embedded links encoded

PHP programming forum. Ask questions or help people concerning PHP code. Don't understand a function? Need help implementing a class? Don't understand a class? Here is where to ask. Remember to do your homework!

villajay
Forum Newbie
Posts: 3
Joined: Fri Aug 01, 2008 12:32 pm

embedded links encoded

Post by villajay »

First, I am a newb, so please forgive all the newb mistakes, and thanks in advance for any help.

I'm just trying to build a fairly simple database. I have a quicksearch function that searches all fields with a LIKE %keyword% query. The result is sent to a template for output. To be able to sort the results, I embedded a link in each column header in the template that includes the original query and a sort field. It actually works most of the time, but I've discovered that whenever a search word starts with "ad" or "ed", the embedded links get all messed up.

examples:

If I quicksearch "propofol", the column header will have an embedded link as follows:

http://.../sort.php?sql=SELECT * FROM patent WHERE title LIKE '%propofol%' OR inventor LIKE '%propofol%' OR...&sort=title

If I search for a word that starts with "ed" or "ad", the link becomes:

http://.../sort.php?sql=SELECT%20*%20FROM%20patent%20WHERE%20title%20LIKE%20%27%edetate%%27%20OR%20inventor%20LIKE%20%27%edetate%%27%20OR...sort=assignee

I know that the characters are being translated to codes, but I'm just a little stuck as to why it only does it some of the time.

TIA
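The two example links above differ in one detail that a small script can make visible. A LIKE pattern such as '%edetate%' begins with "%ed", and "e" and "d" are both hex digits, so "%ed" is also a well-formed percent-escape; "%pr" in '%propofol%' is not. The script below is an added example, not code from the thread, and needs nothing beyond stock PHP; it lists the escapes a URL decoder would recognise in each pattern and shows that the patterns only round-trip reliably once they are percent-encoded with rawurlencode before being placed in a URL. It generalises beyond "ad" and "ed": any keyword whose first two letters are hex digits (for example "decimal" or "beef") produces the same ambiguity.

```php
<?php
// Added example (not from the original thread): why a raw LIKE pattern
// inside a URL is ambiguous, and how encoding removes the ambiguity.

declare(strict_types=1);

/**
 * Return every well-formed percent-escape (% followed by two hex digits)
 * found in $s. These are the sequences a URL decoder will rewrite.
 */
function percentEscapes(string $s): array
{
    preg_match_all('/%[0-9A-Fa-f]{2}/', $s, $m);
    return $m[0];
}

/**
 * Report how the LIKE pattern '%keyword%' survives URL decoding, both raw
 * and after being percent-encoded the way a link parameter should be.
 */
function likePatternReport(string $keyword): array
{
    $pattern = '%' . $keyword . '%';
    return [
        'pattern'        => $pattern,
        'escapes'        => percentEscapes($pattern),
        // true only when urldecode() leaves the raw pattern untouched
        'raw_roundtrip'  => urldecode($pattern) === $pattern,
        // the safe form: encode before the URL, decode on arrival
        'encoded'        => rawurlencode($pattern),
        'safe_roundtrip' => urldecode(rawurlencode($pattern)) === $pattern,
    ];
}

// Sample keywords (constructed): the two from the thread plus one more
// starting with two hex-digit letters.
foreach (['propofol', 'edetate', 'adrenaline'] as $kw) {
    $r = likePatternReport($kw);
    printf(
        "%-11s escapes=%-7s raw_roundtrip=%-3s safe_roundtrip=%-3s encoded=%s\n",
        $kw,
        implode(',', $r['escapes']) ?: '(none)',
        $r['raw_roundtrip'] ? 'yes' : 'no',
        $r['safe_roundtrip'] ? 'yes' : 'no',
        $r['encoded']
    );
}
```

For "propofol" the report finds no escapes and the raw pattern round-trips; for "edetate" and "adrenaline" it finds "%ed" and "%ad", and urldecode turns them into single bytes, so the raw pattern does not round-trip. The encoded form round-trips in every case, which is the behaviour a link parameter needs.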
jaoudestudios
DevNet Resident
Posts: 1483
Joined: Wed Jun 18, 2008 8:32 am
Location: Surrey

Re: embedded links encoded

Post by jaoudestudios »

The URL cannot have spaces, so it encodes them. Do NOT send the query string through the URL; it is not safe. Even without sending the query string through the URL, make sure you filter all of it before you send it to the database; otherwise people will have access to your database.
villajay
Forum Newbie
Posts: 3
Joined: Fri Aug 01, 2008 12:32 pm

Re: embedded links encoded

Post by villajay »

Understood re security. It is an internal site for a very small company, and it's really more for development.

But I'm still a bit baffled as to why it works most of the time and sometimes not. BTW, I'm sort of copying the structure of this database from a widely used reference management system called Refbase. Their sort links are structured the same, and the links have spaces in them...
jaoudestudios
DevNet Resident
Posts: 1483
Joined: Wed Jun 18, 2008 8:32 am
Location: Surrey

Re: embedded links encoded

Post by jaoudestudios »

The query should not be built on the first page but on the second. You could try URL decoding before the query is used, to turn the %20 back into the original spaces, but that is still not the best method. The best method is...

i.e.
Page1.php: form fields only! No queries

Page2.php: use POST values from previous page and build up sql query from that.
villajay
Forum Newbie
Posts: 3
Joined: Fri Aug 01, 2008 12:32 pm

Re: embedded links encoded

Post by villajay »

Thanks for the help...

What I ended up doing is encoding the query before sending it to the template; it seems to work fine that way. The weird thing is that I assumed I would need to decode it to reuse the query, but that was unnecessary.

Thanks again.
RobertGonzalez
Site Administrator
Posts: 14293
Joined: Tue Sep 09, 2003 6:04 pm
Location: Fremont, CA, USA

Re: embedded links encoded

Post by RobertGonzalez »

I would like to reiterate the concept: DO NOT SEND YOUR QUERY AS PART OF THE QUERYSTRING. No matter the app, location of use or anything else, it is not good practice.

It is simple enough to use a variable that gets escaped and then passed to your query. Plus you don't have to worry about encoded elements borking your query.
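The structure jaoudestudios and RobertGonzalez describe, written out as an added example (not code from the thread or from Refbase): the search page receives only the keyword and a sort field, the SQL is built server-side with bound parameters, the sort column is checked against a fixed list because an identifier cannot be bound, and the column-header links carry only the keyword and sort field through http_build_query, which percent-encodes them. It assumes a PDO connection in $pdo and a table named patent with the columns title, inventor and assignee that appear in the thread's URLs; the script name search.php and the parameter names q and sort are assumed as well.

```php
<?php
// Added example, not from the original thread or from Refbase.
// search.php: receives a keyword and a sort field, never SQL.
// Assumes $pdo (a PDO connection) and a table "patent" with these columns.

declare(strict_types=1);

// The only columns that may be searched or sorted; anything else is rejected.
const SEARCHABLE_COLUMNS = ['title', 'inventor', 'assignee'];

/**
 * Escape LIKE metacharacters so the user's keyword matches literally.
 * '!' is used as the ESCAPE character to avoid backslash handling
 * differences between databases.
 */
function likeLiteral(string $keyword): string
{
    return str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $keyword);
}

/**
 * Build the quicksearch query. Returns [sql, params]: the keyword travels as
 * a bound value, the sort column is validated against the whitelist.
 */
function buildQuicksearch(string $keyword, string $sort): array
{
    if (!in_array($sort, SEARCHABLE_COLUMNS, true)) {
        throw new InvalidArgumentException("unknown sort column: $sort");
    }
    $pattern = '%' . likeLiteral($keyword) . '%';

    $clauses = [];
    $params  = [];
    foreach (SEARCHABLE_COLUMNS as $i => $col) {
        $clauses[]        = "$col LIKE :kw$i ESCAPE '!'";
        $params[":kw$i"] = $pattern;
    }
    $sql = 'SELECT * FROM patent WHERE ' . implode(' OR ', $clauses)
         . " ORDER BY $sort";
    return [$sql, $params];
}

/**
 * Column-header link: only the keyword and sort field go in the URL.
 * http_build_query percent-encodes them, so '%', spaces and quotes are safe.
 */
function sortLink(string $keyword, string $sort): string
{
    return 'search.php?' . http_build_query(['q' => $keyword, 'sort' => $sort]);
}

function runQuicksearch(PDO $pdo, string $keyword, string $sort): array
{
    [$sql, $params] = buildQuicksearch($keyword, $sort);
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- request handling (assumed parameter names q and sort) ------------------
$keyword = (string) ($_GET['q'] ?? '');
$sort    = (string) ($_GET['sort'] ?? 'title');

// Header links for the template, escaped for HTML attribute context.
$headers = [];
foreach (SEARCHABLE_COLUMNS as $col) {
    $headers[$col] = htmlspecialchars(sortLink($keyword, $col), ENT_QUOTES, 'UTF-8');
}
// e.g. search.php?q=edetate&amp;sort=assignee in the rendered attribute

// $rows = runQuicksearch($pdo, $keyword, $sort);  // $pdo assumed to exist
```

With this layout the "%ed" problem from the first post cannot occur, because no LIKE pattern ever appears in a URL: the wildcard is added on the server after the keyword arrives. An unknown value in sort is rejected before it reaches the ORDER BY clause, and a keyword containing a quote, a percent sign or an underscore is matched literally instead of altering the query.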