passing variables through url get garbled

Posted: Mon Jun 16, 2003 2:42 pm
by nefus
I am passing variables through a URL and even using urlencode() I still have problems with the ' character. It wants to convert them to \ or just kill the remainder of the variable after the ' character.

Posted: Mon Jun 16, 2003 3:11 pm
by delorian
If you're passing a variable and the browser adds the \, just use the stripslashes() function.

And of course strip_tags() for better security. :D

Posted: Mon Jun 16, 2003 3:18 pm
by nefus
That seems to work pretty well. However, when the variable is passed like this: echo "<INPUT NAME=comment SIZE=55 VALUE='$variable'>", if there is a ' in the variable, it will display no text afterwards.

Posted: Mon Jun 16, 2003 3:32 pm
by delorian
Sometimes you need to use the concatenation like:

Code: Select all

echo "<input name=comment size=55 value='" . $variable . "'>";
// or if you're passing it through the URL
echo "<input name=comment size=55 value='" . $_GET['variable'] . "'>";

Posted: Mon Jun 16, 2003 3:51 pm
by nefus
I appreciate your effort! Sadly, your last suggestions didn't work. The first one echoed the first word as though nothing had changed. It still left off any other text after the ' character. The second suggestion added the \ character back even though stripslashes had been used. No further text was displayed with it either.

$foo = "test test's test";
echo "<INPUT NAME=comment SIZE=55 VALUE='" . $foo . "'>";

This will return "test test" and not show "test test's test" as it should. I've tried value= '$foo' first. Any ideas?

Posted: Mon Jun 16, 2003 5:10 pm
by corlando
use the htmlspecialchars() function
http://us4.php.net/manual/tr/function.h ... lchars.php

Code: Select all

<?php

// ENT_QUOTES makes htmlspecialchars() encode single quotes as well as double quotes
echo "<INPUT NAME=comment SIZE=55 VALUE='" . htmlspecialchars($foo, ENT_QUOTES) . "'>";

?>

Posted: Mon Jun 16, 2003 8:19 pm
by McGruff
Single quotes are converted to %27 by urlencode - can you show us the string arg you pass to urlencode?

Posted: Tue Jun 17, 2003 8:46 am
by delorian
nefus wrote: I appreciate your effort! Sadly, your last suggestions didn't work. The first one echoed the first word as though nothing had changed. It still left off any other text after the ' character. The second suggestion added the \ character back even though stripslashes had been used. No further text was displayed with it either.

$foo = "test test's test";
echo "<INPUT NAME=comment SIZE=55 VALUE='" . $foo . "'>";

This will return "test test" and not show "test test's test" as it should. I've tried value= '$foo' first. Any ideas?
With $foo defined like this it can't be correct. In $foo you have a ' mark, so it's obvious that it can't be parsed correctly.

After PHP parsing, the server will send HTML like this:

Code: Select all

<INPUT NAME=comment SIZE=55 VALUE='test test's test'>
<!-- so 'test test' is the value and "s test'" is some other s**t -->
How could this work :?:

The $foo should be defined:

Code: Select all

$foo = "test test''s test"; // so the ' is treated literally
About that $_GET['variable'] - what version of PHP are you using :?: The $_GET array is available from 4.1.0 up. If you're using an older version you will have the $HTTP_GET_VARS array.

But like corlando said, use htmlspecialchars().

Posted: Tue Jun 17, 2003 9:33 am
by twigletmac
It would be a good idea to have your HTML attributes in double quotes instead of single quotes, so instead of:

Code: Select all

<INPUT NAME=comment SIZE=55 VALUE= 'test test's test'>
you should have

Code: Select all

<INPUT NAME="comment" SIZE="55" VALUE="test test's test">
which gets rid of the immediate problem with single quotes in the value (which can't be escaped in HTML as they can be in PHP).

Then to make sure that double quotes (or other HTML special characters) within the string don't cause a problem, use the htmlspecialchars() function as was advised earlier (using single instead of double quotes around the string in PHP):

Code: Select all

echo '<input name="comment" size="55" value="' . htmlspecialchars($foo) . '">';
Mac
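The following is an added example, not code from any of the posters above. It walks the value from urlencode() through the query string and back out into an <input> attribute, covering the three points raised in the thread: McGruff's note that urlencode() turns ' into %27, the backslash that stripslashes() removes, and the htmlspecialchars() fix recommended by corlando and twigletmac. Two things the thread does not spell out: the backslash was added by PHP's magic_quotes_gpc setting (removed in PHP 5.4), which is emulated here with addslashes(); and without ENT_QUOTES, htmlspecialchars() on PHP before 8.1 leaves single quotes untouched, which is why a single-quoted attribute needs the flag and why switching to double-quoted attributes also works. The sample values, including the attribute-breaking one, and the helper names attr_raw, attr_safe and magic_quotes_emulation are constructed for this example.

```php
<?php
// Added example, not from the original thread. Shows the round trip
// urlencode() -> query string -> $_GET-style parsing -> <input> attribute,
// and why a raw single-quoted attribute breaks while htmlspecialchars()
// with ENT_QUOTES does not, whichever quote style surrounds the value.

// Constructed sample values: the one from the thread and a hostile one.
$samples = [
    "test test's test",
    "x' onfocus='alert(1)",   // constructed attribute-breaking payload
];

// Render the attribute the way the original post did: raw value in single quotes.
// With the first sample the browser sees value='test test' followed by junk;
// with the second it sees an extra onfocus attribute.
function attr_raw(string $value): string
{
    return "<input name='comment' size='55' value='" . $value . "'>";
}

// Hardened: ENT_QUOTES encodes both ' and ", so the value can never close the
// attribute. ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning "".
// PHP before 8.1 defaulted to ENT_COMPAT (double quotes only), so the flag
// must be passed explicitly when the attribute is single-quoted.
function attr_safe(string $value): string
{
    $enc = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return "<input name='comment' size='55' value='" . $enc . "'>";
}

// Emulate what magic_quotes_gpc did to incoming GET/POST/cookie data: a
// backslash before ' " \ and NUL. The setting itself was removed in PHP 5.4;
// addslashes() applies the same transformation.
function magic_quotes_emulation(string $value): string
{
    return addslashes($value);
}

foreach ($samples as $original) {
    // 1. Build the link: urlencode() turns ' into %27 and space into +.
    $query = 'variable=' . urlencode($original);
    echo "query string : $query\n";

    // 2. Server side: parse the query string the way PHP fills $_GET.
    parse_str($query, $get);
    $received = $get['variable'];
    assert($received === $original);   // urlencode/decode is lossless

    // 3. With magic_quotes_gpc on, $_GET carried a backslash before the ';
    //    stripslashes() undoes exactly that and nothing else.
    $with_slashes = magic_quotes_emulation($received);
    echo "magic_quotes : $with_slashes\n";
    $received = stripslashes($with_slashes);
    assert($received === $original);

    // 4. Render both ways and compare the HTML that reaches the browser.
    echo "raw attr     : " . attr_raw($received) . "\n";
    echo "safe attr    : " . attr_safe($received) . "\n\n";
}
```

Run it with `php example.php`. For the first sample, the raw attribute is exactly the broken markup delorian showed, while the safe one carries `test test&#039;s test` and the browser displays the full string; for the second sample, the raw attribute gains an event handler the author never wrote, which is the reason to treat the encoding as a security fix rather than a display fix.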