
php simplexml_load_file with htmlspecialchars


I am getting content of XML using this code:

$xml = simplexml_load_file("X.xml");
echo $xml->CountryList->Country[1];

Here is the X.xml:

<PickUpCityListRQ>
  <CountryList>
    <Country>Albania</Country>
    <Country>Andorra</Country>
  </CountryList>
</PickUpCityListRQ>

Everything works fine, it returns Andorra for me, but when I try to use a URL with special characters, like this one:

http://somelink/ServiceRequest.do?xml=<PickUpCityListRQ><Credentials username='USERNAME' password='PASSWORD' remoteIp='IP'/><Country>UK</Country></PickUpCityListRQ>

This link won't work for you as it is just an example, but believe me, the real link returns the same content as X.xml. I know that the reason for that is the special characters in the link, but I can't get it to work. I tried something like this:

$username = "USERNAME";
$password = "PASSWORD";
$accessurl = htmlspecialchars("Credentials username='$username' password='$password' remoteIp='123.123.123.123'/");
$required = htmlspecialchars("<PickUpCityListRQ><$accessurl><Country>UK</Country></PickUpCityListRQ>");
$url = 'somelink/service/ServiceRequest.do?xml='.$required;
echo $url;

It returns (with echo) the required link; if I use it manually (in a browser) I get to the required content. But if I try to get the XML content using this code:

$xml = simplexml_load_file($url);
echo $xml->CountryList->Country[1];

It won't work. Any ideas? Thank you in advance.


Solution

  • htmlspecialchars is used to protect special characters inside an HTML content page (especially on user input, to avoid some sort of XSS or other attack).

    When you are manipulating URLs, you should instead use urlencode to send your content as a parameter of the URL.

    So your URL will be:

    http://someserver/somethink/services/ServiceRequest.do?xml=%3CPickUpCityListRQ%3E%3CCredentials%20username%3D'USERNAME'%20password%3D'PASSWORD'%20remoteIp%3D'IP'%2F%3E%3CCountry%3EUK%3C%2FCountry%3E%3C%2FPickUpCityListRQ%3E
    

    As the documentation says, urldecode is not required because the superglobals $_GET and $_REQUEST are already urldecoded. So, in the script which does the job, you can directly use the value in your $_GET entry.

    $xml = simplexml_load_string($_GET['xml']);
    

    documentation : urlencode
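The two encoding layers from the question and answer, side by side, as an added example that is not part of the original post: values are escaped for XML when they go into the document, and the finished document is percent-encoded once as a URL parameter. The function names, the host and the credential values are assumptions made up for illustration; the credentials deliberately contain `&` and `'` to exercise the escaping.

```php
<?php
// Added example; host, path and credential values are constructed placeholders.

// Layer 1: a value placed inside the XML document is escaped for XML.
// This is the context where htmlspecialchars() is the right tool.
function xml_escape(string $value): string
{
    return htmlspecialchars($value, ENT_XML1 | ENT_QUOTES, 'UTF-8');
}

function build_request_xml(string $user, string $pass, string $ip, string $country): string
{
    return "<PickUpCityListRQ>"
        . "<Credentials username='" . xml_escape($user) . "'"
        . " password='" . xml_escape($pass) . "'"
        . " remoteIp='" . xml_escape($ip) . "'/>"
        . "<Country>" . xml_escape($country) . "</Country>"
        . "</PickUpCityListRQ>";
}

// Layer 2: the finished document is percent-encoded as one query parameter.
// http_build_query() applies rawurlencode() rules with PHP_QUERY_RFC3986.
function build_request_url(string $base, string $xml): string
{
    return $base . '?' . http_build_query(['xml' => $xml], '', '&', PHP_QUERY_RFC3986);
}

$base = 'http://somelink/service/ServiceRequest.do';
$xml  = build_request_xml('USER&NAME', "PASS'WORD", '123.123.123.123', 'UK');
$url  = build_request_url($base, $xml);
echo $url, "\n";

// Receiving side: the query string is decoded the same way PHP fills $_GET,
// and the original document comes back intact and parses.
parse_str(parse_url($url, PHP_URL_QUERY), $query);
$doc = simplexml_load_string($query['xml']);
echo $doc->Credentials['password'], ' / ', $doc->Country, "\n";

// The question's approach for comparison: htmlspecialchars() emits entities
// such as &lt; and '&' is the query-string separator, so the xml parameter
// is cut short and no longer matches the document that was sent.
$wrong = $base . '?xml=' . htmlspecialchars($xml);
parse_str(parse_url($wrong, PHP_URL_QUERY), $bad);
var_dump(($bad['xml'] ?? null) === $xml);
```

The query string, including the password attribute, is recorded in web server and proxy access logs along the request path; if the service accepts the XML in a POST body, sending it that way keeps the credentials out of those logs.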