Problem with & in URL

PHP
1

I have a link that send the user to another page where the information showed changes based on the url parameters:


<a href="page.php?'.'name'.'='.stripslashes($row['nome']).'&'.'date'.'='.stripslashes($row['date']).'">Link to the page</a>

And I use the following SQL query to retrieve the data from a database:


$sql = "SELECT * FROM table WHERE name='".mysqli_real_escape_string($conn,$_GET['name'])."' AND date='".mysqli_real_escape_string($conn,$_GET['date'])."'";

This works if the “name” parameter contains quotes, double quotes, slashes etc. but it doesn’t if an “&” in present. How can I make it so that this & is treated as a normal character and not as a delimiter for the URL parameters?

2

Use [fphp]urlencode[/fphp] when building the URL, or [fphp]http_build_query[/fphp] :slight_smile:


<?php
$url = sprintf(
  'page.php?%s',
  http_build_query(array('name' => $row['name'], 'date' => $row['date']))
);
3

Thanks Anthony :slight_smile: The url is correctly encoded now, but it looks like the WHERE clause in the sql code is not working correctly. The problem happens with strings containing the ampersand character. I’ve also tried chaning the & in the database entry to %26 to make it match with the url but it’s till not working. Is there a particular way that I should store this character in the database to make it work in this case?

4

Once you’ve built and passed the query by encoding it, you’ll need to [FPHP]urldecode[/FPHP] it again…

5

Pretty sure PHP does this automatically.

6

Ah yes… learned something new today.

in which case my response to D3V4 would be ‘echo out your query and see what it looks like’

7

I can confirm this, because I get the same result when I use urldecode and when I don’t.

The weird thing is that there are 3 slashes before a single quote (\\\'). Everything works if I avoid using mysqli_real_escape_string _

8

So somehow you’ve put \’ into real_escape string, which results in \\\’ (the second \ is the one from the original)

9

It sounds like you have magic quotes enabled, you really should disable them. Unless you’re adding these slashes?

10

I add just one slash before inserting data into the database. In fact, in the database the single quote is correctly escaped with a single backslash.

11

The values in the database shouldn’t have any slashes though. :confused:

12

They do because I escape data before inserting into the db. Isn’t this good practice? :confused:

13

Escaping the data should leave the data untouched inside the database.

“This is a te’st” Real_Escape_string => “This is a te\'st” Stored in database as => “This is a te’st”

14 

<?php
$string = "I can't sleep";
echo $string; #I can't sleep

$string = mysqli_real_escape_string($link, $string);
echo $string; #I can\\'t sleep

If you insert $string into the database, you should only see “I can’t sleep”.

15

By the way, I just realized that there’s an error in the code I posted in the op:


$sql = "SELECT * FROM table WHERE name='".stripslashes($_GET['name'])."' AND date='".stripslashes($_GET['date'])."'";

Ok, now what I don’t understand is: why is it that things work if I leave the 3 backslashes and they don’t if I use stripslashes on the string? After all, after encoding the URL, here there’s \‘. Using stripslashes \\\’ becomes \', and in this case things don’t work :confused: