POST data issues

Question

I have an issue with submitting post data. I have a form which have a couple of text fields in, and when a button is pressed to submit the data, it is run through a custom from validation (JS), then I construct a query string like

title=test&content=some content

which is then submitted to the server. The problem I had is when I have '&' (eg &nbsp) entered into one of the inputs which then breaks up the query string. Eg:

title=test&content=some content &nbsp 

How do I get around this?

Thanks in advance, Harry.

Answer 1

Run encodeURIComponent over each key and value.

var title = "test";
var content = "some content &nbsp ";
var data = encodeURIComponent('title') + /* You don't actually need to encode this as it is a string that only contains safe characters, but you would if you weren't sure about the data */
           '=' + encodeURIComponent(title) + 
           '&' + encodeURIComponent('content') + 
           '=' + encodeURIComponent(content);

Answer 2

Encode the string..when you want to encode a query string with special characters you need to use encoding. ampersand is encoded like this

title=test&content=some content %26

basically any character in a query string can be replaced by its ASCII Hex equivalent with a % as the prefix

Space = %20
A = %41
B = %42
C = %43
...

Answer 3

You need to encode your query to make it URL-safe. You can refer to the following links on how to do that in JS:

http://xkr.us/articles/javascript/encode-compare/

http://www.webtoolkit.info/javascript-url-decode-encode.html

Answer 4

You said:

...and when a button is pressed to submit the data, it is run through a custom from validation (JS), then I construct a query string...

In the section where you are building the query string you should also run the value of each input through encodeURIComponent() as David Dorward suggested.

As you do - be careful that you only assign the new value to your processed query string and NOT the form element value, otherwise your users will think their input was somehow corrupted and potentially freak out.

[EDIT]

I just re-read your question and realized something important: you're encoding an &nbsp ;character. This is probably a more complicated issue than other posters here have read into. If you want that character, and other &code; type characters to transfer over you'll need to realize that they are codes. Those characters &, n, b, s, p and ; are not themselves the same as " " which is a space character that does not break.

You'll have to add another step of encoding/decoding. You can place this step either before of after the data is sent (or "POSTed").

Before: (Using this question's answers)

var data = formElement.value;
data = rhtmlspecialchars(data, 0);

Which is intended to replace your "special" characters like   with " " so that they are then properly encoded by encodeURIComponent(data)

Or after: (using standard PHP functions)

<?PHP
$your_field_name = htmlspecialchars_decode(urldecode($_POST['your_field_name']));
?>

This assumes that you escaped the & in your POST with %26 If you replaced it with some function other than encodeURIComponent() you'll have to find a different way to decode it in PHP.

Answer 5

This should solve your problem:

encodeURIComponent(name)+'='+encodeURIComponent(value)+'&'+encodeURIComponent(name2)+'='+encodeURIComponent(value2)

You need to escape each value (and name if you want to be on the safe side) before concatenating them when you're building your query.

• The JavaScript global function encodeURIComponent() does the escaping.
• The global function escape() (DOM) does this for you in a browser. Although people are saying it is not doing the escaping well for unicode chars. Anyway if you're only concerned about '&' then this would solve your problem.