Quotes inside a Variable

Posted: Tue Oct 19, 2010 8:38 am
by Nomistake
Hi,

Question:
I have this PHP code:

echo "<td><a href=\"item_addtomysql.php?&artid=".$id."&description=".$discr."&price=".$price."\">order</a>";
This URL goes to a page which uses $_GET to read the values inside the URL and adds them to a MySQL table.

This works fine...

But:
When the $discr variable contains quotes, the URL stops at the quote, so everything after the quote is omitted...
(the value of $discr is loaded from a MySQL database, so I can't escape the quotes)

If the value of $discr is Acer V193WLAObmd, 48cm / 19" Wide LCD, 16:10 HD LED, Analog & DVI, 12.000.000:1, 5ms, Speakers, Black, ES 5.0, TCO'05
and if I echo $discr, it reads only Acer V193WLAObmd, 48cm / 19

Anyone?

Thanx!

Re: Quotes inside a Variable

Posted: Tue Oct 19, 2010 8:50 am
by Nomistake
Something with htmlspecialchars()?

Re: Quotes inside a Variable

Posted: Tue Oct 19, 2010 8:59 am
by Nomistake

$descr = htmlspecialchars(mysql_result($result, $i, "Description"), ENT_QUOTES);

Re: Quotes inside a Variable

Posted: Tue Oct 19, 2010 9:04 am
by Eran
Use urlencode for URL strings containing special characters.

echo '<td><a href="item_addtomysql.php?&artid=' . $id . '&description=' . urlencode($discr) . '&price=' . $price . '">order</a>';
http://php.net/manual/en/function.urlencode.php

Why are you passing the description in the URL, though? That doesn't seem like a good idea and makes for unreadable URLs.

Re: Quotes inside a Variable

Posted: Tue Oct 19, 2010 9:14 am
by Nomistake
Hi Eran,

Thanks for the advice.
I'll have a look at your solution also (you think it's better than htmlspecialchars()?)

Yes, currently I'm passing the description to a page (item_addtomysql.php) which has

header("Location: shop.php");

on the page, so the visitor doesn't really visit a page with long or unreadable URLs but gets thrown back to the main page (shop.php).
Is it a good idea to work this way?

In the future I'll only pass the article id, and then the cart page gets the description and everything by querying the database...

I'm new to PHP and this is my first PHP 'application', so I'm taking one step at a time;
good advice is always welcome!

Greetings,

Re: Quotes inside a Variable

Posted: Tue Oct 19, 2010 9:32 am
by Eran
urlencode() and htmlspecialchars() do different things. The first escapes a string for use in URLs, and the second escapes special characters for use in HTML.

Passing only the article_id is the common way to do it. There's no problem taking it one step at a time as long as you're aware of it :)

Re: Quotes inside a Variable

Posted: Tue Oct 19, 2010 9:39 am
by Weirdan
Eran wrote: urlencode() and htmlspecialchars() do different things. The first escapes a string for use in URLs, and the second escapes special characters for use in HTML...
So, in fact, they should be used together when you are preparing a URL for use in an HTML attribute (however, most developers neglect to HTML-encode their URLs).

<a href="<?=htmlspecialchars('http://server.com/script.php?param1=' . urlencode($param1) . '&param2=' . urlencode($param2))?>">Click me</a>
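
The two-layer encoding Eran and Weirdan describe, applied to the thread's own Acer description, as an added example (not code posted in this thread). The article id and price values, and the function names unsafe_link, safe_link and received_description, are assumptions for the demonstration; http_build_query is used in place of calling urlencode() on each value by hand.

```php
<?php
// Constructed sample input: the thread's description string, which contains a
// double quote, an ampersand, an apostrophe, slashes, commas and spaces.
$id    = 42;        // assumed article id
$price = '129.00';  // assumed price
$discr = 'Acer V193WLAObmd, 48cm / 19" Wide LCD, 16:10 HD LED, Analog & DVI, '
       . '12.000.000:1, 5ms, Speakers, Black, ES 5.0, TCO\'05';

// The thread's original construction: the raw " closes the href attribute
// early, and the raw & would be read as a query-parameter separator.
function unsafe_link(int $id, string $discr, string $price): string {
    return '<a href="item_addtomysql.php?artid=' . $id
         . '&description=' . $discr . '&price=' . $price . '">order</a>';
}

// Layer 1: urlencode() (http_build_query applies it to every value) makes a
// valid URL. Layer 2: htmlspecialchars() with ENT_QUOTES makes that URL safe
// to place inside a double-quoted HTML attribute.
function safe_link(int $id, string $discr, string $price): string {
    $url = 'item_addtomysql.php?' . http_build_query([
        'artid'       => $id,
        'description' => $discr,
        'price'       => $price,
    ]);
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">order</a>';
}

// What the receiving page ends up with: extract the href attribute, undo the
// HTML escaping (as a browser does), then parse the query string the way PHP
// fills $_GET.
function received_description(string $html): ?string {
    if (!preg_match('/href="([^"]*)"/', $html, $m)) {
        return null;
    }
    $url = html_entity_decode($m[1], ENT_QUOTES, 'UTF-8');
    parse_str((string) parse_url($url, PHP_URL_QUERY), $query);
    return $query['description'] ?? null;
}

// The unsafe link's attribute ends at the quote in 19", so the receiving page
// sees a truncated description; the safe link round-trips it unchanged.
$unsafe_ok = received_description(unsafe_link($id, $discr, $price)) === $discr;
$safe_ok   = received_description(safe_link($id, $discr, $price)) === $discr;
echo 'unsafe round-trip intact: ', var_export($unsafe_ok, true), PHP_EOL;
echo 'safe round-trip intact:   ', var_export($safe_ok, true), PHP_EOL;
```

As Eran notes later in the thread, the more robust design passes only the article id and lets the receiving page look the description and price up in the database, so neither needs to travel through the URL at all.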

Re: Quotes inside a Variable

Posted: Tue Oct 19, 2010 9:59 am
by Eran
Quite right, I usually put the entities myself for ampersands and so forth, but use htmlspecialchars or htmlentities to escape URLs when you put them inside HTML attributes.

Re: Quotes inside a Variable

Posted: Wed Oct 27, 2010 8:43 am
by Nomistake
Hey,
Thanks for your help on this case...!