htmlspecialchars()

Posted: Sun Jul 21, 2013 3:27 pm
by rick.emmet
Hi Everyone,
I have a (hopefully) quick question. When I send a single piece of data in the URL to the next webpage, I get the behavior I'm expecting. I need to send two pieces of data and cannot get it to work. I have session_start() at the top of both pages and session.use_trans_sid in my php.ini is set to 0 for security reasons. The PHP manual says that I can use htmlspecialchars(SID); it says:
The following example demonstrates how to register a variable, and how to link correctly to another page using SID.

<?php

session_start();

if (empty($_SESSION['count'])) {
   $_SESSION['count'] = 1;
} else {
   $_SESSION['count']++;
}
?>

<p>
Hello visitor, you have seen this page <?php echo $_SESSION['count']; ?> times.
</p>

<p>
To continue, <a href="nextpage.php?<?php echo htmlspecialchars(SID); ?>">click
here</a>.
</p>
The htmlspecialchars() may be used when printing the SID in order to prevent XSS related attacks.
OK, good enough. I need to send the SID to the next page, and I need to send the instance_id too. What I have tried to do is this:

<a href="srch_detail_autos.php?instance_id=<?php echo $row_rsautos['instance_id']; ?>"?session_id="<?php echo htmlspecialchars(SID); ?>" ><?php echo stripslashes($row_rsautos['title']); ?></a>

<a href="srch_detail_autos.php?instance_id=<?php echo $row_rsautos['instance_id']; ?>"?session_id='<?php echo htmlspecialchars(SID); ?>' ><?php echo stripslashes($row_rsautos['title']); ?></a>
The difference being the use of double quotes in the first and single quotes in the second. The code looks fine in the editor; all the markup colors look good. When I hover over the link, I can see the URL of the target page and the instance_id, but nothing beyond that. It looks as if the browser is not reading the subsequent data (SID) I'm attempting to place in the URL. I also tried the following:

<a href="srch_detail_autos.php?instance_id=<?php echo $row_rsautos['instance_id']; ?>?session_id=<?php echo htmlspecialchars(SID); ?>" ><?php echo stripslashes($row_rsautos['title']); ?></a>

And when I hover over the link, I can see the instance_id and “session_id=” but no SID. The browser is not reading the PHP echo statement.

I also tried numerous other versions of this, but they looked completely wrong in the editor and/or threw errors. I seem to recall that there is a special character for this (to add more pieces of data to the URL), but everything I have plugged into the code fails. Is there a simple way of writing more than one piece of data to the URL? Thanks very much for your time, I really appreciate it!
Cheers,
Rick

Re: htmlspecialchars()

Posted: Sun Jul 21, 2013 5:06 pm
by Celauran
The manual also says:
Alternatively, you can use the constant SID which is defined if the session started. If the client did not send an appropriate session cookie, it has the form session_name=session_id. Otherwise, it expands to an empty string. Thus, you can embed it unconditionally into URLs.
You're seeing the empty string because your browser is accepting cookies.

Also, separate multiple parameters with &

page.php?session=foo&other_var=bar

Re: htmlspecialchars()

Posted: Sun Jul 21, 2013 8:10 pm
by rick.emmet
Hello Celauran,
Thank you so much for your time, there were just a couple of things I wasn't getting. I got a little help and did a little experimenting and came up with this:

<a href="srch_detail_autos.php?instance_id=<?php echo $row_rsautos['instance_id']; ?>&column=<?php echo $_SESSION['column']; ?>&key_word=<?php echo $_SESSION['key_word']; ?>&session_id=<?php echo session_id(); ?>" >
Using the "&" for subsequent parameters I was then able to see the parameters in the URL, so that was a good sign. But I was still failing to get a result on the second page for two lines of code, "echo $_SESSION['column'];" and "echo $_SESSION['key_word'];". So I just used $_GET on the second page, and it worked like a champ. Thanks again for your help!!
cheers,
Rick
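The following is an added example, not code from either poster. It shows the two points the thread settles on: "&" (not "?") separates query parameters, and SID expands to an empty string when the browser sends a session cookie. It also does what the final link in the thread leaves out: every value is percent-encoded with http_build_query() and the finished URL and link text are escaped with htmlspecialchars() before they reach the HTML. $row, $column and $key_word are constructed stand-ins for $row_rsautos and the $_SESSION values in the post; build_link() and h() are helper names chosen here.

```php
<?php
// Added example, not code from the thread. $row, $column and $key_word are
// constructed stand-ins for $row_rsautos and the $_SESSION values in the post.

/**
 * Build "page.php?a=1&b=2" from an associative array.
 * http_build_query() joins pairs with '&' and percent-encodes every key and
 * value, so a value containing '&', '?', '=' or '#' cannot add or clobber
 * another parameter. Empty values are dropped so no dangling '&' is emitted.
 */
function build_link(string $page, array $params): string
{
    $kept = [];
    foreach ($params as $name => $value) {
        if ($value !== null && $value !== '') {
            $kept[$name] = $value;
        }
    }
    return $page . '?' . http_build_query($kept);
}

/**
 * Escape text for an HTML attribute or text node. ENT_QUOTES covers both
 * quote styles, so a value cannot terminate the href="..." attribute early.
 */
function h(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample data, deliberately awkward to show the encoding at work.
$row      = ['instance_id' => 42, 'title' => 'Ford & "Chevy" <deals>'];
$column   = 'make';
$key_word = 'ford?model=mustang&admin=1';

// How PHP parses the two separators tried in the thread. parse_str() applies
// the same rules PHP uses to fill $_GET from the query string.
parse_str('instance_id=42?session_id=abc', $withQuestionMark);
parse_str('instance_id=42&session_id=abc', $withAmpersand);
var_dump($withQuestionMark); // '?' is not a separator: the whole tail lands in instance_id
var_dump($withAmpersand);    // '&' is: two separate parameters

$url = build_link('srch_detail_autos.php', [
    'instance_id' => $row['instance_id'],
    'column'      => $column,
    'key_word'    => $key_word,
]);

// SID is defined once session_start() has run. It is "name=id" only when the
// client sent no session cookie and '' otherwise, so it can be appended as-is.
if (defined('SID') && SID !== '') {
    $url .= '&' . SID;
}

// Escape once, at output time, into both the attribute and the link text.
echo '<a href="' . h($url) . '">' . h($row['title']) . '</a>' . PHP_EOL;
```

On the target page the values arrive in $_GET (instance_id, column, key_word), exactly as the last post found, and should be validated there before use; for example, cast instance_id to int before it reaches a query. Relying on SID or on an explicit session_id() parameter puts the session identifier into the address bar, browser history and Referer headers of any outbound link, which is why session.use_trans_sid=0 plus cookies is the preferred configuration and why SID is empty whenever a cookie is in play.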