query string - how to pass a value that has space in it
Posted: Thu Feb 07, 2008 5:07 pm
by tawfiq
I am using a timestamp to uniquely identify a shopping cart. Here is the output of one such cartID:
2008-02-07 20:43:49
I am passing the value as a query string, and in the URL you can see that just the first part of the value (that is, the date) appears. How can I pass the whole value as a query string?
Code:
echo "<a href=showCartHistory.php?cart=".$_SESSION['cart'].">";
echo "Your cart reference </a>";
http://localhost/tinycart/showCartHisto ... 2008-02-07
Re: query string - how to pass a value that has space in it
Posted: Thu Feb 07, 2008 5:44 pm
by GuitarheadCA
Use the urlencode() function
Code:
echo "<a href=showCartHistory.php?cart=" . urlencode($_SESSION['cart']) . ">";
Re: query string - how to pass a value that has space in it
Posted: Thu Feb 07, 2008 6:48 pm
by tawfiq
Thanks, but another prob. How do I get rid of the slash? I used stripslashes() but no success.
This works - (manually coded)
[sql] SELECT * FROM `cartlineitems` WHERE cartID = "2008-02-08 00:33:29" [/sql]
This doesn't - (in the query string I get this -
showCartHistory.php?cart='2008-02-08+00%3A40%3A34'
If I use this query string, I can build the following SQL but it doesn't work
[sql] $sql = "SELECT * FROM `cartlineitems` WHERE cartID = ".$_GET['cart']." "; [/sql]
When I run this query I don't get any result. Here is what it looks like if I echo the query:
[sql] SELECT * FROM `cartlineitems` WHERE cartID = '\'2008-02-08 00:33:29\'' [/sql]
Don't know why the slash is not appearing, okay here it goes again -
SELECT * FROM `cartlineitems` WHERE cartID = '\'2008-02-08 00:33:29\''
How do I get rid of this slash and make the value appear in double quotes?
Re: query string - how to pass a value that has space in it
Posted: Thu Feb 07, 2008 7:05 pm
by Christopher
urlencode() is not adding the single quotes (?cart='2008-02-08+00%3A40%3A34') so where are you adding them into the URL string?
If you can't figure that out, you can do trim($_GET['cart'], "'"). That also shows that you should be doing validation and filtering of these request variables for security reasons. SQL injection would be very easy with your code.
Re: query string - how to pass a value that has space in it
Posted: Thu Feb 07, 2008 7:21 pm
by GuitarheadCA
It would likely be much easier and more secure to add an ID field to your database table. Then, use that field to request and pull records. It also makes validation and protection against SQL-inj much easier, because you can just cast it to an int before you use it.
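An added example, not part of the thread or any poster's code: one way to combine the urlencode() fix with the validation the replies call for, using a strict timestamp check and a bound query parameter instead of string concatenation. The in-memory SQLite table, its item/qty columns, the sample rows and the function names are assumptions made for illustration.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7.1+ with pdo_sqlite;
// the in-memory table, its columns item/qty and the sample rows are constructed.

// Link side: urlencode() the value, then HTML-escape and quote the href.
function cartLink(string $cartId): string {
    $href = 'showCartHistory.php?cart=' . urlencode($cartId);
    return '<a href="' . htmlspecialchars($href, ENT_QUOTES) . '">Your cart reference</a>';
}

// Receiving side: accept only an exact "YYYY-MM-DD HH:MM:SS" calendar timestamp.
function validCartId($raw): ?string {
    if (!is_string($raw) || !preg_match('/\A\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\z/', $raw)) {
        return null;
    }
    $dt = DateTimeImmutable::createFromFormat('!Y-m-d H:i:s', $raw);
    return ($dt && $dt->format('Y-m-d H:i:s') === $raw) ? $raw : null;
}

// Query side: the value is bound as a parameter, never concatenated into the SQL.
function cartItems(PDO $db, string $cartId): array {
    $stmt = $db->prepare('SELECT * FROM cartlineitems WHERE cartID = :cart');
    $stmt->execute([':cart' => $cartId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE cartlineitems (cartID TEXT, item TEXT, qty INTEGER)');
$db->exec("INSERT INTO cartlineitems VALUES ('2008-02-08 00:33:29', 'widget', 2)");

echo cartLink('2008-02-08 00:33:29'), "\n";

// Constructed stand-ins for $_GET['cart'] (PHP has already URL-decoded them).
$requests = [
    '2008-02-08 00:33:29',             // well-formed
    "'2008-02-08 00:33:29'",           // stray quotes, as in the thread's URL
    "2008-02-08 00:33:29' OR '1'='1",  // extra SQL appended
    '2008-02-31 00:33:29',             // right shape, impossible date
];
foreach ($requests as $raw) {
    $cartId = validCartId($raw);
    $result = $cartId === null ? 'rejected' : count(cartItems($db, $cartId)) . ' row(s)';
    printf("%-32s => %s\n", $raw, $result);
}
```

With the integer ID field suggested in the last reply, the validation step would reduce to an integer check on the request value, and the bound parameter would stay the same.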