Quotes inside a Variable

Nomistake
Forum Newbie
Posts: 15
Joined: Sat Oct 02, 2010 11:16 am

Quotes inside a Variable

Post by Nomistake »

Hi,

Question:
I have a php code:

Code:

echo "<td><a href=\"item_addtomysql.php?&artid=".$id."&description=".$discr."&price=".$price."\">order</a></td>";
This url goes to a page which uses

Code:

$_GET
to read the values inside the URL and add them to a MySQL table.

This works fine...

But:
When the $discr variable contains quotes, the URL stops at the quote, so everything after the quote is omitted...
(the value of $discr is loaded from a MySQL database, so I can't escape the quotes)

If the value of

Code:

$discr
is Acer V193WLAObmd, 48cm / 19" Wide LCD, 16:10 HD LED, Analog & DVI, 12.000.000:1, 5ms, Speakers, Black, ES 5.0, TCO'05
and if I

Code:

echo $discr
, it reads only Acer V193WLAObmd, 48cm / 19

Anyone?

Thanx! :dubious:
Nomistake
Forum Newbie
Posts: 15
Joined: Sat Oct 02, 2010 11:16 am

Re: Quotes inside a Variable

Post by Nomistake »

something with

Code:

htmlspecialchars()
?
Nomistake
Forum Newbie
Posts: 15
Joined: Sat Oct 02, 2010 11:16 am

Re: Quotes inside a Variable

Post by Nomistake »

Code:

$descr = htmlspecialchars(mysql_result($result, $i, "Description"), ENT_QUOTES);
Eran
DevNet Master
Posts: 3549
Joined: Fri Jan 18, 2008 12:36 am
Location: Israel, ME

Re: Quotes inside a Variable

Post by Eran »

Use urlencode for URL strings containing special characters.

Code:

echo '<td><a href="item_addtomysql.php?&artid=' . $id . '&description=' . urlencode($discr) . '&price=' . $price . '">order</a>';
http://php.net/manual/en/function.urlencode.php

Why are you passing the description in the URL, though? That doesn't seem like a good idea and makes for unreadable URLs.
Nomistake
Forum Newbie
Posts: 15
Joined: Sat Oct 02, 2010 11:16 am

Re: Quotes inside a Variable

Post by Nomistake »

Hi Eran,

Thanks for the advice.
I will have a look at your solution also (you think it's better than htmlspecialchars()?)

Yes, currently I'm passing the description to a page (item_addtomysql.php) which has

Code:

header("Location:shop.php");
on the page, so the visitor doesn't really visit a page with a long or unreadable URL but gets thrown back to the main page (shop.php).
Is this a good idea working this way?

In the future I will only pass the article id, and then the cart page gets the description and everything by querying the database...

I'm new to PHP and this is my first PHP 'application', so I'm taking one step at a time;
good advice is always welcome!

Greetings,
Eran
DevNet Master
Posts: 3549
Joined: Fri Jan 18, 2008 12:36 am
Location: Israel, ME

Re: Quotes inside a Variable

Post by Eran »

urlencode() and htmlspecialchars() do different things. The first escapes string for use in URLs, and the second escapes special characters for use in HTML.

Passing only the article_id is the common way to do it. There's no problem taking it one step at a time as long as you're aware of it :)
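How the "pass only the article id" design Eran recommends could look end to end, as an added example that is not code from this thread. The link carries just artid; item_addtomysql.php validates it, fetches the description and price itself and inserts with prepared statements. The table and column names (articles, cart, artid, description, price), the PDO DSN and the credentials are assumptions for illustration.

```php
<?php
// Added example, not code from the original thread. Schema, DSN and
// credentials below are assumed; adjust them to the real database.

// Link side (shop.php): only the integer id travels in the URL. The value is
// still run through http_build_query() and htmlspecialchars() so the link is
// correct in both the URL and the HTML-attribute context.
function order_link_by_id(int $artid): string
{
    $url = 'item_addtomysql.php?' . http_build_query(['artid' => $artid]);
    return '<td><a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">order</a></td>';
}

// Receiving side (item_addtomysql.php): validate the id, look the article up,
// insert a cart row with a prepared statement, then redirect. The exit after
// header() stops the rest of the script from running for the redirected request.
function add_to_cart(PDO $db, $rawArtid): void
{
    // Accept only a positive integer; anything else is rejected before it
    // reaches a query.
    $artid = filter_var($rawArtid, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($artid === false) {
        http_response_code(400);
        exit('invalid article id');
    }

    $select = $db->prepare('SELECT description, price FROM articles WHERE artid = :artid');
    $select->execute([':artid' => $artid]);
    $article = $select->fetch(PDO::FETCH_ASSOC);
    if ($article === false) {
        http_response_code(404);
        exit('unknown article');
    }

    // The description and price come from the articles table, not from the
    // URL, so the cart holds exactly what the catalogue says, whatever the
    // visitor put in the link.
    $insert = $db->prepare(
        'INSERT INTO cart (artid, description, price) VALUES (:artid, :description, :price)'
    );
    $insert->execute([
        ':artid'       => $artid,
        ':description' => $article['description'],
        ':price'       => $article['price'],
    ]);

    header('Location: shop.php');
    exit;
}

// Usage in item_addtomysql.php (DSN and credentials are placeholders):
// $db = new PDO('mysql:host=localhost;dbname=shop;charset=utf8mb4', 'user', 'pass',
//               [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// add_to_cart($db, $_GET['artid'] ?? null);
```

With this layout the quoting problem from the first post disappears rather than being escaped around: the only value in the URL is an integer, and the text that ends up in the cart never passes through a URL or an HTML attribute at all.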
Weirdan
Moderator
Posts: 5978
Joined: Mon Nov 03, 2003 6:13 pm
Location: Odessa, Ukraine

Re: Quotes inside a Variable

Post by Weirdan »

Eran wrote:urlencode() and htmlspecialchars() do different things. The first escapes string for use in URLs, and the second escapes special characters for use in HTML...
So, in fact, they should be used together when you are preparing a URL for use in an HTML attribute (however, most developers neglect to HTML-encode their URLs).

Code:

<a href="<?=htmlspecialchars('http://server.com/script.php?param1=' . urlencode($param1) . '&param2=' . urlencode($param2))?>">Click me</a>
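An added example, not code from the original thread, that ties Eran's urlencode() advice and Weirdan's two-layer version together. It rebuilds the link from the first post with a constructed description containing a double quote, an ampersand and an apostrophe, and traces it through the two decoding steps a real click goes through: the browser reads the href attribute (stopping at the first unescaped quote and decoding HTML entities), then PHP splits the query string on & and percent-decodes it into $_GET. The browser step is approximated with a regular expression plus html_entity_decode(); the script name is the one used in the thread.

```php
<?php
// Added example, not code from the original thread. Sample data is constructed.

$id    = 42;
$price = '149.00';
// Constructed description with a double quote, an ampersand and an apostrophe.
$discr = 'Acer V193WLAObmd, 48cm / 19" Wide LCD, Analog & DVI, TCO\'05';

// Builds the <td> the way the original post does, with the description run
// through $enc before it is concatenated into the query string.
function order_cell(int $id, string $description, string $price, callable $enc): string
{
    $url = 'item_addtomysql.php?artid=' . $id . '&description=' . $enc($description) . '&price=' . $price;
    return '<td><a href="' . $url . '">order</a></td>';
}

// Weirdan's layering: http_build_query() urlencodes every value for the URL,
// then htmlspecialchars() escapes the finished URL for the attribute.
function order_cell_layered(int $id, string $description, string $price): string
{
    $url  = 'item_addtomysql.php?' . http_build_query(['artid' => $id, 'description' => $description, 'price' => $price]);
    $href = htmlspecialchars($url, ENT_QUOTES, 'UTF-8');
    return '<td><a href="' . $href . '">order</a></td>';
}

// Step 1, the browser: the attribute value ends at the first double quote, and
// entities such as &quot; and &amp; are decoded before the request is sent.
function href_as_browser_sees_it(string $html): string
{
    preg_match('/href="([^"]*)"?/', $html, $m);
    return html_entity_decode($m[1], ENT_QUOTES, 'UTF-8');
}

// Step 2, PHP: what item_addtomysql.php finds in $_GET. parse_str() splits on
// & and percent-decodes the same way PHP does when it fills $_GET.
function params_from_url(string $url): array
{
    $pos = strpos($url, '?');
    parse_str($pos === false ? '' : substr($url, $pos + 1), $params);
    return $params;
}

$variants = [
    'raw'                        => order_cell($id, $discr, $price, fn($s) => $s),
    'htmlspecialchars only'      => order_cell($id, $discr, $price, fn($s) => htmlspecialchars($s, ENT_QUOTES, 'UTF-8')),
    'urlencode only'             => order_cell($id, $discr, $price, 'urlencode'),
    'urlencode + htmlspecialchars' => order_cell_layered($id, $discr, $price),
];

foreach ($variants as $label => $html) {
    $get = params_from_url(href_as_browser_sees_it($html));
    printf("%-30s description=%s price=%s\n",
        $label,
        var_export($get['description'] ?? null, true),
        var_export($get['price'] ?? null, true));
}
```

Run it and compare the four lines. With raw concatenation the quote ends the attribute, so the description stops at "19" and price is missing, which is exactly the symptom in the first post. With htmlspecialchars() alone the browser decodes &quot; back to a quote, so the quote survives, but the literal & in "Analog & DVI" still starts a new parameter and the description is cut there, and price only survives because it comes after the cut. With urlencode() alone both values arrive intact; the bare & between parameters is nonetheless invalid inside an attribute and only works because "&description" and "&price" do not look like HTML entities. Only the layered version gives intact values and valid HTML, with &amp; between the parameters and %22 for the quote inside the value.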
Eran
DevNet Master
Posts: 3549
Joined: Fri Jan 18, 2008 12:36 am
Location: Israel, ME

Re: Quotes inside a Variable

Post by Eran »

Quite right, I usually put the entities myself for ampersands and so forth, but use htmlspecialchars or htmlentities to escape URLs when you put them inside HTML attributes.
Nomistake
Forum Newbie
Posts: 15
Joined: Sat Oct 02, 2010 11:16 am

Re: Quotes inside a Variable

Post by Nomistake »

Hey,
thanks for your help on this case...!