How can I base64_encode and base64_decode a string with HTML tags?

I have a problem with base64 decode.
For example, I have this code:

```php
else if ($_POST['submit'] == 2) {
    $send = base64_encode($text_success);
    wp_redirect( home_url('/sales-funnel/add-product?msg=' . $send) );
    exit;
}
```

I send the encoded string to the page so that the user can't simply read it from the URL.
`$text_success` contains HTML code, which is generated if `$wpdb->query` does not contain errors:

 `Darījums veiksmīgi pievienots!</br>Komentārs veiksmīgi pievienots!</br>Klients veiksmīgi pievienots!</br>Fāze ir pievienota! </br>`

In all online base64_decode tools it works great, but my WordPress site returns an empty string when I try to do:

```php
if (isset($_GET['msg']) && !empty($_GET['msg'])) {
    $text = base64_decode($_GET['msg']);
    echo $text;
}
```

But, $_GET['msg'] = RGFyxKtqdW1zIHZlaWtzbcSrZ2kgcGlldmllbm90cyE8L2JyPktvbWVudMSBcnMgdmVpa3NtxKtnaSBwaWV2aWVub3RzITwvYnI+S2xpZW50cyB2ZWlrc23Eq2dpIHBpZXZpZW5vdHMhPC9icj5GxIF6ZSBpciBwaWV2aWVub3RhISA8L2JyPg==

P.S. I tried it without HTML tags, and it all works great.

1 comment

  1. The problem is related to the fact that the base64 alphabet is not URL-safe. In this particular case, your base64-encoded string contains a +, which is interpreted as a space.

    To solve this, you can either:

    • Use a URL-safe version of the base64 alphabet, i.e. replacing + with -, / with _, and trimming the trailing = padding, as described in RFC4648. This answer includes a code sample for this approach.
    • URL-encode your content after base64 encoding, turning + into %2B, / into %2F, and = into %3D.

    This should solve your problem, but it goes without saying that in an untrusted environment, giving users the ability to inject raw HTML into your site constitutes a serious security risk.
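
Both fixes from the answer above, together with the output escaping its last paragraph calls for, as an added example that is not part of the original post or answer. The helper names `b64url_encode`, `b64url_decode` and `received_msg` are made up for illustration, and `parse_str()` stands in for how PHP populates `$_GET`.

```php
<?php
// Added example: helper names are hypothetical, not from the original post.

// RFC 4648 "base64url": '+' becomes '-', '/' becomes '_', padding is dropped.
function b64url_encode(string $data): string
{
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

// Returns null for anything that is not well-formed base64url.
function b64url_decode(string $token): ?string
{
    if (!preg_match('/\A[A-Za-z0-9_-]+\z/', $token)) {
        return null;
    }
    $b64 = strtr($token, '-_', '+/');
    $b64 .= str_repeat('=', (4 - strlen($b64) % 4) % 4); // restore padding
    $raw = base64_decode($b64, true);                    // strict mode
    return $raw === false ? null : $raw;
}

// Stand-in for how PHP fills $_GET: parse_str() URL-decodes each value.
function received_msg(string $query): string
{
    parse_str($query, $params);
    return $params['msg'] ?? '';
}

// The message from the question.
$message = 'Darījums veiksmīgi pievienots!</br>Komentārs veiksmīgi pievienots!</br>'
         . 'Klients veiksmīgi pievienots!</br>Fāze ir pievienota! </br>';

// 1. Raw base64 in the query string: every '+' is URL-decoded to a space.
$plain = base64_encode($message);
var_dump(received_msg('msg=' . $plain) === $plain);

// 2. base64url contains no characters that URL decoding rewrites.
$decoded = b64url_decode(received_msg('msg=' . b64url_encode($message)));
var_dump($decoded === $message);

// 3. Percent-encoding the standard alphabet also survives the trip.
var_dump(received_msg('msg=' . urlencode($plain)) === $plain);

// 4. base64 is an encoding, not a secret: anyone can craft their own msg value,
//    so escape the decoded text on output instead of echoing it raw.
echo htmlspecialchars($decoded ?? '', ENT_QUOTES, 'UTF-8'), PHP_EOL;
```

In WordPress, `wp_kses()` with a short allowlist of tags is an alternative to `htmlspecialchars()` when a few harmless tags must be kept in the output.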