query string - how to pass a value that has space in it

tawfiq
Forum Newbie
Posts: 21
Joined: Sun Jan 27, 2008 12:19 pm

Post by tawfiq »

I am using a timestamp to uniquely identify a shopping cart. Here is the output of one such cartID:

2008-02-07 20:43:49

I am passing the value as a query string, and in the URL you can see that just the first part of the value (that is, the date) appears. How can I pass the whole value as a query string?

Code:

echo "<a href=showCartHistory.php?cart=".$_SESSION['cart'].">";
echo "Your cart reference </a>";

http://localhost/tinycart/showCartHisto ... 2008-02-07
GuitarheadCA
Forum Newbie
Posts: 20
Joined: Fri Jul 13, 2007 12:59 am

Re: query string - how to pass a value that has space in it

Post by GuitarheadCA »

Use the urlencode() function

Code:

echo "<a href=showCartHistory.php?cart=" . urlencode($_SESSION['cart']) . ">";

tawfiq
Forum Newbie
Posts: 21
Joined: Sun Jan 27, 2008 12:19 pm

Re: query string - how to pass a value that has space in it

Post by tawfiq »

Thanks, but another prob. How do I get rid of the slash? I used stripslashes() but no success.

This works - (manually coded)
[sql]   SELECT * FROM `cartlineitems` WHERE cartID = "2008-02-08 00:33:29"   [/sql]

This doesn't - (in the query string I get this -


showCartHistory.php?cart='2008-02-08+00%3A40%3A34'


If I use this query string, I can build the following SQL but it doesn't work

[sql]  $sql = "SELECT * FROM `cartlineitems` WHERE cartID = ".$_GET['cart']." ";  [/sql]

When I run this query I don't get any result. Here is how it looks if I echo the query:

[sql]  SELECT * FROM `cartlineitems` WHERE cartID = '\'2008-02-08 00:33:29\''   [/sql]

Don't know why the slash is not appearing, okay here it goes again -

SELECT * FROM `cartlineitems` WHERE cartID = '\'2008-02-08 00:33:29\''

How do I get rid of this slash and make the value appear in double quotes?
Christopher
Site Administrator
Posts: 13596
Joined: Wed Aug 25, 2004 7:54 pm
Location: New York, NY, US

Re: query string - how to pass a value that has space in it

Post by Christopher »

urlencode() is not adding the single quotes (?cart='2008-02-08+00%3A40%3A34') so where are you adding them into the URL string?

If you can't figure that out, you can do trim($_GET['cart'], "'"). That also shows that you should be doing validation and filtering of these request variables for security reasons. SQL injection would be very easy with your code.
(#10850)
GuitarheadCA
Forum Newbie
Posts: 20
Joined: Fri Jul 13, 2007 12:59 am

Re: query string - how to pass a value that has space in it

Post by GuitarheadCA »

It would likely be much easier and more secure to add an ID field to your database table. Then, use that field to request and pull records. It also makes validation and protection against SQL-inj much easier, because you can just cast it to an int before you use it.
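
Added example, not part of the thread: one way to do the validation and filtering the replies call for while keeping the timestamp cart ID, by URL-encoding the link value, accepting only a well-formed timestamp, and binding it as a query parameter instead of concatenating it. The in-memory PDO/SQLite setup, the item and qty columns, the sample row, and the function names are assumptions made for the demonstration.

```php
<?php
declare(strict_types=1);

// Link side: urlencode() the query value, htmlspecialchars() the quoted attribute.
function cartLink(string $cartId): string
{
    $href = 'showCartHistory.php?cart=' . urlencode($cartId);
    return '<a href="' . htmlspecialchars($href, ENT_QUOTES) . '">Your cart reference</a>';
}

// Accept only an exact "Y-m-d H:i:s" timestamp. The round trip through format()
// also rejects overflowing dates such as 2008-02-31.
function validCartId(string $raw): ?string
{
    $dt = DateTimeImmutable::createFromFormat('!Y-m-d H:i:s', $raw);
    if ($dt === false || $dt->format('Y-m-d H:i:s') !== $raw) {
        return null;
    }
    return $raw;
}

// The value is bound as a parameter, so no quoting or slash handling is needed.
function cartHistory(PDO $db, string $raw): array
{
    $cartId = validCartId($raw);
    if ($cartId === null) {
        return [];
    }
    $stmt = $db->prepare('SELECT item, qty FROM cartlineitems WHERE cartID = :cart');
    $stmt->execute([':cart' => $cartId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed demo data in an in-memory SQLite database (hypothetical schema).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE cartlineitems (cartID TEXT, item TEXT, qty INTEGER)');
$db->exec("INSERT INTO cartlineitems VALUES ('2008-02-08 00:33:29', 'widget', 2)");

echo cartLink('2008-02-08 00:33:29'), PHP_EOL;

// PHP has already URL-decoded $_GET values; these strings stand in for $_GET['cart'].
foreach (['2008-02-08 00:33:29', "'2008-02-08 00:33:29'", 'not-a-timestamp'] as $input) {
    printf("%-24s => %d row(s)\n", $input, count(cartHistory($db, $input)));
}
```

The quote-wrapped value from the thread fails validation outright, so the stray quotes never reach the query.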