htmlspecialchars()
Posted: Sun Jul 21, 2013 3:27 pm
Hi Everyone,
I have a (hopefully) quick question. When I send a single piece of data in the URL to the next webpage, I get the behavior I'm expecting. I need to send two pieces of data and can not get it to work. I have session_start() at the top of both pages and session.use_trans_sid in my php.ini is set to 0 for security reasons. The PHP manual says that I can use htmlspecialchars(SID), it says:
The difference being the use of double quotes in the first and single quotes in the second. The code looks fine in the editor, all the mark up colors look good. When I hover over the link, I can see the URL of the target page and the instance_id, but nothing beyond that. I looks as if the browser is not reading the subsequent data (SID) I'm attempting to place in the URL. I also tried the following:
And when I hover over the link, I can see the instance_id and “session_id=” but no SID. The browser is not reading the PHP echo statement.
I also tried numerous other versions of this, but they looked completely wrong in the editor and /or throw errors. I seem to recall that there is a special character for this (to add more pieces of data to the URL), but everything I have plugged in to the code fails. Is there a simple way of writing more than one piece of data to the URL? Thanks very much for your time, I really appreciate it!
Cheers,
Rick
I have a (hopefully) quick question. When I send a single piece of data in the URL to the next webpage, I get the behavior I'm expecting. I need to send two pieces of data and can not get it to work. I have session_start() at the top of both pages and session.use_trans_sid in my php.ini is set to 0 for security reasons. The PHP manual says that I can use htmlspecialchars(SID), it says:
The following example demonstrates how to register a variable, and how to link correctly to another page using SID.
Code: Select all
<?php
session_start();
if (empty($_SESSION['count'])) {
$_SESSION['count'] = 1;
} else {
$_SESSION['count']++;
}
?>
<p>
Hello visitor, you have seen this page <?php echo $_SESSION['count']; ?> times.
</p>
<p>
To continue, <a href="nextpage.php?<?php echo htmlspecialchars(SID); ?>">click
here</a>.
</p>OK, good enough. I need to send the SID to the next page, and I need to send the instance_id too. What I have tried to do is this:The htmlspecialchars() may be used when printing the SID in order to prevent XSS related attacks.
Code: Select all
<a href="srch_detail_autos.php?instance_id=<?php echo $row_rsautos['instance_id']; ?>"?session_id="<?php echo htmlspecialchars(SID); ?>" ><?php echo stripslashes($row_rsautos['title']); ?></a>
<a href="srch_detail_autos.php?instance_id=<?php echo $row_rsautos['instance_id']; ?>"?session_id='<?php echo htmlspecialchars(SID); ?>' ><?php echo stripslashes($row_rsautos['title']); ?></a>Code: Select all
<a href="srch_detail_autos.php?instance_id=<?php echo $row_rsautos['instance_id']; ?>?session_id=<?php echo htmlspecialchars(SID); ?>" ><?php echo stripslashes($row_rsautos['title']); ?></a>And when I hover over the link, I can see the instance_id and “session_id=” but no SID. The browser is not reading the PHP echo statement.
I also tried numerous other versions of this, but they looked completely wrong in the editor and /or throw errors. I seem to recall that there is a special character for this (to add more pieces of data to the URL), but everything I have plugged in to the code fails. Is there a simple way of writing more than one piece of data to the URL? Thanks very much for your time, I really appreciate it!
Cheers,
Rick