passing variables through url get garbled

nefus
Forum Newbie
Posts: 16
Joined: Tue Mar 04, 2003 12:04 pm

Post by nefus »

I am passing variables through a url and even using urlencode I still have problems with the ' character. It wants to convert them to \ or just kill the remainder of the variable after the ' character.
delorian
Forum Contributor
Posts: 223
Joined: Sun May 04, 2003 5:20 pm
Location: Olsztyn, Poland

Post by delorian »

If you're passing a variable and the browser adds the \, just use the stripslashes function.

And of course strip_tags() for better security. :D
nefus
Forum Newbie
Posts: 16
Joined: Tue Mar 04, 2003 12:04 pm

Post by nefus »

That seems to work pretty well. However, when the variable is passed thus.. echo "<INPUT NAME=comment SIZE=55 VALUE= '$variable' >" if there is a ' in the variable, it will display no text afterwards.
delorian
Forum Contributor
Posts: 223
Joined: Sun May 04, 2003 5:20 pm
Location: Olsztyn, Poland

Post by delorian »

Sometimes you need to use the concatenation like:

Code: Select all

echo "<input name=comment size=55 value='".$variable."'>"; 
// or if you're passing it through url
echo "<input name=comment size=55 value='".$_GET['variable']."'>";
nefus
Forum Newbie
Posts: 16
Joined: Tue Mar 04, 2003 12:04 pm

Post by nefus »

I appreciate your effort! Sadly, your last suggestions didn't work. The first one echoed the first word as though nothing had changed. It still left off any other text after the ' character. The second suggestion added the \ character back even though stripslashes had been used. No further text was displayed with it either.

$foo = "test test's test";
echo "<INPUT NAME=comment SIZE=55 VALUE= '".$foo."' >";

This will return "test test" and not show "test test's test" as it should. I've tried value= '$foo' first. Any ideas?
corlando
Forum Newbie
Posts: 21
Joined: Sun Jun 15, 2003 10:07 pm

Post by corlando »

Use the htmlspecialchars() function
http://us4.php.net/manual/tr/function.h ... lchars.php

Code: Select all

<?php

echo "<INPUT NAME=comment SIZE=55 VALUE= '" . htmlspecialchars($foo, ENT_QUOTES ) ."' >";

?>
McGruff
DevNet Master
Posts: 2893
Joined: Thu Jan 30, 2003 8:26 pm
Location: Glasgow, Scotland

Post by McGruff »

Single quotes are converted to %27 by urlencode - can you show us the string arg you pass to urlencode?
delorian
Forum Contributor
Posts: 223
Joined: Sun May 04, 2003 5:20 pm
Location: Olsztyn, Poland

Post by delorian »

nefus wrote: I appreciate your effort! Sadly, your last suggestions didn't work. The first one echoed the first word as though nothing had changed. It still left off any other text after the ' character. The second suggestion added the \ character back even though stripslashes had been used. No further text was displayed with it either.

$foo = "test test's test";
echo "<INPUT NAME=comment SIZE=55 VALUE= '".$foo."' >";

This will return "test test" and not show "test test's test" as it should. I've tried value= '$foo' first. Any ideas?

With $foo defined like this it can't be correct. In $foo you have a ' mark, so it's obvious that it can't be parsed correctly.

After PHP parsing the server will send html like this:

Code: Select all

<INPUT NAME=comment SIZE=55 VALUE= 'test test's test'>
// so the 'test test' is a value and "s test'" is some other s**t
How could this work :?:

The $foo should be defined:

Code: Select all

$foo = "test test''s test"; // so the ' is treated literally
About that $_GET['variable'] - what version of PHP are you using :?: $_GET array is available from 4.1.0 up. If you're using some older version you will have $HTTP_GET_VARS array.

But like corlando said, use htmlspecialchars().
twigletmac
Her Royal Site Adminness
Posts: 5371
Joined: Tue Apr 23, 2002 2:21 am
Location: Essex, UK

Post by twigletmac »

It would be a good idea to have your HTML attributes in double quotes instead of single quotes, so instead of:

Code: Select all

<INPUT NAME=comment SIZE=55 VALUE= 'test test's test'>
you should have

Code: Select all

<INPUT NAME="comment" SIZE="55" VALUE="test test's test">
which gets rid of the immediate problem with single quotes in the value (which can't be escaped in HTML as they can be in PHP).

Then to make sure that double quotes (or other HTML special characters) within the string don't cause a problem, use the htmlspecialchars() function as was advised earlier (using single instead of double quotes around the string in PHP):

Code: Select all

echo '<input name="comment" size="55" value= "'.htmlspecialchars($foo) .'">';
Mac
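
An added example, not code from any poster in the thread: it sends the thread's string through a query string, renders it into the input both unescaped and with htmlspecialchars(), and parses each result with DOMDocument to show which value an HTML parser actually ends up with. The function names and the second sample string are constructed for illustration; it assumes PHP 7 or later with the dom extension.

```php
<?php
// Added example, not code from the thread. The sample strings are constructed.

// The failing form from the thread: raw value inside a single-quoted attribute.
function render_raw(string $value): string {
    return "<input name='comment' size='55' value='" . $value . "'>";
}

// The fixed form: value escaped for an HTML attribute. ENT_QUOTES is passed
// explicitly because before PHP 8.1 the default flags left ' unescaped.
function render_escaped(string $value): string {
    return '<input name="comment" size="55" value="'
        . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '">';
}

// Parse the markup with an HTML parser and return what lands in value.
function parsed_value(string $html): string {
    libxml_use_internal_errors(true); // the raw form is malformed on purpose
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    libxml_clear_errors();
    return $doc->getElementsByTagName('input')->item(0)->getAttribute('value');
}

// Send a value through a query string and back, as the original poster does.
// parse_str() stands in for PHP populating $_GET from the request.
function through_url(string $value): string {
    parse_str('variable=' . urlencode($value), $get);
    return $get['variable'];
}

$samples = ["test test's test", '5\' 10" shelf <oak> & pine'];

foreach ($samples as $sample) {
    $foo = through_url($sample);
    printf("sent:     %s\n", $sample);
    printf("from url: %s\n", $foo);   // identical: urlencode() carried the quote
    printf("raw:      %s\n", parsed_value(render_raw($foo)));       // cut at the first '
    printf("escaped:  %s\n\n", parsed_value(render_escaped($foo))); // full string
}
```

The "from url" line matching "sent" shows the URL leg is not where the text is lost; the truncation happens only when the value is written into the attribute unescaped.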