar 20 '13 at 06:52
No, you just need to `urlencode` your parameter before putting it on the URL. On the PHP script represented by the URL, you just have to `simple_xml_load_string($_GET['xml'])` to load the XML content. Don(t forget to mark your best answer ;) – MatRt Mar 20 '13 at 07:18
In this case in returns nothing. Even if I try to get content from X.xml. $required = urlencode($required); $url = 'X.xml'; $xml = simplexml_load_string($_GET['$url']);; echo $xml->CountryList->Country[1]; returns nothing – Jev Mar 20 '13 at 08:06
humm.. your comment seems confusing. If you want to load XML content directly from a file, use just `$xml = simple_xml_load_file("your_file.xml")`. But if you want to send the XML content to a specific script (to a specific URL) that will process this XML, you have to urlencode the XML content (as it is transfered on the URL), put it as parameter of your URL. And on the script that do the job, just load the XML from your parameter (which should be in $_GET) with `simple_xml_load_string($_GET['your_param_name']);` – MatRt Mar 20 '13 at 08:18
$required = urlencode($required); $url = 'http://www.rentalcars.com/service/ServiceRequest.do?xml='.$required; $xml = simplexml_load_string($_GET[$url]); echo $xml->CountryList->Country[1]; I tried this, is it incorrect? I "urlencode" the XML content, then generate the url, and trying to get the generated XML date using that link. – Jev Mar 20 '13 at 08:39
let us [continue this discussion in chat](http://chat.stackoverflow.com/rooms/26521/discussion-between-judjin-and-matrt) – Jev Mar 20 '13 at 08:50

score 0 · Answer 2 · edited May 23 '17 at 12:21

Answer stolen from PHP simplexml_load_file with special chars in URL

Use this

$username = "USERNAME";
$password = "PASSWORD";
$accessurl = "Credentials username='$username' password='$password' remoteIp='123.123.123.123'/";
$required = "<PickUpCityListRQ><$accessurl><Country>UK</Country></PickUpCityListRQ>";

$url= rawurlencode("somelink/service/ServiceRequest.do?xml={$required}");

$xml = simplexml_load_file($url);
echo $xml->CountryList->Country[1];

php simplexml_load_file with htmlspecialchars

2 Answers2