First, I am a newb, so please forgive all the newb mistakes, and thanks in advance for any help.
I'm just trying to build a fairly simple database. I have a quicksearch function that searches all fields with a LIKE %keyword% query. The result is sent to a template for output. To be able to sort the results, I embedded a link in each column header in the template that includes the original query and a sort field. It actually works most of the time, but I've discovered that whenever I search for a word that starts with "ad" or "ed", the embedded links get all messed up.
Examples:
If I quicksearch "propofol", the column header will have an embedded link as follows:
http://.../sort.php?sql=SELECT * FROM patent WHERE title LIKE '%propofol%' OR inventor LIKE '%propofol%' OR...&sort=title
If I search for a word that starts with ed or ad, the link becomes:
http://.../sort.php?sql=SELECT%20*%20FROM%20patent%20WHERE%20title%20LIKE%20%27%edetate%%27%20OR%20inventor%20LIKE%20%27%edetate%%27%20OR...sort=assignee
I know that the characters are being translated to code, but I'm just a little stuck as to why it only does it some of the time.
TIA
embedded links encoded
- jaoudestudios
- DevNet Resident
- Posts: 1483
- Joined: Wed Jun 18, 2008 8:32 am
- Location: Surrey
Re: embedded links encoded
The URL can not have spaces, so it encodes it. Do NOT send the query string through the URL; it is not safe. Even without sending the query string through the URL, make sure you filter all of it before you send it to the database; otherwise people will have access to your database.
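Why only some keywords break, as an added illustration that is not part of any post in this thread: a URL parser (and PHP when it fills $_GET) treats a raw % as the start of a percent-escape whenever the next two characters are hex digits, so the %ed and %ad at the front of the LIKE pattern are decoded as a byte, while %pr in %propofol% is left alone. The Python below uses only the standard library's urllib.parse to mirror that behaviour; the keywords are the two from the thread plus constructed ones, and the function names are mine.

```python
import string
from urllib.parse import quote, unquote


def like_pattern(keyword: str) -> str:
    """The pattern the quicksearch puts into the SQL: %keyword%."""
    return "%" + keyword + "%"


def as_received(raw_fragment: str) -> str:
    """Percent-decode a fragment the way a URL parser (or PHP's $_GET) does.

    '%' + two hex digits is an escape; '%' followed by anything else is kept.
    An escape that does not form valid UTF-8 decodes to U+FFFD here (in PHP
    it would simply be the raw byte).
    """
    return unquote(raw_fragment)


def is_misread_as_escape(keyword: str) -> bool:
    """True when %keyword% will lose its first letters to percent-decoding.

    That is exactly the keywords whose first two characters are hex digits:
    'ed', 'ad', but also 'ca', 'de', 'fa', ...
    """
    return len(keyword) >= 2 and all(c in string.hexdigits for c in keyword[:2])


def encoded_for_link(keyword: str) -> str:
    """What PHP's urlencode() would place in the sort link: every % becomes %25."""
    return quote(like_pattern(keyword), safe="")


def round_trip(keyword: str) -> str:
    """Encode for the link, then decode as the receiving page does automatically."""
    return as_received(encoded_for_link(keyword))


if __name__ == "__main__":
    for kw in ("propofol", "edetate", "adrenaline", "cafe"):   # constructed inputs
        raw = like_pattern(kw)
        print(f"{kw:10} raw {raw!r:15} -> received {as_received(raw)!r}"
              f" (misread: {is_misread_as_escape(kw)}); encoded round trip -> {round_trip(kw)!r}")
```

Encoding the pattern before it goes into the link turns the literal % into %25, and the receiving side's automatic decoding restores it, which is why no explicit decode is needed afterwards; it does not change the fact that the SQL itself should not travel in the link at all.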
Re: embedded links encoded
Understood re security. It is an internal site for a very small company, and it's really more for development.
But I'm still a bit baffled as to why it works most of the time and sometimes not. BTW, I'm sort of copying the structure of this database from a widely used reference management system called Refbase. Their sort links are structured the same, and the links have spaces in them...
- jaoudestudios
- DevNet Resident
- Posts: 1483
- Joined: Wed Jun 18, 2008 8:32 am
- Location: Surrey
Re: embedded links encoded
The query should not be built on the first page but the second. You could try URL-decoding before the query is used to turn the %20 back into the original spaces, but that is still not the best method. The best method is...
i.e.
Page1.php: form fields only! No queries
Page2.php: use POST values from previous page and build up sql query from that.
Re: embedded links encoded
Thanks for the help....
What I ended up doing is encoding the query before sending it to the template; it seems to work fine that way. The weird thing is that I assumed I would need to do a decode to reuse the query, but it was unnecessary.
Thanks again.
- RobertGonzalez
- Site Administrator
- Posts: 14293
- Joined: Tue Sep 09, 2003 6:04 pm
- Location: Fremont, CA, USA
Re: embedded links encoded
I would like to reiterate the concept: DO NOT SEND YOUR QUERY AS PART OF THE QUERYSTRING. No matter the app, location of use or anything else, it is not good practice.
It is simple enough to use a variable that gets escaped then passed to your query. Plus you don't have to worry about encoded elements borking your query.
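What the advice in the replies above looks like in code, as an added example that is not from any poster, from the thread's site, or from Refbase: the sort link carries only the keyword and the sort column (sort.php?q=edetate&sort=title), the SQL text lives on the server, the keyword is bound as a parameter with its LIKE wildcards escaped, and the sort column is checked against an allowlist because an identifier cannot be bound. Python's sqlite3 stands in for PHP with prepared statements; the patent table and its rows are constructed for the demo, with only the column names (title, inventor, assignee) taken from the thread.

```python
import sqlite3

# Columns the quicksearch scans and the ones a link may sort on. The names come
# from the thread; the allowlist is what replaces an interpolated ORDER BY.
SEARCH_COLUMNS = ("title", "inventor", "assignee")
SORTABLE_COLUMNS = frozenset(SEARCH_COLUMNS)
LIKE_ESCAPE = "\\"


def escape_like(keyword: str) -> str:
    """Make a user keyword match literally inside a LIKE pattern.

    '%' and '_' are wildcards in LIKE; escaping them means a search for
    "100%" does not silently become "anything starting with 100".
    """
    return (keyword.replace(LIKE_ESCAPE, LIKE_ESCAPE * 2)
                   .replace("%", LIKE_ESCAPE + "%")
                   .replace("_", LIKE_ESCAPE + "_"))


def quick_search(conn: sqlite3.Connection, keyword: str, sort_by: str = "title") -> list:
    """Server-side equivalent of sort.php?q=<keyword>&sort=<column>.

    The SQL text is fixed here; only the LIKE pattern is bound as a parameter,
    so nothing in `keyword` can change the statement's structure.
    """
    if sort_by not in SORTABLE_COLUMNS:
        # Identifiers cannot be bound, so validate them instead of interpolating.
        raise ValueError("unsupported sort column: %r" % sort_by)
    where = " OR ".join(col + " LIKE ? ESCAPE '\\'" for col in SEARCH_COLUMNS)
    sql = "SELECT title FROM patent WHERE " + where + " ORDER BY " + sort_by
    pattern = "%" + escape_like(keyword) + "%"
    rows = conn.execute(sql, [pattern] * len(SEARCH_COLUMNS)).fetchall()
    return [row[0] for row in rows]


def build_demo_db() -> sqlite3.Connection:
    """In-memory patent table with constructed rows (not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE patent (title TEXT, inventor TEXT, assignee TEXT)")
    conn.executemany("INSERT INTO patent VALUES (?, ?, ?)", [
        ("Edetate formulation", "A. Example", "Constructed Pharma"),
        ("Propofol emulsion", "B. Example", "Constructed Pharma"),
        ("Adhesive bandage", "C. Edetate", "Sample Medical"),
    ])
    return conn


if __name__ == "__main__":
    db = build_demo_db()
    print(quick_search(db, "edetate", "title"))      # matches title and inventor
    print(quick_search(db, "edetate", "assignee"))   # same rows, different order
    print(quick_search(db, "_", "title"))            # literal underscore: no match
```

Because the page that renders the column headers only ever sees the keyword and a column name, the percent-encoding problem from the first post disappears along with the bigger one: a visitor can change what is searched for and how it is sorted, but not what statement runs.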