separating values in a URL, not with an & - html

Each parameter in a URL can have multiple values. How can I separate them? Here's an example:
http://www.example.com/search?queries=cars,phones
So I want to search for 2 different things: cars and phones (this is just a contrived example). The problem is the separator, a comma. A user could enter a comma in the search form as part of their query and then this would get screwed up. I could have 2 separate URL parameters:
http://www.example.com/login?name1=harry&name2=bob
There's no real problem there, in fact I think this is how URLs were designed to handle this situation. But I can't use it in my particular situation. Requires a separate long post to say why... I need to simply separate the values.
My question is basically, is there a URL encodable character or value that can't possibly be entered in a form (textarea or input) which I can use as a separator? Like a null character? Or a non-visible character?
UPDATE: thank you all for your very quick responses. I should've listed the same parameter name example too, but order matters in my case so that wasn't an option either. We solved this by using a %00 URL encoded character (UTF-8 \u0000) as a value separator.

The standard approach to this is to use the same key name twice.
http://www.example.com/search?queries=cars&queries=phones
Most form libraries will allow you to access it as an array automatically. (If you are using PHP (and making use of $_POST/GET and not reinventing the wheel) you will need to change the name to queries[].)

You can give them each the same parameter name.
http://www.example.com/search?query=cars&query=phones
The average server side HTTP API is able to obtain them as an array. As per your question history, you're using JSP/Servlet, so you can use HttpServletRequest#getParameterValues() for this.
String[] queries = request.getParameterValues("query");

Just URL-encode the user input so that their commas become %2C.

Come up with your own separator that is unlikely to get entered in a query. Two underscores '__' for example.

Why not just do something like "||"? Anyone who types that into a search area probably fell asleep on their keyboard :} Then just explode it on the backend.

easiest thing to do would be to use a custom separator like [!!ValSep!!].

Related

JMeter: Is there any way to inject value "Patient_1077,ELLA(161st Pharmacy address)" in a input field

I have a a field which accepts value as "Patient_1077,ELLA(161st Pharmacy address)" i.e: Patient ID, name and Address, that I want to parameterize, CSV is not helpful in this case as value contains comma itself, is there any alternative way where I can inject these kind of values from file and parameterize the same?
Delimiter is configurable. See this for an example:
http://ivetetecedor.com/how-to-use-a-csv-file-with-jmeter/
You can also quote the data, which is another solution in your case.
You can make values in csv like:
Patient_0154, ELLA(102st The Cave)
Patient_0155, ELLA(101st The
Wall)
Then read it:
Patient_0154 -> user
ELLA(102st The Cave) -> adress
And when you need the value you do the simple trick — ${user},${adress}.
At least this is my approach when I don't want to code a lot for a simple task.

Saving values containing comma's in a HTML Multiple select

I have a HTML multiple select being used which caused no issue until a selection with a comma was entered. When saving / loading the values are split by ',' into a list. Therefore causing an issue
I have tried to find a way of possibly changing the character that is being used to split the values when the form is posted but came to a dead end.
Would be very grateful if someone has any insight into this.
Thanks in advance.
---Update with Code---
The control is created dynamically
Dim SelectName1 As New HtmlSelect
SelectName1.ID = "SelectName" & id
SelectName1.Name = "SelectName"
SelectName1.Multiple = True
and filled by looping though the values.
For Each value As String In Request.Form(idToFind).Split(",")
If Not IsDBNull(SelectName.Items.FindByValue(value)) Then....
I cannot add any more code than that, Apologies
After updating the question by add code, I think the available options are limited:
Create an extra Javascript method, that stores the selected values in a json object and store it into a hidden input field. I'm not an expert in asp.net, though I'm sure there exists a method to parse json objects from a string.
Create an extra javascript method, that concatinating all values to a String and store it into a hidden input field. With creation of a single string, you can define your own delimiter.
After that, add this extra Javascript mehod to the event onSubmit. Then submit the form and read the value from hidden input field.
P.S. In my eyes the second idea is more simple to create, than the first one. And maybe there are better ways.

Find column values that are a start string of given string.

I have a database table that contains URLs in a column. I want to show certain data depending on what page the user is on, defaulting to a 'parent' page if not a direct match. How can I find the columns where the value is part of the submitted URL?
Eg. I have www.example.com/foo/bar/baz/here.html; I would expect to see (after sorting on length of column value):
www.example.com/foo/bar/baz/here.html
www.example.com/foo/bar/baz
www.example.com/foo/bar
www.example.com/foo
www.example.com
if all those URLs are in the table of course.
Is there a built in function or would I need to create a procedure? Googling kept getting me to LIKE and REGEXP, which is not what I need. I figured that a single query would be much more efficient than chopping the URL and making multiple queries (the URLs could potentially contain many path components).
Simple turn around the "Like" operator:
SELECT * FROM urls WHERE "www.example.com/foo/bar/baz/here.html" LIKE CONCAT(url, "%");
http://sqlfiddle.com/#!2/ef6ee/1

HTML Search Function

I need a search function for on an intranet , can I do this purely in HTML ? and if so could you possibly point me in the right direction , I tried googeling it but it came up with searching via search engines.
Cheers
EDIT: I only need it to search for text on 1 page , its not a whole website , just one page.
You will need some server-side scripting in order to provide the directory listings.
I recommend using PHP's glob function recursively, but there might be a better option.
Edit:
For one page, using JavaScript, you could get the contents of all of the elements, and use regex or indexOf to determine if the string exists within the text, and if so, where.
If you are to use the indexOf function, as the function only returns the index of the first occurrence of the string, you will need to repeat the search until you've gathered all occurrences.
You may specify the start parameter to snip the front of the searching area, to begin the new search after your last found occurrence.

How to suggest alternative usernames during signup in case username is unavailable?

How can I suggest a list of alternate usernames in case user has selected an invalid or existing username?
The suggestions must be somewhat related. Do I need to use a dictionary of possible usernames?
It depends entirely on what you consider "related". It's hard to define such a meaning for usernames, as they often aren't normal English words. You might wish to create a unique username by appending a random stream of numbers, or by changing some of the letters to numbers ('e' to '3' etc). If you will update your question with what you mean by 'relevant' I will try and tackle that specific issue.
Bad idea. Giving away related usernames allows a skillful attacker to deduce which usernames are in use.
IE if I try and register 'RandomUser' and the system suggests using on of:
RandomUser1
RandomUser2
RandomUser3
RandomUser5
Then I can reasonably surmise that RandomUser4 is a valid username.
Look a this:
http://www.onesoft.dk/post/2007/07/ASPNET-AJAX-username-availability-with-suggestions.aspx
Its build using Ajax & JSON. I'm sure you will be able to adapt it to your technology.
Just add more info to the user name that the user seleced. If you colected also info like birthday, you can add to it the year:
user -> user1985
Or if you're getting a first name:
user -> jose_user
Don't use "automatic" information, because it would make it easy for attackers to deduce valid user names.