Quotes inside a Variable
Posted: Tue Oct 19, 2010 8:38 am
by Nomistake
Hi,
Question:
I have a php code:
// $discr is inserted into the href unescaped, so a " inside it ends the attribute early
echo "<td><a href=\"item_addtomysql.php?&artid=".$id."&description=".$discr."&price=".$price."\">order</a></td>";
This URL goes to a page which uses
to read the values inside the URL and adds them to a MySQL table.
This works fine...
But:
When the $discr variable contains quotes, the URL stops at the quote so everything after the quote is omitted...
(the value of $discr is loaded from a MySQL database so I can't escape the quotes)
If the value of
is Acer V193WLAObmd, 48cm / 19" Wide LCD, 16:10 HD LED, Analog & DVI, 12.000.000:1, 5ms, Speakers, Black, ES 5.0, TCO'05
and if I
, it reads only Acer V193WLAObmd, 48cm / 19
Anyone?
Thanx!

Re: Quotes inside a Variable
Posted: Tue Oct 19, 2010 8:50 am
by Nomistake
Re: Quotes inside a Variable
Posted: Tue Oct 19, 2010 8:59 am
by Nomistake
// ENT_QUOTES converts both " and ' to entities; mysql_result() fetches one cell of row $i
$descr = htmlspecialchars(mysql_result($result, $i, "Description"), ENT_QUOTES);
Re: Quotes inside a Variable
Posted: Tue Oct 19, 2010 9:04 am
by Eran
Use urlencode for URL strings containing special characters.
echo '<td><a href="item_addtomysql.php?&artid=' . $id . '&description=' . urlencode($discr) . '&price=' . $price . '">order</a>';
http://php.net/manual/en/function.urlencode.php
Why are you passing the description in the URL though? That doesn't seem like a good idea and makes for unreadable URLs.
Re: Quotes inside a Variable
Posted: Tue Oct 19, 2010 9:14 am
by Nomistake
Hi Eran,
Thanks for the advice.
I will have a look at your solution also (you think it's better than htmlspecialchars()?)
Yes, currently I'm passing the description to a page (item_addtomysql.php) which has
on the page, so the visitor doesn't really visit a page with long or unreadable URLs but gets thrown back to the main page (shop.php).
Is it a good idea to work this way?
In the future I'll only pass the article id and then the cart page gets the description and everything by querying the database...
I'm new to PHP and this is my first PHP 'application' so I'm taking one step at a time,
good advice is always welcome!
Greetings,
Re: Quotes inside a Variable
Posted: Tue Oct 19, 2010 9:32 am
by Eran
urlencode() and htmlspecialchars() do different things. The first escapes a string for use in URLs, and the second escapes special characters for use in HTML.
Passing only the article_id is the common way to do it. There's no problem taking it one step at a time as long as you're aware of it
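Eran's advice of passing only the article id, worked through as an added example that is not code from the thread. The receiving page accepts nothing but artid, rejects anything that is not a positive integer before it touches SQL, and reads description and price from the database itself, so a visitor cannot send an altered price or a description with stray quotes. The database is a constructed in-memory SQLite table accessed through PDO prepared statements, standing in for the thread's mysql_* calls; the table and column names are assumptions.

```php
<?php
// Added example (not the thread's code): item_addtomysql.php rewritten to take
// only ?artid=... and look everything else up server-side.
// The catalog below is a constructed in-memory SQLite database; in the thread
// this would be the existing MySQL table. Column names are assumptions.
declare(strict_types=1);

function openCatalog(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE articles (id INTEGER PRIMARY KEY, description TEXT, price REAL)');
    $db->exec('CREATE TABLE cart (artid INTEGER, description TEXT, price REAL)');
    $ins = $db->prepare('INSERT INTO articles (id, description, price) VALUES (?, ?, ?)');
    // Constructed sample row; the description deliberately contains " and &
    $ins->execute([12, 'Acer V193WLAObmd, 48cm / 19" Wide LCD, Analog & DVI', 149.00]);
    return $db;
}

/**
 * Handle one request. $get stands in for $_GET so the function can be called
 * directly; returns the article row that was copied into the cart, or null
 * when the id was missing, malformed or unknown.
 */
function addToCart(PDO $db, array $get): ?array
{
    // Only a positive integer is accepted; '19"', 'abc', '' and a missing
    // parameter all fail here and never reach the query.
    $id = filter_var($get['artid'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }

    // Description and price come from the database, not from the URL.
    $sel = $db->prepare('SELECT id, description, price FROM articles WHERE id = ?');
    $sel->execute([$id]);
    $row = $sel->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }

    $ins = $db->prepare('INSERT INTO cart (artid, description, price) VALUES (?, ?, ?)');
    $ins->execute([$row['id'], $row['description'], $row['price']]);
    return $row;
}

$db = openCatalog();
var_dump(addToCart($db, ['artid' => '12']));    // the full row, quotes and all
var_dump(addToCart($db, ['artid' => '19"']));   // null: not an integer
var_dump(addToCart($db, ['artid' => '999']));   // null: no such article
var_dump(addToCart($db, []));                   // null: parameter missing
```

With this layout the link in shop.php shrinks to `item_addtomysql.php?artid=12`, so the quoting problem from the first post disappears along with the unreadable URL, and the only value the client controls is one that is validated as an integer before use.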

Re: Quotes inside a Variable
Posted: Tue Oct 19, 2010 9:39 am
by Weirdan
Eran wrote:urlencode() and htmlspecialchars() do different things. The first escapes string for use in URLs, and the second escapes special characters for use in HTML...
so, in fact, they should be used together when you are preparing a URL for use in an HTML attribute (however most developers neglect to HTML-encode their URLs).
<a href="<?=htmlspecialchars('http://server.com/script.php?param1=' . urlencode($param1) . '&param2=' . urlencode($param2))?>">Click me</a>
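The two steps from Eran's and Weirdan's posts applied to the link from the first post, as an added example that is not code from the thread. It keeps the original construction alongside the encoded one so the difference is visible on the same input: urlencode() protects the value inside the URL, htmlspecialchars() protects the URL inside the attribute (it also turns the `&` separators into `&amp;`, which matters because a raw `&param` in an attribute is read by browsers as the legacy `&para` entity). The $id, $discr and $price values are constructed stand-ins for the rows read from the database.

```php
<?php
// Added example, not code from the thread: the "order" link from the first
// post, built the way Eran and Weirdan describe. $id, $discr and $price are
// constructed values standing in for the database rows.
declare(strict_types=1);

// The original construction: $discr goes into the attribute untouched, so the
// first double quote in it terminates href="..." and the rest of the URL is lost.
function unsafeOrderLink(int $id, string $discr, string $price): string
{
    return "<td><a href=\"item_addtomysql.php?artid=" . $id . "&description=" . $discr
         . "&price=" . $price . "\">order</a></td>";
}

// Step 1 (Eran): urlencode() each value, so ", &, /, space and ' become
// %22, %26, %2F, + and %27 and can no longer act as URL or attribute syntax.
function orderUrl(int $id, string $discr, string $price): string
{
    return 'item_addtomysql.php?artid=' . urlencode((string) $id)
         . '&description=' . urlencode($discr)
         . '&price=' . urlencode($price);
}

// Step 2 (Weirdan): the URL is placed inside an HTML attribute, so the whole
// thing is htmlspecialchars()'d as well; & becomes &amp; and any " that
// survived step 1 would become &quot;.
function safeOrderLink(int $id, string $discr, string $price): string
{
    return '<td><a href="' . htmlspecialchars(orderUrl($id, $discr, $price), ENT_QUOTES, 'UTF-8')
         . '">order</a></td>';
}

// What item_addtomysql.php sees: the browser decodes the entities when it
// follows the link, and PHP's query-string parsing (the same code that fills
// $_GET) undoes the urlencode() step.
function receivedParams(string $url): array
{
    parse_str((string) parse_url($url, PHP_URL_QUERY), $params);
    return $params;
}

$id    = 12;
$discr = 'Acer V193WLAObmd, 48cm / 19" Wide LCD, 16:10 HD LED, Analog & DVI, 12.000.000:1, 5ms, Speakers, Black, ES 5.0, TCO\'05';
$price = '149.00';

echo unsafeOrderLink($id, $discr, $price), PHP_EOL;  // href is cut off at 19"
echo safeOrderLink($id, $discr, $price), PHP_EOL;    // one intact attribute

$params = receivedParams(orderUrl($id, $discr, $price));
if ($params['description'] !== $discr) {
    throw new RuntimeException('description was damaged in transit');
}
if ($params['artid'] !== '12') {                     // $_GET values are always strings
    throw new RuntimeException('artid was damaged in transit');
}
echo 'round trip ok', PHP_EOL;
```

The order of the two calls is not interchangeable: encoding for HTML first and then urlencode()-ing would percent-encode the `&` of `&amp;` and the receiving page would get the entity text instead of the original character.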
Re: Quotes inside a Variable
Posted: Tue Oct 19, 2010 9:59 am
by Eran
Quite right, I usually put the entities myself for ampersands and so forth, but use htmlspecialchars or htmlentities to escape URLs when you put them inside HTML attributes.
Re: Quotes inside a Variable
Posted: Wed Oct 27, 2010 8:43 am
by Nomistake
hey,
thanks for your help on this case...!