Ajax.. %00 and + break my form!
I need help fixing my ajax form!
There are 3 fields (name, email, website) If one ore more are missing, it returns the form with values re-filled and an error message. if they are all filled, a success message.
After multiple tests (http://ha.ckers.org/xss.html), I found the following breaks it (I typed these characters into the first field, 'name')
The null character: %00
In firefox, the %00 is replaced with a ? in the form. in IE the html returned is broken (instead of the form field, I see: <input name="name" value="
This is a problem with either
a) php returning a null character rather than %00, or
b) the browser interpreting %00 as a null character rather than seeing it as three characters.
The plus character: +
One of 2 things happen:
1) if I type in +something:
returns the form without re-filling the name field. The name field should have the value +something.
This also gives error, undefined index email and error, undefined index website
2) If I type something+ or something+something:
It returns the error message: "error, undefined index email " and my own error message "Error with URL".
To make sure there is no problem with form submission, my script checks that the keys name, email, and website are set. For example $_GET['name'] and $_GET['email'] and $_GET['website'] should exist.
So, both 1 and 2 mean that the + sign is messing with the url being requested, which should be:
Can anyone please explain how to prevent these two errors?
1) how to prevent the + sign from messing with the URL above.
2) How to refill the user input with %00
with php I can at least replace %00 with %OO (using the letter instead of number)