
please help with urlencode

Posted: Sun Nov 02, 2008 11:04 pm
by steve_linn
I am having trouble passing a variable in a URL (the row 'id' is actually a phone number XXX-XXX-XXXX). I am under the impression that I need to use the urlencode feature. I cannot figure out how to include it in this URL. I do not know the syntax to use. I have verified that the query works in MySQL and the query works if there are no hyphens. Your assistance is greatly appreciated!

Code:

<?php

$search = $_GET['searchFor'];
$words = explode(" ", $search);
$phrase = implode("%' AND account LIKE '%", $words);
$query = "SELECT id,account,address1,city,state,zip from customers where account like '%$phrase%'";
$result = mysql_query($query) or die('Could not query database at this time');

echo "<h1>Search Results</h1><br><br>\n";
if (mysql_num_rows($result) == 0) {
    echo "<h2>Sorry, no accounts were found with '$search' in them.</h2>";
} else {
    while ($row = mysql_fetch_array($result, MYSQL_ASSOC)) {
        $id = $row['id'];
        $account = $row['account'];
        $address1 = $row['address1'];
        $city = $row['city'];
        $state = $row['state'];
        $zip = $row['zip'];
        echo "<a href='index.php?content=showaccount&id=$id'>$account</a><br>\n";
        echo "$address1<br>\n";
        echo "$city $state $zip<br><br>\n";
    }
}
?>

Re: please help with urlencode

Posted: Sun Nov 02, 2008 11:26 pm
by requinix
You only need urlencode if the text might have unusual characters. If it's just numbers and hyphens then don't worry about it.

Besides that, there are two glaring security holes in your code.

Code:

$words = explode(" ", mysql_real_escape_string($search));

Code:

echo "<h2>Sorry, no accounts were found with '", htmlentities($search), "' in them.</h2>";
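
Added example, not part of the original posts and not any poster's code: the search page from the first post with both holes closed and the link value URL-encoded. It swaps in PDO prepared statements for mysql_real_escape_string and htmlspecialchars for htmlentities. Assumptions: PHP 7.4+ with pdo_sqlite, an in-memory SQLite table standing in for the MySQL one, constructed sample rows, and the hypothetical function names searchAccounts and renderResults.

```php
<?php
// Added example: rows below are constructed; table and column names follow the thread.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE customers (id CHAR(17), account TEXT, address1 TEXT, city TEXT, state TEXT, zip TEXT)");
$ins = $db->prepare("INSERT INTO customers VALUES (?,?,?,?,?,?)");
$ins->execute(['555-010-0001', 'Acme & Sons Hardware', '1 Main St', 'Springfield', 'IL', '62701']);
$ins->execute(['555-010-0002', 'Acme 100% Organic', '2 Oak Ave', 'Springfield', 'IL', '62702']);

function searchAccounts(PDO $db, string $search): array
{
    // One "account LIKE ?" per word; the words travel as bound parameters,
    // so quotes in the input never become part of the SQL text.
    $words = preg_split('/\s+/', trim($search), -1, PREG_SPLIT_NO_EMPTY);
    if (!$words) {
        return [];
    }
    $where = implode(' AND ', array_fill(0, count($words), "account LIKE ? ESCAPE '\\'"));
    // Escape LIKE wildcards so a literal % or _ in the search matches only itself.
    $params = array_map(fn($w) => '%' . addcslashes($w, '%_\\') . '%', $words);
    $stmt = $db->prepare("SELECT id, account, address1, city, state, zip FROM customers WHERE $where");
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function renderResults(array $rows, string $search): string
{
    $h = fn($s) => htmlspecialchars($s, ENT_QUOTES, 'UTF-8'); // HTML context
    if (!$rows) {
        return "<h2>Sorry, no accounts were found with '" . $h($search) . "' in them.</h2>";
    }
    $out = '';
    foreach ($rows as $row) {
        // URL context first (urlencode), then HTML attribute context (htmlspecialchars).
        $href = 'index.php?content=showaccount&id=' . urlencode($row['id']);
        $out .= "<a href='" . $h($href) . "'>" . $h($row['account']) . "</a><br>\n";
        $out .= $h($row['address1']) . "<br>\n";
        $out .= $h("{$row['city']} {$row['state']} {$row['zip']}") . "<br><br>\n";
    }
    return $out;
}

// Constructed inputs: a literal % wildcard, a quote-breaking string, and markup.
foreach (["acme 100%", "x' OR '1'='1", "<script>alert(1)</script>"] as $search) {
    echo renderResults(searchAccounts($db, $search), $search), "\n";
}
```

The hyphens in the id pass through urlencode unchanged, which matches the reply above: encoding matters only once the value can contain characters that are special in a URL.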

Re: please help with urlencode

Posted: Mon Nov 03, 2008 8:31 am
by steve_linn
So, if it's not a urlencode issue, then why will the variable not pass?

It works if the hyphens are taken out and it's just a number. (xxxxxxxxxx)

It does not work with the hyphens (xxx-xxx-xxxx)

Re: please help with urlencode

Posted: Mon Nov 03, 2008 8:36 am
by aceconcepts
It's probably dealing with the hyphens as minus signs!

Re: please help with urlencode

Posted: Mon Nov 03, 2008 9:15 am
by steve_linn
So what is the solution?

Re: please help with urlencode

Posted: Mon Nov 03, 2008 9:32 am
by aceconcepts
What data type is id in your database?

Re: please help with urlencode

Posted: Mon Nov 03, 2008 11:03 am
by steve_linn
char(17)

Re: please help with urlencode

Posted: Mon Nov 03, 2008 11:26 am
by Mark Baker
What does the HTML of the search result look like when it includes results with a hyphen in the id?

What do you see if you do a var_dump of $_GET after following the link from the search result?

Re: please help with urlencode

Posted: Mon Nov 03, 2008 9:51 pm
by steve_linn
I fixed this issue - it was a MySQL error - coding was incorrect.